Data Subject Access Requests (DSARs)
For over 10 years, Morae has supported the largest organisations and their legal advisors with Data Subject Access Requests (DSARs).
We help solve the challenges created by DSARs.
Read views from our UK Head of Managed Services on how DSARs will be impacted by COVID-19.
View our on-demand webinar to learn about practices for responding to increased DSAR volumes.
There are a host of challenges in finding an effective end-to-end solution, including:
Costs & Clarity
DSAR recipients report high levels of frustration with costs, driven by expensive resources and outdated commercial models. Pricing uncertainty is also a common pain point.
IT departments often struggle to locate and collect Personal Data that is unstructured and held across disparate systems.
Many providers do not use technology and workflow solutions to their full potential. Failure to do so makes DSARs more expensive, time-consuming and stressful than they need to be.
Some providers claim that technology alone can fully address the DSAR challenge. But the breadth, nuance and risk of GDPR require a combination of technical and manual workflows.
There is a one-calendar-month deadline, unless an extension is obtained. Without a bespoke DSAR solution, meeting this deadline can be problematic.
Morae’s DSAR solution is end-to-end. From planning to disclosure and everything in-between, our team of data privacy experts can support you in every respect.
Policy, Planning & Procedures
Morae will assist in preparing to respond to any DSAR by delivering a data impact assessment and data mapping, implementing intake technology, and ensuring ongoing compliance and support.
Data Sourcing, Searching, and Collection
We forensically collect content from the sources the DSAR pertains to. We can do this at scale and across any source, including iManage Work.
Data Processing for Review & Redaction
Morae deduplicates, deNISTs and processes data quickly into a workspace dedicated to your matter, with a bespoke DSAR module automatically deployed and optimised for Secure Remote Review.
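To show what the deduplication and deNIST steps above actually do, here is an added example (not Morae's code, and not tied to any particular processing platform). It hashes each collected file with SHA-256, drops anything whose hash appears in a known-file list (deNISTing, which in practice uses the NIST NSRL Reference Data Set; the "known" set here is constructed from sample content), and then keeps one copy per remaining hash. Every removal is returned alongside the surviving set so the reduction can be documented. The sample files, their names and contents are all constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large evidence files are not loaded into memory


def sha256_file(path):
    """Return the hex SHA-256 of a file; this digest is the identity used for both steps."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def denist_and_dedupe(paths, known_hashes):
    """Remove files whose hash is in the known-file set (deNIST), then keep one file per
    remaining hash (dedupe). Returns (kept, denisted, duplicates), each a list of
    (path, hash) tuples, so that every removal is logged and defensible."""
    kept, denisted, duplicates = [], [], []
    seen = {}
    for p in sorted(paths):  # deterministic: the first path in sort order survives
        digest = sha256_file(p)
        if digest in known_hashes:
            denisted.append((p, digest))
        elif digest in seen:
            duplicates.append((p, digest))
        else:
            seen[digest] = p
            kept.append((p, digest))
    return kept, denisted, duplicates


def build_sample_collection():
    """Constructed sample collection (assumption: not real evidence): a stand-in for an
    OS binary, an HR memo, a byte-identical copy of that memo, and an email.
    Returns (paths, known_hashes) where known_hashes plays the role of the NSRL set."""
    root = Path(tempfile.mkdtemp(prefix="dsar_"))
    system_bytes = b"constructed stand-in for an operating-system binary\n"
    memo_bytes = b"Subject: performance review for J. Smith\n"
    (root / "kernel32.dll").write_bytes(system_bytes)
    (root / "memo.txt").write_bytes(memo_bytes)
    (root / "memo_copy.txt").write_bytes(memo_bytes)
    (root / "email.eml").write_bytes(b"From: hr@example.test\nTo: j.smith@example.test\n")
    known_hashes = {hashlib.sha256(system_bytes).hexdigest()}
    return sorted(str(p) for p in root.iterdir()), known_hashes


if __name__ == "__main__":
    paths, known = build_sample_collection()
    kept, denisted, duplicates = denist_and_dedupe(paths, known)
    print(f"collected {len(paths)}, deNISTed {len(denisted)}, "
          f"duplicates {len(duplicates)}, for review {len(kept)}")
    for label, items in (("kept", kept), ("deNISTed", denisted), ("duplicate", duplicates)):
        for path, digest in items:
            print(f"{label:9} {digest[:12]}  {Path(path).name}")
```

Running the block on the constructed collection leaves two documents for review (the memo and the email), logs the system binary as deNISTed and the second memo as a duplicate. Real matters would compare against the full NSRL hash set and usually also apply email-threading and near-duplicate analysis, which this example does not attempt.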
DSAR-Specialised Project Management
Specialised project management for these engagements is critical to success. Our team works closely with yours to incorporate your preferences and ensure you are aware of progress. Morae Project Managers are experts in defensibly reducing DSAR data populations.
Personal Data Review
Morae will utilise the Relativity platform to deliver review of the personal data. The review will be performed by a data privacy review specialist. Tailored coding will be applied to each document to denote personal data status, redaction requirements, relevant issues, privileged status, etc.
During review, it is critical to avoid disclosing a third party's personal data, business-sensitive material or privileged material. Our team has multiple methods available to ensure quick, simple and defensible redaction across the reviewed content, working with the firm throughout.
Disclosure & Reporting
Communication at this point is critical. Also important is collating the final production set of redacted content, conversion to a chosen format and multilayer checks on substantive content. Our QA and controls will ensure the firm has total confidence in the outcome.
Engage Morae on an as-needed basis whenever an internal or external requirement arises
Partner with Morae to support all of your DSARs to achieve substantial cost savings, consistency and rigour
Have peace of mind knowing Morae is supporting your DSAR matters as required
Frequently Asked Questions & Insights
What is Personal Data?
GDPR defines Personal Data as any information that relates to a natural person who can be identified from the information held by an organisation, either directly or indirectly in combination with other information. Examples include: names, aliases and nicknames; addresses (including email addresses); telephone numbers; date of birth; identifying details, including online identifiers; HR, health or financial records; identification numbers; and expressions of opinion about the individual.
What is a DSAR?
The General Data Protection Regulation ("GDPR") grants a natural person (the "Data Subject") the right to obtain access to their Personal Data from an organisation. The purpose of this right is to help the Data Subject understand how and why the organisation is using their data.
What happens if we do not respond in time?
Failure to respond to a DSAR in a timely manner may result in a fine of up to €20m or 4% of annual global turnover, whichever is higher.
Who can make a DSAR?
A DSAR can be made by anyone seeking access to their own personal data, or to the information of another person if they are acting on behalf of that Data Subject. Usually the DSAR is made by an individual with a prior or current relationship to the organisation, for example current or former employees, clients, customers, suppliers and others.
Does a DSAR have to be made in a particular form?
No. GDPR does not specify how an individual must make a valid request for information. A subject access request can be written or verbal, and can be made to any part of your organisation, including by way of social media.
How long do we have to respond?
You have one calendar month to respond to a request. This is calculated from the date you received the request, whether or not that was a working day. You may extend the deadline by a further two months if the request is complex or if you have received a number of requests from the individual. However, recent ICO guidance regarding enforcement during the pandemic states: "We can't extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic."
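The "one calendar month from receipt" rule has edge cases that catch people out at month end, so here is an added example (not from Morae or the ICO) that computes the response date. It assumes the ICO's published approach as this editor understands it: the deadline is the corresponding date in the following month; if that month has no such date (a request received on 31 January), the deadline is the last day of that month; and if the resulting date falls on a weekend or public holiday, the deadline moves to the next working day. The holiday set passed in is constructed for the example and is not a real bank-holiday calendar.

```python
from datetime import date, timedelta


def add_calendar_months(received, months):
    """Corresponding date `months` later, clamped to the last day of the target month
    when the received day does not exist there (assumed ICO rule: 31 Jan -> 28/29 Feb)."""
    year = received.year + (received.month - 1 + months) // 12
    month = (received.month - 1 + months) % 12 + 1
    first_of_next = date(year + (month == 12), month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(received.day, last_day))


def next_working_day(d, holidays=frozenset()):
    """Roll a deadline forward past Saturdays, Sundays and any supplied public holidays
    (assumed ICO rule); a deadline already on a working day is returned unchanged."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def dsar_deadline(received, extended=False, holidays=frozenset()):
    """Statutory response date for a DSAR received on `received`.
    One calendar month by default; three in total when the two-month extension applies.
    `received` counts whether or not it was a working day, as the page states."""
    months = 3 if extended else 1
    return next_working_day(add_calendar_months(received, months), holidays)


if __name__ == "__main__":
    # Constructed holiday set: Christmas Day 2020 and the substitute day for Boxing Day.
    uk_hols_2020 = frozenset({date(2020, 12, 25), date(2020, 12, 28)})
    for received, extended in [(date(2020, 3, 15), False), (date(2020, 1, 31), False),
                               (date(2020, 1, 31), True), (date(2020, 11, 25), False)]:
        print(received, "extended" if extended else "standard",
              "->", dsar_deadline(received, extended, uk_hols_2020))
```

The example deliberately counts from the day of receipt rather than the day after, matching the text above; a request received on Sunday 15 March 2020 is due Wednesday 15 April. Teams that track deadlines in a spreadsheet should check the 31-January and 29-February cases specifically, as naive "add 30 days" arithmetic gives a different date.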
Do we need to review the data before disclosing it?
Yes. Consider whether there is a business requirement to analyse and redact the data prior to disclosure. If, in the course of responding to a DSAR, an organisation discloses a third party's personal data, privileged content or business-sensitive information, this could constitute a data breach or a waiver of legal privilege, or may compromise other important business interests.
How do we verify the identity of the requester?
Verification involves confirming that the Data Subject is who they say they are, or that the individual making the request is entitled to the requested information. This can be done in several ways, including by requesting UK government-approved forms of identification, carrying out a phone conversation with the Data Subject and asking questions only they would be able to answer, or by receiving a power of attorney or written authority to act on behalf of the Data Subject.
Are all DSARs the same?
Not per se, but in our experience data volumes and risk vary greatly across two common "types" of DSAR requester: (1) customers and (2) former employees or contractors.
How much data does a DSAR involve?
As a starting point, we have seen DSARs that return hundreds of documents and DSARs that return hundreds of thousands of documents. Much of this depends on the DSAR "type" as well as any scoping that is agreed with the Data Subject. Defensible data reduction is a key element of the overall end-to-end DSAR process.
Where is Personal Data held?
Given the breadth of the GDPR definition of Personal Data, it can be held in structured formats such as client folders and management systems, or in unstructured formats such as emails, chats and shared workspaces.
Can technology solve the DSAR challenge?
Yes, in part. Technology can carry out various steps (intake, validation, data mapping, collection) and can enhance efficiency in others (identifying Personal Data, performing redactions). Be wary of any false promises of automated, "button-click" solutions. The nuances of DSARs require a combination of workflow and technology.
What about high-volume DSARs?
For DSARs that initially return high volumes of data and require a team to perform analysis, it is critical to find a provider whose review platform supports secure, remote delivery.
How should the response be delivered?
When sending out a response, GDPR requires that the information is provided in a concise, transparent, intelligible and easily accessible form that the individual can understand. Recital 63 of GDPR further suggests that, where possible, the controller should be able to provide remote access to a secure system through which the Data Subject can view their personal data.