Don’t panic: A practical guide to handling Data Subject Access Requests

13th September 2019 | Blog


Now, where did I put that…?

In this blog post, Northdoor explains how the number and variety of systems in the typical organisation can make it extremely challenging to respond to Data Subject Access Requests (DSARs) within the time-limits set by the GDPR. By introducing automated data classification and by using Northdoor’s web-based DSARs response solution, organisations can save significant time and effort while reducing their risk of non-compliance.


Even in organisations that set very high standards for data governance, the sheer number of systems makes it possible to overlook data. For those of us who work in more typical organisations, where rules on data classification may be a little more flexible, and where business users may occasionally slip below the corporate radar, the data we’re looking for can seem like the proverbial needle in the haystack.

Not being able to find a relevant email or document is certainly annoying, and it could occasionally mean the difference between closing a sale and losing out to a competitor. But when it comes to compliance with data-protection legislation, improperly governed data represents a far more significant risk. Under the General Data Protection Regulation (GDPR), individuals have the legal right to access, amend or delete personal data held by companies and other organisations. If your organisation receives a Data Subject Access Request (DSAR) verbally or in writing, you get just one month to respond – with financial and reputational penalties for non-compliance.

Rising tide of DSARs

Dealing with DSARs is potentially a major drain on internal resources, because personally identifiable data on individuals is typically spread across a bewildering number of documents, databases, file stores, cloud applications, offsite backups, paper-based records, email systems, and archives, as well as in systems hosted by suppliers and partners.

If your organisation’s response to an inbound DSAR is a more or less blind panic, followed by a desperate hunt through multiple systems, you need to address the challenge before it becomes overwhelming. At present, DSARs are relatively rare; in the future, a major corporate data breach could see the emergence of service providers that automate the DSARs process – along the lines of companies that handled PPI mis-selling claims on a no-win, no-fee basis.

How would your organisation cope if you started receiving hundreds or thousands of DSARs every day?
How would your manual processes to find structured and unstructured data scale up to the challenge?
And how would you avoid releasing any information that should legally be withheld from the requester?

The right response

There are two topics to address if you want to handle DSARs efficiently and effectively: the data classification process and the DSARs response processes. The first means making sure that you have an automated way to classify all data – structured and unstructured – so that you know systematically what data you hold and where it resides. This is no small task, but excellent packaged solutions are available that enable business users to set and enforce rules and policies for the ongoing discovery and classification of data.

The second topic – response processes – means putting in place a clear and controlled digital workflow to deliver accurate DSARs responses within the prescribed deadline.

Drilling into the workflow, the key elements to cover are as follows:

  • identify the incoming DSAR (which could come from many sources, including social media)
  • establish the response timeline (for complex cases, it may be possible to extend the normal deadline)
  • identify and gather the relevant data (including potentially clarifying the request with the submitter of the DSAR)
  • remove any data that should be withheld (for example, information concerning another individual)
  • finalise and send the response (including the legal basis for holding/processing the data and other details).

The good news is that Northdoor has done the hard work so that you don’t have to. Our Data Subject Access Requests Solution provides a standardised framework for receiving requests through a user-friendly web portal, validating them, managing them centrally, automatically applying for extensions where appropriate, finding the required information (supported by a data classification solution) and securely returning the requested information to the applicant. What’s more, the low-cost Northdoor solution delivers business value within hours of deployment, by eliminating huge volumes of frustrating manual searches.

For more information on how Northdoor can help you classify your data and increase the speed and accuracy of DSARs responses, contact us today.
