Even in organisations that set very high standards for data governance, the sheer number of systems makes it possible to overlook data. For those of us who work in more typical organisations, where rules on data classification may be a little more flexible, and where business users may occasionally slip below the corporate radar, the data we’re looking for can seem like the proverbial needle in the haystack.
Not being able to find a relevant email or document is certainly annoying, and it could occasionally mean the difference between closing a sale and losing out to a competitor. But when it comes to compliance with data-protection legislation, improperly governed data represents a far more significant risk. Under the General Data Protection Regulation (GDPR), individuals have the legal right to access, rectify or (in defined circumstances) have erased the personal data that companies and other organisations hold about them. If your organisation receives a Subject Access Request (SAR), whether verbally or in writing, you get just one month to respond. That period can be extended by up to two further months for complex or numerous requests, but only if you tell the requester within the first month, and the clock keeps running while you search. Non-compliance carries financial and reputational penalties.
Dealing with SARs is potentially a major drain on internal resources, because personal data on individuals is typically spread across a bewildering number of documents, databases, file stores, cloud applications, offsite backups, paper-based records, email systems and archives, as well as across systems hosted by suppliers and partners.
If your organisation’s response to an inbound SAR is a more or less blind panic, followed by a desperate hunt through multiple systems, you need to address the challenge before it becomes overwhelming. At present, SARs are relatively rare; in the future, a major corporate data breach could see the emergence of service providers that automate the SARs process – along the lines of companies that handled PPI mis-selling claims on a no-win, no-fee basis.
How would your organisation cope if you started receiving hundreds or thousands of SARs every day?
How would your manual processes to find structured and unstructured data scale up to the challenge?
And how would you avoid releasing any information that should legally be withheld from the requester, such as personal data about third parties, or material covered by legal privilege or another statutory exemption?
There are two topics to address if you want to handle SARs efficiently and effectively: the data classification process and the SARs response processes. The first means making sure that you have an automated way to classify all data – structured and unstructured – so that you know systematically what data you hold and where it resides. This is no small task, but excellent packaged solutions are available that enable business users to set and enforce rules and policies for the ongoing discovery and classification of data.
The second topic – response processes – means putting in place a clear and controlled digital workflow to deliver accurate SARs responses within the prescribed deadline.
Drilling into the workflow, the key elements to cover are as follows:
The good news is that Northdoor has done the hard work so that you don’t have to. Our Subject Access Requests Solution provides a standardised framework for receiving requests through a user-friendly web portal, validating them, managing them centrally, handling deadline extensions where the regulation permits them, finding the required information (supported by a data classification solution) and securely returning the requested information to the applicant. What’s more, the low-cost Northdoor solution delivers business value within hours of deployment, by eliminating huge volumes of frustrating manual searches.
For more information on how Northdoor can help you classify your data and increase the speed and accuracy of SAR responses, contact us today.