Organisations need to ensure they have robust data protection and storage measures in place for GDPR, but many are making the mistake of leaving Subject Access Requests (SARs) out of their strategy, according to Nuxeo's Director of Product Marketing David Jones.
While many organisations have been burning the midnight oil trying to put a framework in place for managing the personal data of individuals in the EU in a way that complies with GDPR, they have given little or no time to how they will manage Subject Access Requests (SARs), one of the more overlooked aspects of the new regulation.
A SAR is the right of an individual (the "data subject") to obtain confirmation of whether an organisation is processing personal data about them and, if so, access to that data. Under GDPR (Article 12(3)), organisations must respond "without undue delay and in any event within one month of receipt of the request". That period may be extended by a further two months where necessary, taking into account the complexity and number of requests, but only if the individual is told of the extension, and the reasons for it, within the first month. Even so, this is a much shorter time frame than the 40 days allowed under the current Data Protection Act, which GDPR will replace.
In addition, organisations will not be able to charge a fee for processing a SAR under GDPR unless the request is "manifestly unfounded or excessive", in which case they may charge a reasonable fee or refuse to act on it. This change is likely to increase the volume of requests. At present a charge can be made for processing SARs in the UK, which appears to put many individuals off making one.
The content of the response is also more demanding. Alongside a copy of the personal data, the controller must supply the purposes of the processing, the categories of data concerned, the recipients or categories of recipient, the envisaged retention period, the existence of the rights to rectification and erasure and, where the data were not collected from the individual, any available information as to their source. Organisations therefore need to know exactly where each item of personal information came from, not just where it is stored now.
If an organisation finds itself processing a large number of SARs, this could put serious strain on internal processes that were not set up for it. Either way, it will need to provide the information (along with the additional details above) much faster than before to comply with GDPR, or face hefty fines.
Knowing where your data is
Many organisations have a network of content and data silos that are often not linked or adequately secured, which makes the process of compiling relevant information a tortuous task.
Locating information about specific individuals, and updating security policies and procedures, will be essential in planning how to address SARs under GDPR in order to meet the new timescales and format requirements.
Individuals can make SARs electronically, and a valid request does not have to use the words "subject access request" or be sent to a particular address: an email to a support mailbox or a message on social media can count. It is therefore important that staff are trained to recognise a SAR and act accordingly, so that nothing slips through the GDPR net. Otherwise, precious time will be wasted before the request even reaches the right team, and the one-month clock will already be running.
Processing SARs under GDPR
It is impossible to estimate how many individuals will submit SARs once GDPR comes into force. The elimination of the processing fee will undoubtedly be an incentive, and some will want to put the new regulation to the test simply because they have the right. But this uncertainty should not encourage an ostrich mentality. SARs are not going away, and being ill prepared could tarnish an organisation's image and brand simply because it cannot process them within the one-month timeframe.
But, handling SARs under GDPR doesn’t have to be a looming black cloud. Modern solutions for managing personal data and simplifying how SARs are processed, such as Content Services Platforms (CSPs), are available. CSPs can bring the numerous information sources within an organisation together to help to establish clear visibility and to ensure there are efficient workflows and reporting to keep track of requests.
A nod to content services
Regulators will be looking for a strong data security posture when GDPR comes into force. This means having a 360 degree view of data: where it is, what it is being used for, and who is accessing it. Organisations, however, often have multiple systems in place for storing and managing business-critical data. In such a tangled environment it is almost impossible to have a single version of the truth, which ideally comes from storing all data in a consistent, transparent and traceable way.
Unlike self-contained Enterprise Content Management (ECM) systems of old, CSPs are flexible, adaptable and integrate data from various sources and formats. They are agile, and built for process automation and content distribution. Above all, they are what is called ‘repository neutral’. This means it is quick to find and access information, no matter where it resides. In addition, CSPs are integrated with other core business systems, meaning relevant information can be displayed where it makes most sense - in context. It also makes CSPs an excellent tool to drive information and data analysis, so that an organisation knows exactly where personal data is being stored.
CSPs are a natural step forward from legacy ECM systems, providing the power to deal with our information-centric world built increasingly on mobile devices and in the cloud, while leveraging emerging technologies such as artificial intelligence (AI). But buyer beware – if you are offered a ‘GDPR compliant’ platform, be wary. There isn’t any single solution on the planet that can deliver GDPR compliance on its own. But, what they can do is help you manage your compliance requirements.
Where CSPs come into their own is in combining information systems. They can connect to and "look within" not only file systems holding unstructured content, but also database systems holding structured data. From this, organisations can get a complete view of GDPR-related content, which is key to efficient SAR searches.
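To make the cross-silo search concrete, the following is an added example, not code from the article or from Nuxeo's platform. It searches one structured source (an in-memory SQLite table standing in for a CRM database) and one unstructured source (a dictionary of file paths and contents standing in for a file share) for a single data subject, records the source and location of every hit so the response can state where each item came from, and computes the one-month response deadline. The sample records, the `crm` and `fileshare` source names and the calendar-month reading of "one month" are all assumptions made for the example.

```python
"""Cross-silo SAR discovery with source attribution (constructed example)."""
import calendar
import re
import sqlite3
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Hit:
    source: str    # system the record came from (needed for "information as to their source")
    location: str  # table/row or path within that system
    excerpt: str   # what was found, for the disclosure bundle


# Constructed sample data. In a real deployment these would be live connectors.
CRM_ROWS = [
    (1, "Ada Lovelace", "ada@example.org", "newsletter signup"),
    (2, "Charles Babbage", "charles@example.org", "trade show lead list"),
    (3, "A. Lovelace", "ADA@example.org", "purchased broker list"),
]

FILE_SHARE = {
    "support/ticket-1042.txt": "Customer ada@example.org reports login failures.",
    "hr/payroll-2017.csv": "id,name\n7,Charles Babbage",
    "marketing/plan.md": "Q3 campaign targets SMEs in Manchester.",
}


def build_crm() -> sqlite3.Connection:
    """Create the stand-in CRM database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, email TEXT, origin TEXT)"
    )
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?, ?)", CRM_ROWS)
    return conn


def search_structured(conn: sqlite3.Connection, email: str) -> list[Hit]:
    """Structured source: parameterised, case-insensitive match on the identifier.
    The requester's text is untrusted input, so it is never interpolated into SQL."""
    rows = conn.execute(
        "SELECT id, name, email, origin FROM contacts WHERE lower(email) = lower(?)",
        (email,),
    ).fetchall()
    return [
        Hit("crm", f"contacts/id={r[0]}", f"{r[1]} <{r[2]}> (origin: {r[3]})")
        for r in rows
    ]


def search_unstructured(files: dict[str, str], email: str) -> list[Hit]:
    """Unstructured source: regex scan of each file, keeping a little context."""
    pattern = re.compile(re.escape(email), re.IGNORECASE)
    hits = []
    for path, text in files.items():
        for m in pattern.finditer(text):
            start, end = max(0, m.start() - 20), min(len(text), m.end() + 20)
            hits.append(Hit("fileshare", path, text[start:end]))
    return hits


def response_deadline(received: date) -> date:
    """Article 12(3): within one month of receipt. Assumption: the calendar-month
    reading, i.e. the same day of the next month, or that month's last day when
    it has no such day (31 Jan -> 28/29 Feb)."""
    if received.month == 12:
        year, month = received.year + 1, 1
    else:
        year, month = received.year, received.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def compile_sar(email: str, received: date) -> dict:
    """Run every connector and assemble the disclosure bundle with provenance."""
    conn = build_crm()
    hits = search_structured(conn, email) + search_unstructured(FILE_SHARE, email)
    return {
        "subject": email,
        "received": received.isoformat(),
        "deadline": response_deadline(received).isoformat(),
        "sources": sorted({h.source for h in hits}),
        "hits": hits,
    }


if __name__ == "__main__":
    bundle = compile_sar("ada@example.org", date(2018, 5, 31))
    print(f"Respond by {bundle['deadline']}; data found in {bundle['sources']}")
    for hit in bundle["hits"]:
        print(f"  [{hit.source}] {hit.location}: {hit.excerpt}")
```

Two points worth noting from the run: the CRM match is case-insensitive, so the row recorded as `ADA@example.org` (sourced from a purchased broker list) is found and its origin is carried into the bundle, which is exactly the "information as to their source" the response must contain; and the deadline for a request received on 31 May is 30 June, not 1 July.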
Unless organisations put SAR processes in place, SARs are likely to become a serious headache after 25 May 2018, primarily because organisations rarely manage personal data in a consistent and connected manner. Proper preparation is essential if organisations want to keep SAR administration costs down.
Fines for not complying with GDPR are substantial, as is the risk of widespread negative publicity for those that fail to process SARs promptly. If you haven't built SARs into your GDPR plans, act now; with the right tools and processes in place, SARs will create minimal disruption.
David Jones, Director of Product Marketing at Nuxeo