Our Insights

Thought Leadership and Industry Trends

Home 9 Insights 9 Insights - International and Cross-Border 9 How eDiscovery Technology Can Improve Compliance with Data Subject Access Requests

How eDiscovery Technology Can Improve Compliance with Data Subject Access Requests

Nov 20, 2018

Data Subject Access Requests (DSAR’s) have always proved to be challenging to organisations who are required to comply with a request. Since the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) went into effect these requests have now become more burdensome, providing shorter time frames and greater fines. The consequences of noncompliance are significant resulting in fines of up to 4% of a corporation’s annual global turnover or €20,000,000 (whichever is higher). As a result, companies must understand these four key issues in order to successfully respond to a DSAR.

What is a DSAR?

DSAR’s give individuals the right to find out what personal data about them is being held by an organisation, why the organisation is holding their data and what is being done with their data by that organisation. The definition of personal data has also been updated with the introduction of GDPR, covering not only names, addresses, and personal identifiers, but also covering online identifiers including IP addresses, location data and internet cookies.

That being said a document containing an individual’s name does not automatically constitute personal data. A document must directly discuss the individual or their activities. Purely copying that individual into an email chain and having their name display in a document does not necessarily identify that email as being their personal data and a determination should be made on the entirety of the documents content.

How have DSARs changed under GDPR?

Prior to the GDPR and DPS 2018, DSARs were covered by the EU Data Protection Act of 1998 (DPA). Many aspects have stayed the same, but there are several differences between the two regulations, this includes reducing the response time down to one month from the original 40 days. Organisations can however look to extend the deadline by a further two months, where requests are seen to be complex or if a number of requests from the individual have been received.

The fees for dealing with a DSAR under DPA was originally £10, this fee has now been removed entirely. That being said, if the requests are seen to be excessive or unfounded a “reasonable fee” for administrative costs can be charged.

What are companies obligated to provide?

An organisation responding to a DSAR must be provide the following as part of a DSAR:

Confirmation that the organisation is processing their personal data;
A copy of their personal data (without disclosing other individuals personal data);
The purpose for holding their personal data;
Who their data is disclosed to;
The retention period for the data;
The existence of the right to request deletion of restriction to their data; and
The source of the data

Under GDPR organisations are also required to “provide the information in a commonly used electronic format, unless the individual requests otherwise”.

How can organisations meet these obligations?

In order to prepare and successful meet DSAR’s within the allotted time frame, organisations should review and update their internal policies and procedures for handling DSARs. Organisations should look to update their IT systems to ensure personal data can be quickly isolated, transferred, or deleted in accordance with a DSAR request. In order to successfully identify, and in turn disclose individual’s personal data, eDiscovery expertise and technology can make a significant difference to meeting the obligations of the employer. Tools and workflows developed to respond to document reviews can be utilised to assist with complying with DSAR requirements ensuring that the strict timelines are met.

As an example, forensic teams can assist in data scoping, identifying where personal data may be stored, if possible how to search it, and how to collect this data in a defensible and cost effective manner. The use of Early Case Assessment and culling techniques such as de-duplication, filtering and keyword searching can significantly reduce the size of the data. Utilising analytical tools such as Textual Near Duplication and Email Threading can also limit the review population further, reducing the number of documents for review and redaction.

Disclosure of confidential, sensitive or personal information (not relating to the requestor) is a key concern when providing document to the requestor, therefore accurate redaction is of paramount importance. Utilising redaction technologies including auto-redaction tools which are created to identify and safeguard personal information can be used to quickly find sensitive data with certain patterns such as National Insurance numbers, credit card numbers, addresses, phone numbers, etc.

All eDiscovery service providers may not be equipped to help companies respond to DSARs. The workflow is different in a litigation context than it is in the case of a request to find all information held about an individual. That’s why it’s important to discuss these issues with an experienced service provider who can identify the most cost-effective techniques to ensure compliance.

CDS provides a full-range of advisory services. To discuss how we can assist you with DSARs, contact us for a consultation.

About the Author

Mark Anderson

In his role as Director of UK Operations for CDS, Mark Anderson provides project management and expert consulting through all stages of eDisclosure and eDiscovery. Mark works alongside corporate and law firm clients to identify data for collection and advises on best practices for collection of data, data processing, and document review workflows. He has supervised multi-national teams and has experience working on some of the largest, most challenging matters, including cases involving cross-border issues and the application of technology assisted review (TAR). Prior to joining CDS, Mark conducted forensic collections, assisted with data investigations, and served as a project team lead for multiple international legal technology service providers. Mark holds multiple Relativity certifications including Relativity Master and is an Encase Certified Examiner.

There are no upcoming events at this time

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gcl_au	3 months	This cookie is used by Google Analytics to understand user interaction with the website.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
_hjFirstSeen	30 minutes	This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
oktgid	1 year	This cookie is used for storing the visitor ID of the user who clicked on an okt.to link.
oktsid		This cookie is used for storing the session ID of the user who clicked on an okt.to link.
pardot	past	The cookie is set when the visitor is logged in as a Pardot user.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
fr	3 months	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
_dc_gtm_UA-109542572-2	1 minute	No description
_hjAbsoluteSessionInProgress	30 minutes	No description
_hjid	1 year	This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInPageviewSample	2 minutes	No description
_hjTLDTest	session	No description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 8 months 26 days 9 hours 2 minutes	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

Our Insights

Thought Leadership and Industry Trends

How eDiscovery Technology Can Improve Compliance with Data Subject Access Requests

Mark Anderson

Our Blog

Sign Up for Our Newsletter

About CDS