Data subject access request
A Cost-Effective, Technology Enhanced Solution
Read views from our UK Head of Managed Services on how DSARs will be impacted by COVID19
There are a host of challenges in finding an effective end to end solution, including:
- Costs & Clarity
DSAR recipients report high levels of frustration with costs, resulting from expensive resources and outdated commercial models. Pricing uncertainty is also a common pain point.
IT Departments will often struggle to locate and collect Personal Data which is unstructured and from disparate systems.
- Manual Workflows
Many providers often do not leverage technology and workflow solutions to their fullest potential. Failure to do so makes DSARs more expensive, time consuming, and stressful than they need to be.
- “Silver Bullet”
Some providers may claim technology alone can fully address the DSAR challenge. But the breadth, nuance, and risk of GDPR require a combination of technical and manual workflows.
There is a 30-day deadline, unless an extension is obtained. Without a bespoke DSAR solution, meeting this deadline can be problematic.
Morae’s DSAR solution is end-to-end. From planning to disclosure and everything in-between, our team of data privacy experts can support you in every respect.
|Policy, Planning & Procedures Morae will assist in preparing to respond to any DSAR request, delivering a data impact assessment, data mapping, implementing intake technology, and ensuring ongoing compliance and support.|
|Data Sourcing, Searching, and Collection Forensically collect the content from the relevant sources the DSAR pertains to. We can do this at scale and across any source including iManage Work.|
|Data Processing for Review & Redaction Morae deduplicates, deNISTs and processes data quickly into a workspace dedicated to your matter with a bespoke DSAR module automatically deployed, and optimized for Secure Remote Review.|
|DSAR-Specialised Project Management Specialised project management for these engagements is critical to success. Our team works closely with yours to incorporate your preferences and ensure you are aware of progress. Morae Project Managers are experts in defensibly reducing DSAR data populations.|
|Personal Data Review Morae will utilise the Relativity platform to deliver review of the personal data. The review will be performed by a data privacy review specialist. Tailored coding will be used against each document to denote personal data status, redaction requirements, relevant issues, privileged status, etc.|
|Redaction During review, it is critical to avoid disclosing a third party’s personal data, business sensitive or privileged material. Our team has multiple methods available to ensure quick, simple and defensible redaction across the reviewed content, working with the firm throughout.|
|Disclosure & Reporting Communication at this point is critical. Also important is collating the final production set of redacted content, conversion to a chosen format and multilayer checks on substantive content. Our QA and controls will ensure the firm has total confidence in the outcome.|
Engage Morae on an as-needed basis whenever an internal or external requirement arises
Partner with Morae to support all of your DSARs to achieve substantial cost savings, consistency and rigour
Have peace of mind knowing Morae is supporting your DSAR matters as required
Frequently Asked Questions & Insights
What is considered Personal Data?
GDPR defines Personal Data as any information that relates to a natural person who can be identified from the information held by an organisation, either directly or indirectly in combination with other information. Examples include: name, aliases, nicknames, addresses (incl. emails), telephone numbers, date of birth; Identifying details including online identifiers; HR, Health or Financial Records; Identifications numbers; or Expressions of opinion about the individual.
What is a Data Subject Access Request (“DSAR”)?
General Data Protection Regulation (“GDPR”) grants a natural person (“Data Subject”), the right to obtain access to their Personal Data from an organisation. The purpose of this right is to help the Data Subject understand how and why the organisation is using their data.
Do I have to comply with the DSAR?
Failure to respond to a DSAR in a timely manner may result in a fine of up to €20m or 4% of annual global turnover, whichever is higher.
Who can submit a DSAR and to whom?
This can be made by anyone regarding access their own personal data, or the information of another if they are acting on behalf of that Data Subject. Usually the DSAR is made by an individual with a prior or current relationship to the organisation, for example current or former employees, clients, customers, suppliers, and others.
Does the Data Subject have to use a specified medium to submit a DSAR?
No, GDPR does not specify how an individual can make a valid request for information. A subject access request can be written or made verbally, and can be made to any part of your organisation, including by way of social media.
How long do I have to respond?
You have one calendar month to respond to a request. This should be calculated from the date you received the request (working day or not). One may request an extension by a further two months if the request is complex or numerous. However, recent ICO guidance regarding enforcement during the pandemic states: ‘We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.’
Once I find a Data Subject’s Personal Data, is there anything I should do before disclosing to the Data Subject?
Yes, consider whether there is a business requirement to analyse and redact the data prior to disclosure. If during the course of responding to a DSAR, an organisation provides a third party’s personal data, privileged content, or business-sensitive information, this could be considered a data breach, waiver of attorney-client privilege, or may compromise other important business interests.
How do you verify the Data Subject?
Verification involves confirming that the Data Subject is who they say they are, or that the individual is entitled to the requested information. This can be done in several ways, including by requesting UK government-approved forms of identity, carrying out a phone conversation with the Data Subject and asking questions only they would be able to answer, or by receiving a power of attorney / written authority to act on behalf of the Data Subject.
Are there DSAR types?
Not per se but, in our experience, data volumes and risk vary greatly across two common “types” of DSAR Requestors: (1) customers and (2) former employees/contractors.
How much data should I expect for a DSAR
As a starting point, we have seen DSARs that return hundreds of documents or hundreds of thousands of documents. Much of this will depend on the DSAR “type” as well as any scoping that is performed with the Data Subject. Defensible data reduction is a key element of the overall DSAR end-to-end process.
Where can I find data for a DSAR?
Given the breadth of the GDPR definition of Personal Data, it is possible for Personal Data to be held in a structured format such as client folders and management systems, or in unstructured formats like emails, chats, and shared workspaces.
Is there technology that can help with DSARs?
Yes, technology can facilitate various steps (intake, validation, data mapping, collection) and can enhance efficiency in others (identifying Personal Data, performing redactions). Be wary of any false promises of automated, “button-click” solutions. The nuances of DSARs require a combination of workflow and technology.
How do I perform DSAR analysis on large volumes remotely?
For DSARs that initially return high volumes of data and require a team to perform analysis, it is critical to find a provider with a secure and remote delivery capable solution.
What does a DSAR response look like?
When sending out a response, the GDPR requires that the information is provided in a concise, intelligible, transparent, and easily accessible form that is understandable by the individual. The GDPR further suggests that the information should be delivered through a secure portal.