The difficulty with DSARs

By Steven Orpwood, Business Analyst and DPO

February 2020

Almost 21 months into the application of the GDPR, things should have settled down. Governance structures should be in place, policies and associated processes should have been created and testing should be scheduled. Organisations should be data protection savvy.

Perhaps that is true for some, but for many the word “should” is key. What should be in place, and what should be working effectively and efficiently, is not.

In particular, a recent report highlights organisations’ failure to correctly manage the basic right of data subject access. DSARs can be difficult to fulfil, given the volume of data involved and complex storage mechanisms, and they can incur a significant internal cost and be resource intensive. But the concept is simple: receive a request, validate the requestor, collate the data, review it, remediate where necessary, and send it to the data subject. Yes, requests involving significant volumes of data add complexity, but clear communication with the requestor can reduce the impact of even this hurdle.

This process, which should by now be well rehearsed, exhibits a particularly high failure rate, especially in verifying the requestor’s identity and in providing the requested data within the timescales set out in the regulation. In fact, the report suggests that less than 50% of organisations are able to respond within the required timescales, and only a fifth of companies ask for proof of ID – surely a recipe for disaster.

So what can be done to manage this situation? Well, several things will help. First, it’s essential that you review the data you hold and how it’s stored, and construct a data inventory and associated data maps. Admittedly, this is a big task, but it’s essential for demonstrating accountability, purpose limitation and data minimisation, as well as giving you a route to fulfilling access requests. Secondly, you can test your processes: a simple step, but one that is often missed, or planned but never executed. A test is the only way to establish your weaknesses and pinch points. Finally, a tool that automates much or all of the process will remove much of the cost associated with a resource-heavy manual process. At Aim, we have developed dataBelt® to fully manage the entire GDPR process, including DSARs – from indexing structured and unstructured data to making access requests manageable in a fraction of the time, and at a fraction of the cost.
