7 minute read 15 Dec 2020
Man writing with laptop next to survey form

How to comply with data subject access requests

By Meribeth Banaschik

Ernst & Young – Germany Forensic & Integrity Services Partner

Attorney and former litigator. Provides talent and experience in eDiscovery solutions, managed document review, data protection compliance, disputes and contract management.

7 minute read 15 Dec 2020
Related topics Assurance Forensics Risk

The shift to a remote workforce makes a clear compliance strategy to fulfill data subject access requests (DSARs) more important than ever.

In brief
  • DSARs are becoming one of the most difficult aspects of data privacy compliance.
  • DSAR compliance depends on innovative workflow design and strategic use of technology.
  • Key performance indicators of a DSAR workflow are turnaround, cost, capacity and scalability.

Since 2018, organizations covered by the EU’s General Data Protection Regulation (GDPR) have had to disclose personal data upon request of the data subject or face harsh penalties. Besides the GDPR, more and more data protection and privacy laws, such as the California Consumer Privacy Act (CCPA) and Brazil’s General Data Protection Law (LGPD), are requiring organizations to identify personal data; disclose, correct or delete data upon request; and demonstrate regulatory compliance.

Organizations that fail to comply with relevant legislation face substantial fines, litigation and reputational damage that can cost customers.

The different data privacy regulations across the globe provide similar rights for individuals – including employees and customers – to access, correct or delete personal data held by an organization. Data subjects can also request information on how their data is processed, stored and shared. This article focuses on aspects of DSAR compliance programs that are applicable to most data privacy regulations, although for ease of discussion, we use the GDPR definitions of “data subject” and “data subject access requests (DSARs)” as general references.

A recent Gartner survey found that it costs an average of US$1,400 for organizations to manually process a DSAR, with most taking more than two weeks to respond.1 The most difficult aspects of processing DSARs involve locating personal data in an unstructured format, monitoring data protection practices of third parties and data minimization.2

The differences between the GDPR, CCPA and any other privacy regulation must be carefully addressed by legal counsel. Variances mean any workflows created for one regulation may require modifications to comply with another. Any organization that becomes subject to new privacy legislation should use the opportunity to assess whether existing processes can be revised to improve compliance, efficiency and cost-effectiveness.

Sharing data with third-party vendors

When an organization receives a request to delete personal data, the GDPR requires notification to all downstream parties that received or processed the subject’s personal information. Under the GDPR, data processors share responsibility for fulfilling requests with data controllers.

Processor due diligence is specifically outlined under Article 28 of the GDPR. To meet the accountability and responsibility requirements, controllers should regularly assess how vendors protect the personal data they receive. Both the GDPR and the CCPA require detailed written contracts between businesses and vendors that process data.

Automation and data analytics are increasingly being used to reduce the time and costs of third-party due diligence, while offering new risk and business insights.

DSAR workflow design

Building a standard methodology is critical for streamlining the process, meeting relevant regulatory and legal requirements, and engaging all stakeholders in an effective and efficient manner. Considering that the data privacy regulatory landscape is still fast evolving, a clearly defined workflow will enable the organization to stay agile and effectively respond to changing compliance requirements.

DSAR workflow diagram

When designing a DSAR workflow, there are some important performance indicators to consider:

  • Cost — is the financial and human resources required to fulfill a request. Businesses that calculate this only by the person-hour rate of the team processing requests may miss the opportunity losses incurred when diverting resources. Third-party billing must also be included.
  • Capacity — is the volume of requests a business can fulfill in the required time frame. Businesses that cannot address all requests within mandated deadlines face penalties and reputational damage.
  • Scalability — is the ability to address the global expansion of data privacy regulations, resulting in DSAR growth. Multinational organizations need to understand how a workflow that satisfies the regulatory requirements of one jurisdiction might also fulfill the requirements of another.

The differences between the GDPR, CCPA and any other privacy regulation must be carefully addressed by legal counsel. Variances mean any workflows created for one regulation may require modifications to comply with another.

One of the biggest challenges of creating an efficient DSAR workflow is coordination among various stakeholders, not just the legal and compliance function. The IT team will become increasingly critical as DSAR workflows require the support of various technologies and systems. Cybersecurity professionals need to provide input on data protection issues as personal data moves from secured storage to delivery. The client-facing functions can be an excellent resource for creating workflows that align with customer experience.

