If your business has been on the receiving end of data subject access requests (DSARs) over the years, you will understand the length of time these take to process. We all know and respect the need for individuals to have the right to request a copy of all data held on them by an organisation. However, given the introduction of the General Data Protection Regulation (GDPR) in May 2018 and the growing prevalence of businesses using multiple digital platforms, the potential scope of an individual’s data footprint has increased exponentially, and so has the time and resources these requests require. Responding to DSARs has now become a costly and risky activity if not well managed.
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data from you, as well as other supplementary information. It is a fundamental right for individuals. It helps them understand how and why you are using their data and check you are doing it lawfully.
Large organisations, in response to an increase in the volume of requests, have now gone as far as employing teams of people purely to manage and respond to data subject access requests. Some businesses are electing to settle employee tribunals out of court, paying the price in settlement fees to avoid the process of trawling through records as part of a DSAR from employees. Gone are the days when this could be managed off the side of someone’s desk!
If your business requires you to process people’s data – it’s worth taking the time now to consider the long-term impact of data subject access requests.
Is your business operationally ready to respond to these requests, especially as the volume and scope of them is likely to keep growing? Alas, there isn’t any technology that can manage these requests for you (yet). So here are 6 practical steps to ensure that DSARs don’t consume unnecessary time, money and pain in your business or distract you from your core business activities and objectives.
Make sure you are fully aware of the scope of what has to be included in your responses to these requests. It’s no longer just systems, documents or emails, but also anything written about an individual on social media platforms (Facebook, LinkedIn etc.) and messaging services (WhatsApp), as well as any other comms platforms you use internally (Microsoft Teams, Skype, Zoom etc.). It is only once you get your head around the full scope that you’ll be able to put the necessary processes and training in place internally to ensure you fully comply with the requirements. The Information Commissioner’s Office has ample guidance – start here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/right-of-access/
Are you a data controller or a processor or both? At The Curve Group, we are both – we process our own data and also data on behalf of clients. It is always the data controller who is ultimately responsible for complying with DSAR, not processors. However, if you are a processor, you will likely have clauses in your contracts with clients or partners (the data controllers) that clearly set out what is expected of you in your role as a data processor.
Put yourself in the shoes of both the individual requesting the data and the person in your business responsible for collecting the data. How is the request received? Who takes responsibility for compiling the data, and how do they do it? Responding to a DSAR can require a lot of time and work within a short timeframe.
Once you’ve done your research, identified your responsibilities and mapped out the processes, it’s key that your policies and processes are updated to reflect the requirements. Check your GDPR / Data Usage policy and make sure it contains sufficient detail about any data that’s in scope, how to respond to DSAR as well as who the go-to people are in the business to support the responses. It’s also important to check other policies which include information on how social media, mobile phones and messaging platforms should be used so that all employees are made aware that these platforms are also in scope for access requests.
Educate your Line Managers and employees on the implications of DSAR. Train them on your policy and explain the processes to them. Make sure they realise the full scope of where data can be extracted from – it will probably make them more mindful of what they are writing down and the data they are keeping, which in turn will embed better practices and protect your business from litigation.
Ask your Data Protection Officer to submit monthly reports on all forms of data requests to your Executive Committee. It’s really important that a running log is maintained, and new requests are shared with the leadership team. That way, it’s easier and quicker to identify and remedy any processing issues you may have or recognise where any additional training is required.
As an outsourcer, we have invested significantly in our data processes in order to give our clients the assurance that we fully comply with the requirements of GDPR. We also have robust processes in place to manage any DSAR. Ultimately this means that individuals receive their data in an efficient time period, our clients comply with the legislation and our teams are not distracted from delivering our core services to our clients.
If you haven’t yet made room in your business for processing DSARs, now’s the time. DSARs are not going to go away. If anything, they are likely to become increasingly commonplace. So the more your business can prepare, the less impact processing the requests will have.