A data subject access request (DSAR) from a customer, ex-employee or another party has the potential to distract your valuable business resources from their core duties, divert management attention and, where obligations are not met, expose your company to reputational damage and financial penalties.
DSARs can be received at any time from anybody whose data your organisation stores. This obligates the organisation to provide all relevant information that it holds on the person in question within one month of receipt.
Johnson Hana has extensive experience in supporting clients in responding to DSARs with a combination of experienced legal professionals, industry-leading technology and project management expertise. The following are some of our top tips for organisations preparing for or responding to an access request:
1. Fail to prepare, prepare to fail
Identifying and implementing best practice in advance of receiving a DSAR is key to the success of your response. Observing good “data hygiene” by using a retention policy and routinely deleting data that is no longer required can minimise the volume of data that must be sifted through on receipt of a request. Maintaining a data inventory showing what information is stored and on which systems will allow you to target your searches depending on who the data subject is.
On the human side, identify your key resources in advance of receiving a request. Who will be responsible for leading the response? Is there a dedicated point of contact within the IT department to help with the technical side of things? And who will review documents before sending? A simple process covering the key steps needed will stop you from scrambling when a request arrives.
2. Keep your eye on the clock
The legislation requires that you respond to the request without undue delay and at the latest within one month of receipt. This time starts when anyone in your organisation receives the request, regardless of role. However, will that person recognise the request for what it is? We often speak to clients who have lost the first five days as a request languished in a customer service queue or passed from desk to desk looking for the right owner. Some basic awareness training can ensure that the request is identified and treated with the right level of urgency.
Separately, assess the size of the request as soon as possible (see our point on scope below). If the volume and complexity warrant it, consider whether it is necessary and appropriate to avail of the time extensions within the legislation.
3. Review scope is everything
If you do not know what you’re looking for, you’re at a disadvantage from the start. Ensure that the scope of the request is clear. If the original request does not give a date range or if it seems unduly broad, it is entirely appropriate to reach out to the data subject to clarify. Often people have a specific motivation for the request and can be agreeable to using search terms or date ranges if it means a faster response. This will all prove valuable during the data gathering stage where your IT team can exclude documents immediately, saving costly and time-consuming review.
Also consider your exemptions when it comes to data – are there considerations around legal privilege on some correspondence or industry specific exemptions such as journalistic privilege? You will also need to consider the rights of third parties in your response and how you can exclude their personal data from the request.
4. Getting it done
While you are answering the major questions regarding the review, don’t lose sight of the operational side. Once documents are gathered, how will you review them? Printing documents and redacting manually might work for small volumes of data but quickly becomes unruly. It also creates issues around revisions, quality checks and even secure storage. There are many technology options out there but how quickly can they be put in place? Who will carry out the necessary admin? And will your reviewers require training in advance?
Also important is considering how to control the review. With a deadline looming it is important to be able to track not only how much work is done but predict how quickly the remainder will be completed. Quality is also a key concern. Do you need a process where documents are double checked before sending? Accidentally disclosing a third party’s data during a review is a real concern and needs careful consideration.
5. When to call in the experts
Know when to ask for help. Organisations often underestimate the complexity of responding to a DSAR until they are in the midst of it. Some red flags that can indicate the need for external assistance include:
- Large volumes of data which cannot be reduced through discussion with the data subject;
- Insufficient team size to work through the data within the required time limits; and
- Data that is particularly sensitive, complex or may be subject to litigation in the future.
As an example, several of our clients are happy to deal with a DSAR from their customers but would look for assistance on a request involving a long-serving employee who has left on less than positive terms. For others, there is a value in handing off any and all DSARs to allow their employees to focus on core duties.
A specialist provider like Johnson Hana can bring significant advantages over completing a review in house or using a traditional law firm. We can bring specialist technology to bear to dramatically reduce the number of documents for manual review, sometimes by up to 90%. We also provide a rapidly scalable team of experienced and fully qualified legal professionals to complete your review to a high standard.
Finally, we provide professional project managers who have extensive experience with DSARs to lead the review team, address issues and keep you informed on progress. All of this is delivered at cost savings of up to 50% compared to a traditional provider such as a law firm.
For more information, please contact us by email: [email protected]
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. It does not purport to constitute legal advice and should not be relied upon by any party.