Companies often struggle with verifying the requestor’s identity, gathering data from multiple departments and siloed systems, and addressing legal issues related to disclosure. This means functions must work together to create a workflow, with each department taking ownership for its part of the process. For example, responding to employee data requests requires the compliance and legal functions to work closely with HR and business leaders to consider the rights of impacted coworkers and managers.

DSAR and data mapping

It is vital to gain a clear understanding of the personal data governed by relevant privacy legislation. Data maps align personal data to an organization’s information systems and provide a clear view of data sources that may be requested, including data kept by third parties. Organizations that know precisely where personal data is stored can better protect that information and apply appropriate retention and minimization policies.

Data mapping helps track data through its life cycle, from collection and processing to retention or removal. As personal data moves from one jurisdiction to another, it may be subject to different privacy regulations. Data mapping also helps to determine whether personal information is used or stored beyond its original, lawful purpose.

Storing identical personal data in various formats spread among different systems violates GDPR data minimization regulations and makes responding to DSARs more time-consuming and costly. When handling rectification or data deletion requests, good data governance is essential to confirm that data corrected or deleted in one system is automatically updated everywhere.

The fast-evolving privacy compliance landscape will likely require companies to tweak their DSAR program to take into account changing requirements and new regulations. Advanced tools, such as self-service privacy portals, AI-assisted automation and sophisticated case management, will increasingly become the norm.

Using technology to enhance a DSAR workflow

Many companies are retooling traditional electronic discovery tools and workflows used in document reviews for DSAR compliance because of their ability to handle unstructured data and address complex data processing requirements. Machine-learning algorithms can continually improve the ability to locate relevant data across multiple systems, reducing costs and increasing capacity. Investing in automation technologies can make the DSAR workflow more accurate and shift compliance professionals into higher-value tasks.

Self-service portal for DSAR intake and identity verification

A basic online DSAR intake tool doesn’t necessarily require complex technologies or skills to build. Implemented correctly, it can save resources, bring consistency and improve customer relationships. Strong identity verification is critical to make certain that data doesn’t fall into the wrong hands. There are also many ways to augment an intake tool using artificial intelligence (AI) and automation technologies. For example, an automated identity verification solution can compare scanned user documents and selfies against multiple public data sources.

Data redaction in review and processing

Data redaction tools are indispensable during DSAR review and processing. They help to reliably obfuscate or remove sensitive information unrelated to the data subject and prevent it from being shared.

Data encryption for secure delivery

The final step of the DSAR fulfillment process needs to be handled with appropriate security measures that minimize the risk of a data breach. Data encryption technologies are often used for safe transfer to the data subject.

Case management with audit trail

A robust case management tool is essential to enable all DSAR stakeholders to work together. It should take into consideration all the steps resulting from a DSAR, including how requests are collected, processed, reported and delivered. The case management tool should allow legal professionals to conduct reviews for relevancy, privilege and confidentiality; offer global accessibility; provide clearly defined key performance indicators; and include an audit trail that can stand up to regulatory scrutiny.

Whether or not a company has cross-border dealings, the fast-evolving privacy compliance landscape will likely require it to constantly tweak its DSAR program to take into account changing requirements and new regulations. Advanced tools, such as self-service privacy portals, AI-assisted automation and sophisticated case management, will increasingly become the norm for responding to requests.

This will help companies to lower costs, maintain regulatory compliance and satisfy a public that is increasingly placing a premium on privacy.

  • Show article references

    1. “Market Guide for Subject Rights Request Automation,” Gartner, www.gartner.com, 21 February 2020.
    2. “IAPP-EY Annual Privacy Governance Report 2019,” IAPP-EY, www.iapp.org, 2019.

Summary

Building an effective DSAR compliance program requires cross-functional collaboration, good data mapping, innovative workflow design and strategic use of technology.

About this article

By Meribeth Banaschik

Ernst & Young – Germany Forensic & Integrity Services Partner

Attorney and former litigator. Provides talent and experience in eDiscovery solutions, managed document review, data protection compliance, disputes and contract management.

Related topics Assurance Forensics Risk