Data Subject Access Requests (DSARs) have always been challenging for organisations required to comply with them. Since the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) came into effect, these requests have become more burdensome, with shorter time frames and larger fines. The consequences of non-compliance are significant: fines of up to 4% of a corporation’s annual global turnover or €20,000,000, whichever is higher. As a result, companies must understand these four key issues in order to respond successfully to a DSAR.
What is a DSAR?
DSARs give individuals the right to find out what personal data about them is being held by an organisation, why the organisation is holding their data and what is being done with their data by that organisation. The definition of personal data has also been updated with the introduction of GDPR: it covers not only names, addresses and personal identifiers, but also online identifiers including IP addresses, location data and internet cookies.
That being said, a document containing an individual’s name does not automatically constitute personal data. A document must directly discuss the individual or their activities. Simply copying that individual into an email chain, so that their name appears in the document, does not necessarily make that email their personal data; the determination should be made on the entirety of the document’s content.
How have DSARs changed under GDPR?
Prior to the GDPR and DPA 2018, DSARs were covered by the EU Data Protection Act of 1998 (DPA). Many aspects have stayed the same, but there are several differences between the two regimes, including a reduction of the response time from the original 40 days to one month. Organisations can, however, extend the deadline by a further two months where a request is complex or where a number of requests have been received from the same individual.
The fee for dealing with a DSAR under the DPA was originally £10; this fee has now been removed entirely. That being said, if a request is seen to be excessive or unfounded, a “reasonable fee” for administrative costs can be charged.
What are companies obligated to provide?
An organisation responding to a DSAR must provide the following:
- Confirmation that the organisation is processing their personal data;
- A copy of their personal data (without disclosing other individuals’ personal data);
- The purpose for holding their personal data;
- Who their data is disclosed to;
- The retention period for the data;
- The existence of the right to request deletion or restriction of their data; and
- The source of the data.
Under GDPR organisations are also required to “provide the information in a commonly used electronic format, unless the individual requests otherwise”.
How can organisations meet these obligations?
In order to prepare for and successfully meet DSARs within the allotted time frame, organisations should review and update their internal policies and procedures for handling DSARs. Organisations should also update their IT systems to ensure personal data can be quickly isolated, transferred or deleted in accordance with a DSAR. In order to identify, and in turn disclose, an individual’s personal data, eDiscovery expertise and technology can make a significant difference to meeting the employer’s obligations. Tools and workflows developed for document review can be used to help comply with DSAR requirements and ensure that the strict timelines are met.
As an example, forensic teams can assist with data scoping: identifying where personal data may be stored, how to search it where possible, and how to collect this data in a defensible and cost-effective manner. The use of Early Case Assessment and culling techniques such as de-duplication, filtering and keyword searching can significantly reduce the size of the data. Analytical tools such as Textual Near Duplication and Email Threading can limit the review population further, reducing the number of documents for review and redaction.
Disclosure of confidential, sensitive or personal information (not relating to the requestor) is a key concern when providing documents to the requestor, therefore accurate redaction is of paramount importance. Redaction technologies, including auto-redaction tools designed to identify and safeguard personal information, can quickly find sensitive data that follows known patterns, such as National Insurance numbers, credit card numbers, addresses and phone numbers.
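The two steps just described, culling exact duplicates and then pattern-based auto-redaction of third-party identifiers, can be shown in a short script. The following Python example is added here for illustration; it is not code from the article or from any eDiscovery vendor. The sample emails, the identifiers in them and the function names (`deduplicate`, `redact`, `process_review_set`) are all constructed for the example. Two details matter for a DSAR specifically: the requester’s own identifiers are left in place, because that is the personal data being disclosed, while other individuals’ identifiers are redacted; and a plain regex over-matches, so the script applies the Luhn checksum to card candidates and HMRC’s prefix rules to National Insurance candidates before redacting, and keeps counts of what it rejected so a reviewer can check them.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed sample review set: three short emails as they might sit in a
# DSAR collection. The third is a verbatim forward of the second. None of the
# values are real: the card number is the well-known Visa test number and the
# NI numbers are made up.
SAMPLE_DOCUMENTS = [
    "From: payroll@example.test\nSubject: Starter details\n\n"
    "Hi Sam, your NI number AB 12 34 56 C is on file.\n"
    "Your colleague's NI number is CE654321A and must not be disclosed to you.\n"
    "Card used for expenses: 4111 1111 1111 1111\n"
    "Order reference: 1234 5678 9012 3456 (a reference, not a card)\n"
    "The string BG123456A looks like an NI number but the prefix is never issued.\n",
    "From: hr@example.test\nSubject: Leave\n\nSam's leave balance is 12 days.\n",
    "From: hr@example.test\nSubject: Leave\n\nSam's leave balance is 12 days.\n",
]

# HMRC NI format: two letters, six digits, suffix A-D, optional spaces.
# First letter may not be D, F, I, Q, U or V; second letter additionally not O;
# a handful of prefixes are never issued.
NI_PATTERN = re.compile(
    r"\b([A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z])\s?(\d{2})\s?(\d{2})\s?(\d{2})\s?([A-D])\b"
)
NI_FORBIDDEN_PREFIXES = {"BG", "GB", "NK", "KN", "TN", "NT", "ZZ"}

# Card candidates: 13 to 19 digits, allowing single spaces or hyphens between digits.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment cards; rejects other long digit strings
    (order numbers, reference ids) that the regex also matches."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def deduplicate(documents: Iterable[str]) -> List[str]:
    """Drop exact duplicates by SHA-256 of whitespace-normalised content,
    keeping the first copy in original order."""
    seen, unique = set(), []
    for doc in documents:
        digest = hashlib.sha256(" ".join(doc.split()).encode("utf-8")).hexdigest()
        if digest not in seen:
            seen.add(digest)
            unique.append(doc)
    return unique


@dataclass
class RedactionResult:
    text: str
    counts: Dict[str, int] = field(default_factory=dict)


def redact(text: str, requester_identifiers: FrozenSet[str] = frozenset()) -> RedactionResult:
    """Redact third-party NI numbers and Luhn-valid card numbers; the requester's
    own identifiers (normalised: no spaces, upper case) are left in place."""
    own = {re.sub(r"\s", "", ident).upper() for ident in requester_identifiers}
    counts = {"ni_third_party": 0, "ni_requester": 0, "ni_rejected": 0,
              "card": 0, "card_rejected": 0}

    def ni_sub(m):
        ni = "".join(m.groups()).upper()
        if ni[:2] in NI_FORBIDDEN_PREFIXES:      # looks like an NI number but cannot be one
            counts["ni_rejected"] += 1
            return m.group(0)
        if ni in own:                            # the requester's own data: disclose it
            counts["ni_requester"] += 1
            return m.group(0)
        counts["ni_third_party"] += 1
        return "[REDACTED NI]"

    def card_sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):               # regex hit that fails the checksum
            counts["card_rejected"] += 1
            return m.group(0)
        counts["card"] += 1
        return "[REDACTED CARD]"

    text = NI_PATTERN.sub(ni_sub, text)
    text = CARD_PATTERN.sub(card_sub, text)
    return RedactionResult(text, counts)


def process_review_set(documents: Iterable[str],
                       requester_identifiers: FrozenSet[str] = frozenset()
                       ) -> Tuple[List[str], Dict[str, int]]:
    """De-duplicate, then redact each surviving document; returns the redacted
    texts and summed counts for the reviewer's log."""
    totals = {"ni_third_party": 0, "ni_requester": 0, "ni_rejected": 0,
              "card": 0, "card_rejected": 0}
    out = []
    for doc in deduplicate(documents):
        result = redact(doc, requester_identifiers)
        out.append(result.text)
        for key, value in result.counts.items():
            totals[key] += value
    return out, totals


if __name__ == "__main__":
    texts, totals = process_review_set(SAMPLE_DOCUMENTS, frozenset({"AB123456C"}))
    for t in texts:
        print(t)
    print(totals)
```

The rejected counts are the point of the design: anything the regex matched but the validation rule discarded is exactly what a human reviewer should spot-check, because a real third-party identifier with a typo would land there. Patterns such as addresses and phone numbers, which the article also mentions, have no checksum, so for those the reviewer’s check carries more weight.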
Not all eDiscovery service providers are equipped to help companies respond to DSARs. The workflow in a litigation context is different from that of a request to find all information held about an individual. That is why it is important to discuss these issues with an experienced service provider who can identify the most cost-effective techniques to ensure compliance.