Blog  •  October 05, 2021

Start the Conversation

Honeypot Field to Catch Bots
Honeypot Field to Catch Bots

The Clock is Ticking: Getting on top of DSAR Requests

Guardum is now Data Protect Solutions.

Ask anyone responsible for Data Subject Access Requests (DSARs) and they will tell you their biggest challenge is responding to them in time. And no wonder. Searching through vast amounts of information sources to locate and extract the data specific to the subject, while responding within the statutory 1 month, is a race against the clock. Failure means having to ask for an extension or suffer the prospect of penalties imposed by the regulator.

Find the data, wherever it is

Once the identity of the requester and their right to the information has been verified, the search for anything relating to them begins. Often this can be like looking for a needle in a haystack as their data could be in any of the files or documents an organization holds, both digital and physical. This could be letters, emails, application forms, subscriptions, or transcripts of any telephone conversations. Also, the chances are that this is scattered in various locations such as on-premises servers, in the cloud, or even a good old-fashioned filing cabinet.

Then there is the fact that very few of these documents are going to be mapped as containing information about the data subject. This means that information could be missed, which will not go down well with the requester (especially if they already hold the information being sought, which is a common tactic) or the regulator when they find out. This can result in legal action.

Once the data has been collected, any personal or sensitive information not connected to the data subject needs to be redacted or anonymized which is a hugely time-consuming process if you are not using the right tools. 

Preparation is key

Gathering all this information manually, then redacting it, takes a large number of employee hours. To respond in time, some organizations throw additional manpower at the problem with one in five organizations estimating DSARs cost them up to $33,000 (approximately €28,000). Also, there is the possibility that the data provided will be incomplete.

To save time, stress and money, organizations need to put in place systems that enable them to quickly find sensitive information held in both structured and unstructured formats, wherever it is located. Data Protect Solutions by DFIN can do this by scanning all data for personal information as soon as it hits the system, a solution that is especially effective across unstructured and difficult to process file types. This also applies to hard copies of data which, thanks to partner solutions, can be digitized and brought into a common environment for searching and classification. 

With these processes in place, finding specific details about a data subject can happen automatically with the push of a few buttons. Data Protect Solutions can also automatically redact any information so that this information is protected. All that is needed is a review of which data have been extracted to confirm redaction or anonymization is correct and then this can be sent to the requester.

When it comes to sending the relevant information to the requester, an organization has to include a report justifying its actions. However, many organizations are not doing this and in the event of a complaint, Data Processing Officers (DPOs) have to go back through their files to see why they sent out the information they did.

DSAR by DFIN, in contrast, allows annotation notes to be created at the page, document, and phrase-level to record why the information was redacted or not while creating reports and highlighted copies of the documents. This enables DPOs to step back into a DSAR far more quickly and efficiently than any manual process.

With DFIN's DSAR software, completing a DSAR is quick and simple, freeing up valuable time and resources. While the clock is ticking, the 30-day deadline is no longer a race against time.

Darren Wray

DFIN