Seven Considerations When Preparing for GDPR DSARs

Is the board listening? We all know that GDPR will be enforced from 25^th May 2018, but is your board aware of their new privacy obligations? While there is substantial GDPR coverage in the technical press, has the message got through to senior management?  Are their preparations adequate?

Get Ready - ICO announces communication plan - In January, during the ICO hosted webinar ‘Personal data and the GDPR – building consumers trust and confidence’ a spokesman said that later this year, on 8^th April, the ICO will announce their key communication messages ‘that help bring the GDPR to life in a practical and proportionate way to UK citizens ‘.  So like it or not, public awareness of their rights and freedoms is starting soon. 

Data Subject Access Request (DSAR)– one of the privacy obligations that management will need to provide for, is the obligation to allow  data subjects access to their personal data. The GDPR states that the reason for this obligation is ‘in order to be aware of, and verify the lawfulness of the processing’ (Recital 63).

What’s new with DSAR’s versus SAR? There are 3 key changes between the existing Subject Access Request of the Data Protection Act and GDPR DSAR. These are

• Administrative charges are dropped. Currently a organisation can typically charge £10. With GDPR, this is no longer the case although the ICO advises ’ that you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive’
• The ICO advises that ‘information must be provided without delay and at the latest within one month of receiving the request.
• If the data subject requests the information in a electronic form it must be done so.

Factors Driving the Demand for DSAR’s & Areas of Management Concern

Supervisory Authorities across Europe will be highlighting new privacy rights – these awareness communication programmes targeted at EU citizens (such as the UK ICO’s mentioned above) will undoubtedly lead to increased demand for DSAR handling.

Fee’s for DSAR are dropped- the absence of any fee’s on the data subject’s part  may prompt some citizens to submit DSAR’s whenever they are disgruntled with an organisation. This may create administrative pressures which may be burdensome and may make meeting the 30 day processing requirement unachievable.

DSAR volumes may be difficult to predict- the number of DSARs will be hard to forecast. If volumes are substantially higher than the current SAR requests additional resources will be required

Avoiding Administrative fines by Supervisory Authorities – If DSARs are late or incorrect,  the data subjects will have the right to approach the Supervisory Authority to complain. Depending upon the circumstances this may initiate an administrative fine.

Permission for’ Class like’ actions’ – it will be possible for data subjects to work together on a joint action.

Getting ready for GDPR DSAR Handling

Organisation’s  should consider the following when setting up their DSAR processes:

• Define roles & responsibility – make sure everyone in the organisation knows how to play their part in the DSAR process and ensure your data protection officer (or legal champion) is kept informed of the receipt and progress of DSAR handling
• Establish policies & procedures – review and revise existing policies and procedures to establish an efficient process for handling DSAR requests which includes the search element.

• Minimise personal data held – wherever possible securely erase personal information (in line with your data retention policy) that is no longer required by the organisation

• Understand what personal data is held and processed – As part of the GDPR preparations make sure the organisation’s data catalogue is accurate and up-to-date so that you understand what personal data is held and processed for your data subjects

• Validate existing personal data held- confirm that the logical data catalogue (as prepared by staff) is correct. For organisations with large amounts of data in their possession, this is best undertaken using electronic search technology.

• Train staff – Staff need to be able to identify potential DSAR’s and understand what their role & obligations are with regards to the response.

• Consider efficiency measures to improve DSAR responses and make your GDPR programme sustainable– organisations may want to explore the assistive technologies to improve their GDPR & DSAR preparedness. These will include:

1. Workflow planning to automate and report on the progress and history of DSARs.
2. eDiscovery technology that incorporates machine learning to boost response times and accuracy of DSAR responses.
3. earning to ensure staff are trained in DSAR handling.
4. Policy & procedure engine to ensure staff have access to current documentation.
5. The use of Governance, Risk & Compliance (GRC) technology to integrate items 1 to 4 above so that the organisation has a accurate DSAR dashboard, with good record keeping and a effective internal GDPR communication process to keep all stakeholders aware so that DSAR’s can be delivered on time or highlighted for escalation when they are slipping behind.

GRC-ISMS Plus

DLP Assured Ltd are specialists in governance, risk and compliance having worked in the industry for decades. If you have concerns about your adherance to the GDPR and your ability to conduct DSARs, take a look at GRC-ISMS Plus. GRC-ISMS plus is a cloud based Governance, Risk and Compliance system that is designed to help staff engage with an organisation’s information governance programme. The system provides a range of services to automate and simplify governance tasks.