This article was originally published by HelloDPOLaw in Privacy Laws & Business in the UK, written by Jenai Nissim and Claire Saunders.
Even if you have got the basics down to a fine art, a policy and procedures in place, templates and exemptions assessments to help you navigate data subject access requests (DSARs), if a significant DSAR crosses your desk, dealing with it can still be a daunting prospect. In this article, we discuss how you can prepare for the inevitable eventuality of dealing with a DSAR and the assistance that can be provided by technological solutions, specifically, the deployment and use of AI.
Action stations!
As we all know, with any DSAR, being ready to jump into action is essential in order to maximise the short one-month time frame for response. Making sure you have tried and tested operational procedures in place is crucial. Even if you have never had a DSAR before, knowing in advance how you would handle one and who to ask to help with locating and retrieving data forming part of the DSAR can save you valuable days once the clock starts ticking.
You will also need to take all the practical steps that you would take for any DSAR, for example diarising the time limit and, if necessary, confirming the requester’s identity and clarifying the scope of the request. In addition to this, there are some steps you can take to prepare for more complex/high volume DSARs which may make things run more smoothly should the situation arise.
Consider the timescale at an early juncture, remembering that you will need to tell the individual within the original timeframe if you intend to extend the time period for responding, providing defendable justifications for your decision to extend.
Assemble your internal team. If your DSAR is an employee DSAR (which are perhaps the most common high data volume and most complex DSARs), engaging with legal and HR is a good idea (although if the situation is contentious you will need to consider the circumstances of the DSAR to determine who is appropriate to be involved in the DSAR). It is also likely that your IT team will need to be involved to help with the identification and collation of information.
Involve your external advisors as soon as possible. A quick email/phone call to a trusted advisor can help set the foundations for the DSAR, help you put things in motion and provide reassurance. We have found that if clients provide us with the exact scope of the DSAR, details of the types of documents involved in the search and the full context of the relationship with the data subject (including any ongoing disputes), this allows us to provide quicker, more accurate estimates to clients and to get started as quickly as possible.
Identify the risk/sensitivity associated with the DSAR. For example, if the DSAR relates to an ongoing contentious situation, legal professional privilege and the exemption in relation to negotiations may need to be considered alongside any other applicable exemptions, for example the third-party data exemption.
Identify who can provide technical support to assist with DSAR review. When you engage with a third party, as you will be sharing personal data with them, you will need to ensure you are satisfied they can comply with applicable data protection obligations and appropriate data protection contractual terms are in place. Doing this whilst the clock is ticking on the DSAR may add unnecessary time pressure, so we recommend establishing this relationship as part of your documented DSAR procedure.
Another step which can be taken in advance of receiving a DSAR is to consider having criteria in place to ensure all DSARs are quickly escalated internally and dealt with at an appropriate level. Once the DSAR is identified, consider how you define a complex or large volume DSAR and the steps you will take to make those who are likely to receive a DSAR aware of the processes in place to deal with them. To ensure this process works efficiently it is critical to train teams and/or individuals on not only how to identify a DSAR, but how to identify what is “personal data” to ensure that the scope of the search for personal data does not lead to vast quantities of information which do not fall within the DSAR. Implementing small but critical steps such as these can save hours of time when the review of the DSAR information commences. This will also keep costs lower, which is another worthy benefit.
Deploying AI to assist with DSARs
For many years, providers have offered a number of non-AI based options to assist organisations in responding to DSARs. At the most basic level, software can be used to search for key words, restrict searches to specific time periods, thread emails to avoid duplicate email chains being reviewed and to remove duplicate information and documents, but as we will explore below, there are now more sophisticated and, dare we say, exciting ways in which these solutions can assist with DSARs.
To get a more holistic view of the current and potential future use of AI in the context of DSARs, we called on the expertise of two companies that we have previously partnered with, Complete Discovery Source Inc. (CDS) and Consilio LLC (Consilio), both of which provide (amongst other things) traditional and AI enabled solutions to assist organisations responding to DSARs.
So how can AI help with DSARs? Both companies recognise that AI is most useful in the case of DSARs involving large volumes of information. Where there are small numbers of documents at play, AI may not offer benefits over and above human review; however, using a software tool for redacting documents is still more favourable than the “old” redaction pens!
