Skip to main content

Preparing for the upcoming subject access requests pandemic

Image Credit: Bruce Mars / Pixelbay
(Image credit: Image Credit: Bruce Mars / Pixelbay)

The recent Coronavirus crisis has affected business in a way that no one could have predicted. As 8 million people in the UK have now been put on furlough, and another 2.1 million have lost their jobs, organisations should expect a surge in data subject access requests (DSAR) from furloughed and redundant employees that may make requests for the data that their employer holds on them. These requests will come in addition to those that organisations regularly receive from their customers.

Even in normal circumstances, dealing with data subject access requests is a time-consuming and costly task. In fact, Gartner found that the majority of organisations needed two or three weeks to process a single request, with its average cost reaching $1,400 (approx. £1,097). Today, with many offices under increased pressure to combine in-office and Work from Home formats, responding to the increased number of data subject requests has the potential to become an overwhelming task for businesses. Even though regulators are showing flexibility in these tough times, they do not exempt organisations from their General Data Protection Regulation (GDPR) obligations. A failure to respond to a request in a timely manner can still result in a hefty fine. Therefore, it has never been as critical as it is today to optimise data subject request management as well as eliminate any bottlenecks that complicate it.

Why does the Covid crisis make DSARs more challenging?

The remote work environment, which is prevalent in the majority of organisations today, can make DSAR management twice as challenging as usual. Even under normal circumstances, there are numerous reasons for delays in processing. Initially, an organisation often receives vague requests from the individual; once the identity of the data subject is verified, an organisation often spends extra time to narrow down the request as well to specify its scope. For example, the data subject may initially enquire about all the data that an organisation holds on them, while what they actually need is information within a certain time frame. Secondly, a Data Protection Officer (DPO) needs to work with various departments to manually collect responses for a single request. Since everyone is working remotely, it is even more challenging for a DPO to coordinate response collection. 

There’s also the issue of having to manage complex requests that require searching for the information not only in a dedicated CRM system, but include other locations where users share data, such as file shares or cloud-based file sharing platforms. This involves IT teams – the only legitimate users capable of making the search enterprise-wide. Yet now IT teams are very busy supporting remote infrastructure, which might lead to further delays in responding to such DSARs and wider IT issues.

How can data subject request management be improved?

To establish robust DSAR management in today’s environment, organisations should be guided by the 'do more with less' approach. This means that any action undertaken should help organisations prioritise their efforts in a way that enables them to process large volumes of requests effectively and quickly at minimal cost.

  • Automate the search for data

To start with, organisations should ditch manual methods in data collection. To accomplish this, organisations should automatically classify and tag sensitive data, both structured and unstructured, no matter the file type or size. It’s important to use a technology that enables them to do this remotely. Once the data is indexed, a DPO or other designated person will be able to search for the requested data by simply locating files that contain data subject identifiers, without the need to contact each department for response collection. It is also important to ensure that all sensitive data is stored in a designated location to reduce the scope of systems that an organisation must look through. Having a clear view of all data sources, with the ability to quickly search for the personal information across those sources, is a fundamental requirement to deal with more requests in less time.

  • Establish data subject request response workflow

An organisation should have a documented workflow for staff responsible for receiving different types of requests and handing them to a dedicated person. For example, a request from an ex-employee might come through HR, while a request from a customer might come through the front desk. Whoever receives the request, must be trained to engage with the requester, verify their identify, specify the scope of the request, and hand it to the DPO or another designated person. 

There should also be guidance for responding to complex requests, including the instruction for cooperation between the DPO and the legal department, for example. This type of procedure will minimise the scope of non-valid requests and will save an organisation from delays due to untrained employees and long processing time.

  • Empower non-IT employees to search for the requested data

Gathering the requested data across various data repositories is the most time-consuming stage of DSAR processing. Having only one designated person is difficult – yet, many organisations even lack such a person, and impose this obligation on an overwhelmed IT team. To address this challenge, organisations should empower non-IT employees to help the DPO or another designated person with this task. To ensure that the privacy of the individuals is not impacted while such employees search for their data, organisations should implement easy-to-use technologies that enable non-technical users to search for data enterprise-wide, while not exposing the actual data to them. 

Once the data is collected, it should be saved in a protected location for a DPO to complete the response. This will enable an organisation to effectively satisfy its data privacy commitments even when they have tons of requests.

There is no doubt that data protection regulations will further strengthen across the globe, thereby driving the demand for control over personal data from the consumers’ and employees’ side. In fact, Gartner predicts that by 2022, half of our planet’s population will have its personal information covered under local privacy regulations in line with the GDPR. Therefore, organisations should establish appropriate data subject request management procedures to ensure they can meet this demand, despite the extraordinary circumstances that we have all recently faced.

Ilia Sotnikov, VP of Product Management, Netwrix