Data Subject Access Requests (DSARs)
For over 10 years, Morae has supported the largest organisations and their legal advisors with Data Subject Access Requests (DSARs). We help solve the challenges created by DSARs.
Read views from our UK Head of Managed Services on how DSARs will be impacted by COVID-19
View our On-Demand Webinar to learn about practices in responding to increased DSAR volumes
There are a host of challenges in finding an effective end to end solution, including:
DSAR recipients report high levels of frustration with costs, resulting from expensive resources and outdated commercial models. Pricing uncertainty is also a common pain point.
IT Departments will often struggle to locate and collect Personal Data which is unstructured and from disparate systems.
Many providers often do not leverage technology and workflow solutions to their fullest potential. Failure to do so makes DSARs more expensive, time consuming, and stressful than they need to be.
Some providers may claim technology alone can fully address the DSAR challenge. But the breadth, nuance, and risk of GDPR require a combination of technical and manual workflows.
There is a 30-day deadline, unless an extension is obtained. Without a bespoke DSAR solution, meeting this deadline can be problematic.
Morae’s DSAR solution is end-to-end. From planning to disclosure and everything in-between, our team of data privacy experts can support you in every respect.
Engage Morae on an as-needed basis whenever an internal or external requirement arises
Partner with Morae to support all of your DSARs to achieve substantial cost savings, consistency and rigour
Have peace of mind knowing Morae is supporting your DSAR matters as required
GDPR defines Personal Data as any information that relates to a natural person who can be identified from the information held by an organisation, either directly or indirectly in combination with other information. Examples include: name, aliases, nicknames, addresses (incl. emails), telephone numbers, date of birth; identifying details including online identifiers; HR, health or financial records; identification numbers; or expressions of opinion about the individual.
General Data Protection Regulation (“GDPR”) grants a natural person (“Data Subject”) the right to obtain access to their Personal Data from an organisation. The purpose of this right is to help the Data Subject understand how and why the organisation is using their data.
Failure to respond to a DSAR in a timely manner may result in a fine of up to €20m or 4% of annual global turnover, whichever is higher.
This can be made by anyone regarding access to their own personal data, or the information of another if they are acting on behalf of that Data Subject. Usually the DSAR is made by an individual with a prior or current relationship to the organisation, for example current or former employees, clients, customers, suppliers, and others.
No, GDPR does not specify how an individual can make a valid request for information. A subject access request can be written or made verbally, and can be made to any part of your organisation, including by way of social media.
You have one calendar month to respond to a request. This should be calculated from the date you received the request (working day or not). One may request an extension by a further two months if the request is complex or numerous. However, recent ICO guidance regarding enforcement during the pandemic states: ‘We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.’
Yes, consider whether there is a business requirement to analyse and redact the data prior to disclosure. If during the course of responding to a DSAR, an organisation provides a third party’s personal data, privileged content, or business-sensitive information, this could be considered a data breach, waiver of attorney-client privilege, or may compromise other important business interests.
Verification involves confirming that the Data Subject is who they say they are, or that the individual is entitled to the requested information. This can be done in several ways, including by requesting UK government-approved forms of identity, carrying out a phone conversation with the Data Subject and asking questions only they would be able to answer, or by receiving a power of attorney / written authority to act on behalf of the Data Subject.
Not per se but, in our experience, data volumes and risk vary greatly across two common “types” of DSAR Requestors: (1) customers and (2) former employees/contractors.
As a starting point, we have seen DSARs that return hundreds of documents or hundreds of thousands of documents. Much of this will depend on the DSAR “type” as well as any scoping that is performed with the Data Subject. Defensible data reduction is a key element of the overall DSAR end-to-end process.
Given the breadth of the GDPR definition of Personal Data, it is possible for Personal Data to be held in a structured format such as client folders and management systems, or in unstructured formats like emails, chats, and shared workspaces.
Yes, technology can facilitate various steps (intake, validation, data mapping, collection) and can enhance efficiency in others (identifying Personal Data, performing redactions). Be wary of any false promises of automated, “button-click” solutions. The nuances of DSARs require a combination of workflow and technology.
For DSARs that initially return high volumes of data and require a team to perform analysis, it is critical to find a provider with a secure solution capable of remote delivery.
When sending out a response, the GDPR requires that the information is provided in a concise, intelligible, transparent, and easily accessible form that is understandable by the individual. The GDPR further suggests that the information should be delivered through a secure portal.
Get in touch with us to learn more.
More Discovery Solutions
Audio.IQ is our proprietary audio analytics solution that recognizes patterns, discovers links, and ultimately decodes your audio information.
Morae developed the Chat.IQ parser to address our financial services client needs to parse Bloomberg Chat and email data.
Cyber Solutions – Data Breach Response
Morae can help you meet your obligations for cyber breach response with a powerful combination of AI and machine learning technology coupled with a deep and highly scalable bench of experienced cyber reviewers.
Morae offers a defensible solution to the complex process of data migration. Our data migration experts boast a long history of success in migrating massive volumes of data for the world’s largest companies from a wide variety of platforms into our low-cost, RelativityOne or Relativity, ISO-certified on-prem environments.
RelativityOne Partner of Record
Our playbook enables you to be efficient and effective in delivery and costs. End-to-end best practice guidance across the Electronic Discovery Reference Model (EDRM), presently in use by global corporates having significant litigation and investigation portfolios, internal and external governance, and Morae as a cost-effective extension of their teams.
Secure Remote Review
Document review, in the context of litigations and investigations, has traditionally taken place within secure review centers. COVID-19 compels us all to adapt to extraordinary circumstances.
eDiscovery / eDisclosure Advisory Services
Improving the speed and reducing the cost of information and discovery management are our passion. We deploy strategies using AI alongside more traditional technologies, resulting in cost-effective solutions and optimum performance.
eDiscovery Managed Services
Processing, hosting and review for responsiveness are just table stakes. We help you get to end results, which means understanding the data and uncovering the facts.
Leveraging AI and TAR, we deploy advanced analytics and predictive modeling to get to relevant information faster.
Our four-step approach to review leverages technology and subject matter expertise.