Handling DSARs – Getting to Grips with Personal Data

Personal data oils the machinery of our modern online lives. But as time has passed, our relationships with online services, mobile devices, and other data hungry systems have matured. To reflect this, regulations are designed to enforce privacy-enhanced personal data control using data subject rights. These rights are reflected in regulations such as the EU’s General Data Protection Regulation (GDPR) and are increasingly included in other regulations across the world such as the California Consumer Privacy Act (CCPA).

One such data right that has far-reaching implications is the ‘right of access’ to personal data. This right is instituted using a process known as a ‘Data Subject Access Request’ or DSAR. But do your DSAR processes and procedures enable you to locate personal data across multiple devices, datastores, and apps to fully accommodate the right?

What is the ‘right of access’?

The right to access data is encapsulated in recital 63 of the GDPR, which states:

“A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”

A data subject, that is, a person covered by the GDPR has a fundamental right to access any data held about them. Without access to personal data, a data subject would not be able to use other data rights under GDPR, such as the ‘right to erasure’ or the ‘right to rectification’.

What is a DSAR and how does it work?

A ‘Data Subject Access Request’ or DSAR, acts as the medium to provide a data subject with access to their personal data. It is a vital tool in the application of the GDPR.

When an individual (data subject) requests access to their data, the DSAR process kicks off and the company handling the request has 30 days to process it.

But what does this mean in reality?  The right to access is a fundamental right that provides the rails for other rights. As such, it requires data diligence, which in a hyper-connected complex world of data is not easy. A DSAR is enacted using a process. The steps of which typically encompass the following stages following a request:

Stage 1: Record the DSAR in a DSAR log

Stage 2: Verify the requester’s identity. This should include a check of that person’s rights to the information requested. You should also identify any derogations.

Stage 3: Direct the request to the correct business area/function

Stage 4: Collect the information together to deliver the right, e.g. electronic records, 3^rd party processors, etc.

Stage 5: Review the requested data but protect any other individual’s personal data that may be available in the records by using a redaction tool or conducting a manual redaction.

Stage 6: Respond by sharing the data with the requester and add the task to the DSAR log.

What data does the right to access cover?

Personal data covers a wide remit under GDPR and other similar regulations. This wide remit creates one of the difficulties in delivering on a DSAR. GDPR does not specifically set out what personal data is. Instead, the GDPR has a broad definition of personal data, and includes ‘special categories’.  The GDPR under Article 4 defines personal data as:

“‘personal data’ means any information relating to an identified or identifiable natural person “

The GDPR does give examples, but they are just that, examples:

• Name
• Address
• Age
• identification number
• location data
• an online identifier, e.g., IP address or cookie identifier

And then there are ‘special categories’; the UK’s Information Commissars Office (ICO) lists these as:

• Race
• Ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data (where this is used for identification purposes)
• Health data
• Sex life
• Sexual orientation

Article 15 of the GDPR sets out what must be provided when a DSAR request is made, this includes:

1. the purposes of the processing;
2. the categories of personal data concerned;
3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
6. the right to lodge a complaint with a supervisory authority;
7. where the personal data are not collected from the data subject, any available information as to their source;
8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 

 As can be seen, a right of access request is a lot more than just giving a user a list of data. A DSAR is about context too. How is that data processed and why, are important contextual aspects of fulfilling a DSAR.

Managing the DSAR process

The enactment of the GDPR has also meant that consumers are increasingly aware of their data rights under the regulation. As a result, DSARs are increasingly common. The UK’s ICO reported in their 2019/20 Annual Report that they dealt with 39,000 complaints from the public and the number of contacts from the public since the launch of GDPR has increased by 70%. The public knows their rights and wishes to implement those rights and a DSAR is the first step in doing so.

Successful compliance with the right to access is about managing the process lifecycle of a DSAR. There are many moving parts, from ID verification (GDPR Recital 64), scalability/accessibility of access, and management of volumes. One of the core challenges in dealing with a DSAR is simply finding the personal data requested. As shown above, this is a wide remit and is also contextual. This latter element adding a layer of complexity to the location and management of these data. Data visibility is a known issue across industry, adding context and this creates clarity issues. Key challenges in achieving DSAR compliance include:

• Contextual data
• Linking data to an individual
• Scalability across multiple apps and data stores
• Volume handling of DSAR

Case study: SCL Elections Limited (company)

An ICO enforcement notice on SCL Elections Limited is an interesting read. It points out the types of data not included in the DSAR. The case started when an individual complained about the company’s response to their request for data access, believing that not all his data or how it was used, was disclosed. The commissioner ruled in the complainant’s favour and set out a series of reparations that must be made by the company:

• A description of the personal data processed by the data controller about the complainant;
• a description of the purposes for which that data are being processed;
• a description of the recipients or classes of recipients to whom the data are or may be disclosed;
• copies of the information constituting personal data about the complainant in an intelligible form in accordance with the requirements of section 7 of the DPA and the Sixth Data Protection Principle, subject only to the proper consideration and application of any exemption from, or 10 modification to, section 7 of the DPA provided for in or by virtue of Part IV of the DPA which may apply; and
• a description as to the source of that personal data.

Technological help in handling a DSAR

Meeting the requirement of a DSAR is complex, takes time, and can result in fines and loss of customer trust if not adhered to correctly. Technology can lend a helping hand in meeting a DSAR in the 30-days required. There are two key areas where technology can play a key part in DSAR execution:

1. Discovery of Personally Identifiable Information (PII) – a needle in a haystack

One of the biggest challenges in quickly and effectively meeting a DSAR is in gathering, locating, and discovering personal data. Analysis can frequently run to millions of lines of data, hundreds of thousands of emails, etc. Manual searches are not a viable option and compliance is at risk if this task is not automated. Systems such as the Savannah eDiscovery and Redaction platform, Savannah can be used to discover Personal and Special Category Data and then map this against GDPR exposure across the entire electronic estate of an organization. This can then be used to map to a data subject and apply effective redaction.

2. Redaction – closing the loop on data exposure

When personal data is located, it may be associated with the data of other individuals. It is vital to close off any possible personal data exposure by using redaction technology. Once data is located, Regulatory Technology (RegTech) platforms can redact third party personal data.

However, technology alone cannot ensure compliance with a DSAR is met. The lifecycle challenges require oversight by an expert such as a Data Protection Officer (DPO). The most powerful combination is always a qualified individual leveraging advanced RegTech, such as through the JSIG DSAR-as-a-Service

Perfecting the DSAR process

Getting a DSAR right and meeting the requirements of complex regulations like the GDPR is about creating and defining a DSAR process. Having to meet regulatory compliance is not easy for any organisation and can distract from core business activities. However, Data Subjects must be able to exercise their rights. Privacy regulations are rapidly being enacted across the world, with the US, for example, looking to harmonise its approach with a Federal Privacy Regulation. With these regulations comes the fundamental right to access personal data. A DSAR can be requested by anyone wanting to access their data and without giving any reason. Relatives, guardians, and other legal representatives can also request one. The volumes and scalability of handling mass numbers of DSARs have become a burden that is alleviated using technology. By applying due process, designed to meet a DSAR, a business can continue its core operations whilst confidently meeting its compliance obligations.