The big public sector SAR challenge

null

Many UK public sector organisations will not be able to respond to SARS within the new GDPR deadlines, so here are key steps to ensure successful outcomes. 

There has been a lot of press about the GDPR in the run up to May 2018, and as a result more people are taking an interest in their right to know about the information held about them by public sector bodies. One of the key changes under the GDPR is the adjustment of the acceptable time frame for response to Subject Access Requests (SARs). From later this month, these organisations must respond in 30 days – 10 days faster than the current time frame of 40 working days. Unfortunately, this regulatory change will prove a major issue for many.   

What is a SAR? 

A SAR is created by section 7 of the Data Protection Act. It’s most often used by individuals who want to see a copy of the information an organisation holds about them. However, the right of access goes further than this - and an individual who makes a written request and pays a fee is entitled to be told whether any personal data is being processed. They must be given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations - or people. Finally, they receive a copy of the information comprising the data and details of its source.

A SAR can be made relating to any personal identifiable information (PII) relating to an individual that the data processor has obtained, stored and shared. An individual can also request information about the reasoning behind any automated decisions, such as a computer-generated decision to grant or deny credit, or an assessment of performance at work - except where this information is a trade secret. It’s estimated that there are over 30 different variants of PII that can be collected at any one time. The types of data vary massively – they range from HR files - to health information, images and biometric data.   

Current issues 

To gauge the status of GDPR- SAR readiness, we recently spoke to over 30 Public Sector organisations about how effectively they respond to SARs – where individuals request information an organisation holds about them. Organisations targeted included; Bank of England, Metropolitan Police, HM Treasury and Crown Prosecution Service. We asked each participant to provide us with the number of SARs they received for the last three years, dating back to 2014. All noted an increase in such requests, some more dramatic than others. The alarming truth was that few will be able to process SARs within the new, GDPR-driven response time frame.

Our research revealed that more people are taking an interest in how their information is processed, stored and shared. Overall, the 30 organisations questioned have seen an increase of 138% in SARs over the last 3 years - but the majority are struggling to deal with these additional volumes and risk GDPR penalties. Over 84% of organisations are still taking significantly longer than 30 days on average to respond to a SAR.

The longest SAR response was 351 days, and whilst conducting this study, an organisation responded in error to our SAR – and sent sensitive information relating to another request. Resources appear an issue too - as only 29% of organisations have dedicated members of staff for SAR requests. When asked about taking a proactive approach to dealing with SARs by tracking response rates, within and outside of the current deadlines - only a handful of our participants were able to answer this question.   

Steps to success 

This new age of data ownership means that organisations need to have strict policies in place. Not just to deal with the large influx of SAR requests that they are increasingly seeing, but to ensure that they can prove they’re still compliant after the GDPR comes into effect.

To take positive actions to achieve greater success with GDPR readiness, there is a twofold process. Firstly, from a people perspective – organisations must establish who will collate the information when a SAR is requested. They will also have to possess a significant understanding of both the organisation and complexities of the data regulations. Having a dedicated member of staff, or team to deal with this can help avoid problems with paper trails, and the loss or disorganisation of information.

Secondly, from a technology standpoint – organisations hold huge volumes of PII information, so they must establish what tools they can use to detect where all of this information is stored. Typically, a manual and lengthy search process could put them in danger of breaching the 30-day deadline and potentially risk a penalty fine.

The right policies and procedures need to be supported by the right technology. Conducting a data discovery exercise is a good option for organisations to provide full visibility over their data – so it can be easily retrieved.  Data Discovery works by scanning, tagging and surfacing files and data – to gain insight into key areas that include; where PII data is stored and which files are in breach of GDPR.

To seek outside help with this, organisations must only consider GDPR partners that have hands-on experience, great relationships with other experts in the field, access to specialist tools – and possesses a strong track record in regulated sectors. Also, a potential partner should already be GDPR compliant themselves. Any partner must comply with ISO 27001 to deliver the appropriate technical controls, policies, procedures and promote a culture of awareness of information security. Any potential partner should also follow ITIL best practices and help use it to implement and adapt processes for GDPR compliance.

Ultimately, with many major public sector organisations currently failing to address both the large influx of SARs – they must work towards ensuring that they are still GDPR-compliant after May 2018. Clearly, swift improvements are required by many organisations. To avoid fines, they need to put strict data policies in place, ensure staff are appropriately trained and employ the correct data management and discovery technologies too.

Andrew North, Commercial Director at Bluesource 

Image Credit: Billion Photos / Shutterstock