When it came into force in May 2018, the EU’s GDPR was hailed as giving individuals greater control of their data. As part of this, Subject Access Requests (SARs) became Data Subject Access Requests (DSARs), with new requirements designed to make it easier for individuals to access the information that organisations hold about them: organisations could no longer charge a fee for a DSAR (except where a request is manifestly unfounded or excessive), and responses would have to be made within one month instead of the previous 40 days. Unfortunately, some organisations have proved woefully underprepared for the number of requests they receive and are struggling to respond within the legislated timeframe.
Failure to comply with a DSAR can result in action by the Information Commissioner’s Office (ICO), which could ultimately land the organisation with a hefty fine of up to 4 per cent of annual global turnover or €20,000,000, whichever is higher.
The challenges of DSARs
Since the introduction of the GDPR, individuals have the right to request access to the personal data an organisation holds about them, and to receive it “without undue delay and in any event within one month of receipt of the request”.
Without the right processes in place, organisations are likely to miss the time limit the GDPR sets. This becomes acute when an organisation receives hundreds or even thousands of requests. Take, for instance, London’s Metropolitan Police. In June 2019 the ICO served the Met with an enforcement notice for having more than 1,100 open requests, 680 of them more than three months old.
There are a number of challenges that such requests present to organisations. Firstly, information could be contained within hundreds of different documents that an organisation holds, including emails between the individual and the company, forms they have filled in, comments they have made, applications, transactions and so on.
Secondly, as a business grows the likelihood is that its IT infrastructure and data storage will also grow. The result is that the relevant information could be spread over on-premises servers, servers in the cloud, and employees’ personal devices.
Data getting in the way of data
Finding and collating all the relevant information about an individual, then responding by sending them a copy of their data (and, where they have also asked for erasure, deleting it), all within one month is a considerable task. It is made all the more complicated by the fact that many organisations are holding on to information about the individual that they no longer need.
The Varonis 2019 Global Data Risk Report found that nearly nine out of 10 companies had more than 1,000 stale sensitive files, while seven out of 10 had over 5,000. These are files that could contain information about a specific individual but are no longer in use. This has two clear drawbacks for those trying to track down information. The first is that it presents hundreds, if not thousands, of extra files that have to be trawled through, adding a time burden to what is already a tight deadline. The second is that those doing the searching might not be aware of this information, or, if they are, it could be so old that it does not conform to the organisation’s current naming conventions, making it harder to find by search.
Another consideration is unfettered access to data. If files lack proper access controls, employees can do what they like with the data: move or copy files without the knowledge of the system administrators, leaving multiple copies of the same information in several different locations. Our research found that more than half of all companies had more than 1,000 sensitive files open to every employee.
How to manage DSARs
The key to coping with DSARs is to be ready to respond to them before they come in. If you haven’t got the right mechanisms in place when you receive a DSAR, the chances are that you will miss something.
One of the most significant steps an organisation can take to streamline the process is ensuring that all data in its network is mapped. This means creating an index of all your data, both structured and unstructured, to help find those files containing data subject identifiers. This information can be held in any file type, including Word documents, spreadsheets, plain-text files, XML files and even zip archives. For data subject identifiers, a search needs to be able to flag the patterns, typically expressed as regular expressions (regexes), for the identifier formats used across the 28 member states, such as national identification numbers, passport numbers, personal ID numbers, VAT numbers and so on. A bare pattern match is rarely enough on its own: many of these identifiers carry check digits or prefix rules, and validating those cuts the false positives that would otherwise bury the review team.
Having such insight into the data also reveals duplicate copies and shows how recently data has been accessed. With that knowledge, information that is no longer needed can be removed from the system, by deletion or archiving. Automation is an important component so that the process can be completed quickly and with a high level of accuracy.
The final piece of the jigsaw is access. Organisations need full visibility of who has access to which data, and need to manage permissions so that data can be controlled and secured effectively. This helps avoid the ‘permission creep’ that sets in over time when access is granted too broadly and never revoked, which presents further data management challenges.
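The two preceding paragraphs describe identifier discovery across file types (including zip archives) and the duplicate detection that falls out of indexing the same files. The following is an added example, not Varonis code and not the product the author describes: a small scanner that walks a directory, reads plain-text files and the text members inside zip archives, matches a few identifier patterns (UK National Insurance number, IBAN and e-mail, all public formats), rejects regex hits that fail the format’s own prefix or check-digit rules, and reports files whose content is byte-for-byte identical. The directory tree and file contents it builds are constructed for the demonstration; the file suffix list, the zip member size limit and the pattern set are assumptions you would tune for your own estate.

```python
"""Identifier discovery and duplicate detection over a file tree.

Added example for this article; not Varonis code.  The identifier formats
(UK NINO, IBAN, e-mail) are public formats; the tree built by
build_sample_tree() is constructed data for the demo.
"""
import hashlib
import os
import re
import tempfile
import zipfile

# ---- validators: a regex hit must also pass the format's own rules ----
_NINO_BAD_FIRST, _NINO_BAD_SECOND = set("DFIQUV"), set("DFIQUVO")
_NINO_BAD_PREFIX = {"BG", "GB", "NK", "KN", "TN", "NT", "ZZ"}


def validate_nino(value):
    """UK NI number: 2 letters, 6 digits, suffix A-D, plus prefix rules."""
    v = value.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}\d{6}[A-D]", v):
        return False
    if v[0] in _NINO_BAD_FIRST or v[1] in _NINO_BAD_SECOND:
        return False
    return v[:2] not in _NINO_BAD_PREFIX


def validate_iban(value):
    """ISO 13616 check: move the first 4 chars to the end, map A-Z to 10-35,
    and the resulting integer must be congruent to 1 mod 97."""
    v = value.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", v):
        return False
    rotated = v[4:] + v[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rotated)
    return int(digits) % 97 == 1


# kind -> (pattern, validator or None); patterns tolerate the spacing people type
PATTERNS = {
    "uk_nino": (re.compile(r"\b[A-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b"), validate_nino),
    "iban": (re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b"),
             validate_iban),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), None),
}
TEXT_SUFFIXES = {".txt", ".csv", ".xml", ".log", ".md"}  # assumption: tune per estate
MAX_MEMBER = 10 * 1024 * 1024  # skip oversized zip members (zip-bomb guard)


def find_identifiers(text):
    """Yield (kind, value) for every identifier in text that passes validation."""
    for kind, (pattern, validate) in PATTERNS.items():
        for m in pattern.finditer(text):
            if validate is None or validate(m.group(0)):
                yield kind, m.group(0)


def scan_tree(root):
    """Walk root; scan plain-text files and text members inside zip archives.
    Returns (hits, duplicates): hits is a sorted list of (path, kind, value);
    duplicates maps a SHA-256 of file content to the paths sharing it."""
    hits, by_hash = [], {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            suffix = os.path.splitext(name)[1].lower()
            if suffix in TEXT_SUFFIXES:
                with open(path, "rb") as fh:
                    raw = fh.read()
                by_hash.setdefault(hashlib.sha256(raw).hexdigest(), []).append(path)
                hits += [(path, k, v) for k, v in
                         find_identifiers(raw.decode("utf-8", errors="replace"))]
            elif suffix == ".zip" and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for info in zf.infolist():
                        if (os.path.splitext(info.filename)[1].lower() not in TEXT_SUFFIXES
                                or info.file_size > MAX_MEMBER):
                            continue
                        text = zf.read(info).decode("utf-8", errors="replace")
                        hits += [(f"{path}!{info.filename}", k, v)
                                 for k, v in find_identifiers(text)]
    duplicates = {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
    return sorted(hits), duplicates


def build_sample_tree():
    """Constructed demo tree: a stale copy of one file, a zipped archive, and two
    look-alike tokens that fail validation (bad NINO prefix, bad IBAN check)."""
    root = tempfile.mkdtemp(prefix="dsar-scan-")
    os.makedirs(os.path.join(root, "hr"))
    onboarding = ("New starter J. Bloggs, NI number AB 12 34 56 C, email j.bloggs@example.com\n"
                  "Batch reference BG123456A is an internal code, not a NINO\n")
    for rel in ("hr/onboarding.txt", "hr/onboarding (copy).txt"):
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(onboarding)
    with open(os.path.join(root, "finance.csv"), "w", encoding="utf-8") as fh:
        fh.write("payee,iban\nJ Bloggs,GB82 WEST 1234 5698 7654 32\n"
                 "typo row,GB83 WEST 1234 5698 7654 32\n")
    with zipfile.ZipFile(os.path.join(root, "archive-2016.zip"), "w") as zf:
        zf.writestr("old/complaint.xml",
                    "<complaint><from>j.bloggs@example.com</from></complaint>")
    return root


if __name__ == "__main__":
    found, dups = scan_tree(build_sample_tree())
    for path, kind, value in found:
        print(f"{kind:8} {value!r:32} {path}")
    for digest, paths in dups.items():
        print("duplicate content", digest[:12], paths)
```

Run as a script it lists six validated hits (the NINO and e-mail in both copies of the onboarding note, the valid IBAN, and the e-mail inside the zipped XML) and one pair of duplicate files; the `BG123456A` token and the IBAN with the wrong check digits are matched by the regexes but dropped by the validators. The zip members are read in memory rather than extracted, and any member above `MAX_MEMBER` is skipped, so a malicious archive cannot exhaust disk or memory during the sweep. Real Word and spreadsheet files would need a text extractor in front of `find_identifiers`; that is left out here.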
To avoid unnecessary fines from the ICO for missing the one-month deadline, organisations need to get their houses in order by knowing what data they have, where it is, how to find it and who has access to it. In this way, they can beat the clock before it has even started ticking and find those records in a matter of minutes.
Matthew Lock, Technical Director, Varonis