A theme identified by both companies was that of an intelligent approach to data extraction and manipulation.
Donald MacDonald of Consilio acknowledges the role to be played by AI in selecting and performing redactions on data, noting that the use of AI “applies some consistency to the process”. This removes the issue with complex DSARs where multiple individuals are required to work on a DSAR, and inevitably human logic and decisions result in inconsistencies in the way in which exemptions are applied and documents are redacted.
In terms of audio and video content, Mark Anderson of CDS highlighted the use of transcription and facial recognition to enable effective searches, as well as the ability to translate information into English where this is needed, saving hours of manual review time in some cases.
Donald explained that solutions can potentially identify “themes of interest” which may be of real interest where the DSAR relates to a specific event or process, where the use of natural language queries and the results they produce can be contrasted with more traditional search methods.
Getting the most out of AI assistance
Mark highlights that the use of AI can create a more strategic approach to fulfilling a DSAR and offered some helpful tips:
- Find out what solutions are on offer. Mark notes that “many vendors offer AI powered features that may not be fully utilised.”
- Apply quality control before hitting a live environment by running parallel tests in your data environment, comparing manual and AI assisted review, which was identified by Mark as a “low risk way to evaluate performance.”
- Don’t forget to review the performance of the use of AI, reflect on lessons learned and the value brought to the process by AI, setting you up for increasing confidence in results.
What potential advantages do AI enabled solutions offer when compared with traditional methods?
Speed and cost reduction were recognised as advantages, as was a uniformity in approach which may be missing from human review when handling DSARs.
Mark also points to “increasing evidence that AI, when properly trained and deployed can outperform human reviewers in terms of accuracy.”
Donald identified that natural language questions may lead to more intuitive responses from the data when compared with key word searches: a more nuanced approach.
The flipside to this, as acknowledged by both providers, is that, whilst AI is advancing at a significant rate, these technologies are still in their infancy. Mark identified a weakness in many AI models’ ability to draw inferences across documents rather than viewing them in isolation, something which a human reviewer is more readily able to do. Both organisations recognise the continuing need for quality control, from initial testing to human input in the review, with Donald commenting that the output “should be validated and signed off by the review team.”
Data protection in the use of AI
Before deploying AI to assist with responding to a DSAR, organisations will need to undertake testing to ensure they are confident that the output will be accurate. Organisations will also need to check whether data that is input into the platform is being used by the platform provider for their own purposes (for example to train their model to continue to improve their products). A full and effective risk analysis, based on the particular use case and the circumstances of the DSAR in question, should therefore be undertaken, taking into account applicable data protection and AI regulations.
Organisations will need the assistance of the platform provider for this. Companies operating in this space should be used to data protection and AI related enquiries and should therefore be able to provide information needed to justify the approach taken when deploying AI for such purposes.
The future
So what does the future hold for AI assistance when handling DSARs?
Mark predicts a shift from a fully assisted human review process to end-to-end automation, envisaging a situation where one can “input a plain-language explanation of the request specifying scope, subject, timeframe and have the system automatically identify relevant documents, perform redactions, exclude third-party data, and generate a disclosure-ready bundle for release.”
Both interviewees predicted increasing accuracy with AI as the technology develops which, as anyone who has spent some time using large language models can attest, seems to be happening at pace.
Donald considers an area in which AI could assist in future is in “targeting documents before extraction from the source applications to avoid large volumes of irrelevant material being pulled and reviewed” and the use of natural language prompts to identify privileged/sensitive or confidential information which may need consideration prior to disclosure.
We also wonder if AI may have a role to play in the provision of information in a meaningful manner. The ability to digest and summarise large quantities of technical data could prove useful in situations where simply providing the raw data would not provide meaningful information to the individual.
Whilst it is still early days, there certainly seems to be potential for real time and cost savings and it is only through this phase of trialling, reviewing, refining and testing that we can hope to make these tools more useful in the long run.
Even if you have no immediate plans to use AI to assist with responding to DSARs, it is advisable to get familiar with and keep abreast of the changes in these technologies, to understand the risks and the benefits associated with them and to know what your obligations are in respect of deploying them.
Our thanks to Consilio and CDS for taking the time to give us their insight into the evolving world of AI assisted DSARs.

