Data Subject Access Requests are on the increase, and completing them is an increasing nightmare. According to a report by Peter Tyndall, Ombudsman, Information Commissioner, and Commissioner for Environmental Information of Ireland, 39,904 data subject access requests were made to public bodies alone last year in Ireland. In the same report, Tyndall noted a 179% jump in Freedom of Information requests since 2009. More than 40,000 requests were made under the Freedom of Information Act last year (2019).
Have you asked yourself the following questions? If you received a DSAR or FOIA tomorrow, how would you deal with it? Do you need help with urgent data requests? Can you access your data quickly and easily to fulfil DSAR and FOIA requests in the time allowed?
We invited Margaret Julian, founder of GDPR Audits, to give us her Top Tips for completing Data Subject Access Requests.
Top Tips for Completing a Data Subject Access Request
Companies, it would seem, are receiving more Data Subject Access Requests in 2020 than they have in recent years. It does make you wonder if Covid19 has had an impact on this increase or do we just want to blame everything on the coronavirus.
Nonetheless, if one lands on your desk do you feel that you are armed to deal with it? We have put together top tips for completing a data subject access request to help you do just that.
1. Know who it is to go to
Time is of the essence when dealing with a data subject access request. Given that you have a month to respond to one, you don’t want to be wasting time having it go from desk to desk. If your company has a Data Protection Officer, then it’s an easy task. But if not, then it’s important that all staff are aware of what the process is. So, if you don’t already have a policy, then now is the time to draw one up to ensure that it gets to the right person at the right time.
2. Focus on the request, not the individual
This is particularly important if the request has come in from an employee. The request may be made on the back of an internal dispute or as a result of disciplinary action. The employee themselves may be known to be vexatious. The request may even contain aggressive language. Nonetheless, it is best to be careful in your assessment of whether a request is complied with or not, as it is very difficult to justify a refusal of a request.
3. Never assume you can use an extension
Whilst the initial timeline is one month, it is possible to request to extend the timeline up to two further months. However, not starting the process straight away will put you on the back foot and an extension should only be justified if, from the start, you can see that it will take longer than a month to process. It is best to notify the individual at the start rather than waiting for the deadline to be up.
4. Set the scope of the request
If an individual looks for “everything”, it is acceptable to ask them if it is possible to be more specific. They may have something in particular in mind, that is on a particular system. Try to avoid using the term “narrowing your scope”, as it may appear like you are limiting their request. It’s also worth noting that a Data Subject Access Request applies only to personal data, and a request for commercial documentation will fall outside the scope of the request.
5. Don’t be worried about what you find
All employees should be aware of the rights of individuals in relation to their data. Particularly that a copy of personal data held can be requested. Having policies in place that ensure you think before you write in an email or file about a person will reduce the chances of any nasty surprises in an access request (which can lead to legal cases). Always keep it factual, not personal.
6. Know how and when to redact
The GDPR allows for a subject access request to be made once it doesn’t affect the rights and freedoms of others. So, if there is information about a third party in the same file/page/email, this must be redacted. Unless of course, you have the consent from that individual. It is also worth remembering (particularly for point no. 5) that an opinion given in confidence is exempt from a subject access request, and this may be redacted also.
7. You must justify all redactions
Before you get happy with your black marker (or more sophisticated technology) remember that you must document a justification for every redaction you make.
8. Consider reducing the data that you hold
We are of course obliged to only hold information that is necessary to carry out our work, but the more data you hold, the more nightmarish a subject access request can be. This could particularly be relevant for unstructured data. Having generic mailboxes for departments instead of using personal email addresses will be one less area to have to trawl through when it comes to a subject access request.
9. Be aware of the various forms a subject access request can come in
Don’t be fooled into thinking it has to be a formal process. A subject access request can come over the phone, through social media or in any other format. Make sure your frontline staff recognise this and can escalate it immediately. The clock is ticking!
10. Be kind to yourself – let technology help you
No one wants to be that poor soul that must trawl through system after system to compile a response. It takes up time and resources that could be put to good use elsewhere. Research how technology can make the process easier for you and don’t be filled with dread at the suggestion of a Data Subject Access Request.
If you are still bogged down at the thought of a subject access request or anything else GDPR related, get in touch. We love all things GDPR and we were set up to help companies like yours to navigate through the regulation. Our aim is to get you on that golden road to compliance! We are just a zoom or a team meeting away from a quick chat so contact us on [email protected]
Many thanks to Margaret Julian for her contribution to this week’s post. We hope you found her top tips helpful. For more information on this topic, view our most recent on-demand webinar, where Margaret was a guest speaker: So you’ve gotten a DSAR – Now what?
Let Technology Help You
As Margaret has said above, be kind to yourself and let technology help you. Let’s think about it: how would you manage to search all the terabytes of data to find a single piece of information in the tight timeframe, and all while fulfilling your day-to-day activities? DSARs cannot be ignored. Data controllers have a statutory obligation to respond to requests of this nature and failure to do so could lead to enforcement action.
Electronic searches and eDiscovery tools cannot completely replace human involvement but they can conduct a lot of the ‘early stage’ work to limit the amount of human intervention. As a result of the Covid outbreak, employees off sick, and remote working, our time is precious. Tools can automate the process and enhance reliability. It is not just a question of cost saving but time saving also.
Waterford Technologies Solutions offers full Search, Retrieval, Review, Tagging and Export for DSARs and eDiscovery investigations. Sign up for a customised demo today and you can see first-hand how our solutions search through millions of Email and File data in seconds. ComplyKEY’s advanced search interface and extremely fast response time enable you to quickly and easily respond to legal discovery requests.