Even outside of the current pandemic, Data Subject Access Requests (DSARs) can seem an administrative burden on any business and a drain on the DPO’s already stretched resources. Whilst the Information Commissioner’s Office has acknowledged that its regulatory programme is taking a pragmatic approach during the COVID-19 outbreak, it has still stressed that compliance with the GDPR (including responding to DSARs) should not take a back seat.
Unfortunately, our experience is that, even with the best intentions, this is not occurring across the board, with many DSARs remaining unanswered and some Data Controllers automatically initiating the two month extension without properly evaluating the complexity of the request first.
In this article we look at a number of tools which could be utilised to prevent DSARs gathering dust in the “to do” pile and help to manage your compliance risk during the outbreak and after normality returns to your business.
Seek clarification
You are entitled to ask individuals to specify the data or processing activities to which their request relates. However, you are not allowed to demand that they limit or narrow the scope of their request. In asking a requester to define their request, they could provide information which helps you identify the exact information they are looking for, almost a “help me to help you” approach. Whilst some requesters may still want to see ‘everything’ about them, others will be equally grateful to receive a targeted response which allows them to focus upon the parts of their disclosure which are crucial to them. You should be mindful that taking this approach will still require you to respond to their request within one month, unless it is complex.
Robust Records Management processes
For those of you actively involved in disclosure requests for litigation or under Freedom of Information legislation, you will recognise the importance of having strong e-discovery processes. The same is applicable in respect of DSARs and all data retrieval should be a seamless exercise. Data should primarily be stored in structured forms on your key line of business systems (i.e. CRM, HR, Finance systems etc). Unstructured data or storage (i.e. file servers, local storage on personal devices etc.) should be avoided. The business should be able to easily locate information about an individual, a certain matter or a transaction. Time lost (and costs incurred) trying to source records in connection with responding to requests could be used as an incentive for business change.
Planning your resources and delegation
By their volume and complex nature, DSARs will take time away from the DPO, diverting their focus away from their core tasks. Businesses need to recognise that DPOs need resources to fulfil their tasks and should not regularly be diverted to activity which stops them from achieving this. This can be addressed in a number of ways, either by:
One potential approach you may wish to consider is triaging DSARs based upon the risks to other Data Subjects, to you as the Data Controller and to other stakeholders (such as law enforcement agencies). There is no reason why those requests that pose limited or no risk to any party should not be handled by the relevant Departments; for example, “could I request a copy of my training records?” could be responded to by the Training Department with ease. Even in the most complex of cases, it may be that you call upon Departments to offer their specialist knowledge, experience and insight into the matter to help you classify the nature of the data and organise the collection and assembly of the DSAR return, while ensuring that those within the Data Protection function retain the final decision making authority.
Make policies and procedures everyone’s business
You will no doubt have heard the catchphrase that Data Protection is everyone’s responsibility. In this instance, it is very much the case. A DPO working in isolation is ineffective. Embedding compliant policies, procedures, ways of working, etc. requires input and engagement across the company. It brings learning opportunities in terms of record discovery and management, it allows managers to identify inconsistencies in their approaches and evidence recording, and it also gives useful opportunities to revisit service delivery and identify any failures. Whilst appearing burdensome at the outset, working on a DSAR can give the wider business useful intelligence that it may never otherwise have had the opportunity to extract.
Utilise redaction software functionality
It is not our position to recommend one product over another, but redaction technologies and software have improved massively. Whilst useful, redaction software should be treated with caution, as a series of commands or instructions still cannot replace the autonomy and decision-making skills of the experienced Data Protection practitioner with black marker pen in hand!
Similarly, redaction software can also reinforce the delegation model. Because redactions do not have to be applied until the file is finalised, a delegated worker can attempt to identify potential redactions first. This acts as a safe ‘first pass’ before the Data Protection decision maker looks through the file and removes or adds any redactions they see fit.
Don’t be afraid to say something is excessive or manifestly unfounded
Inherently people don’t like saying no, especially when applying customer service values. The same can occur in respect of DSARs with an inherent fear of advising someone that their request is excessive or manifestly unfounded. Often decision makers will revert to default and ‘just deal with it’ rather than necessarily tackling the problem head on. Whilst we don’t have comprehensive statistics for the use of this provision under the GDPR, we can only look into the experiences that Freedom of Information legislation offers. Within Central Government, their most recent Freedom of Information Statistic Bulletin showed that the slightly comparable vexatious exemption was keenly avoided and only used in 0.45% of instances in Q1 of 2020. Is there a similar fear rate in respect of DSARs?
The key fundamental to be aware of is that you must be able to justify your decision to the Information Commissioner. There is guidance on the ICO’s website that indicates the hallmarks of such requests, and this should be reviewed and considered thoroughly.
Avoiding the difficult conversation never resolves the problem and can set a dangerous precedent (i.e. “why has my request only now become unreasonable?”). We encourage decision makers to be brave and tackle the issue by focusing upon the wider compliance programme and data subjects as a collective whole, rather than ploughing a disproportionate amount of resources into the one troublesome data subject.
Conclusion
Our responsibilities to data subjects remain the same, regardless of the ICO’s approach to investigation and enforcement, and the right of access continues to be a cornerstone of data protection fundamentals. Building and assessing your DSAR strategy is one of the times when compliance and business efficacy marry up perfectly. The goal of administering a DSAR is to understand what your customer wants, know where it is located and deliver it in a cost-effective, efficient and legally sound manner. And, after all, isn’t that the goal of any business process?
The DPO Centre offers a DSARs response service to review your DSAR policies and procedures and provide you with the necessary support to make any required amendments. For further information, please use the form below to contact us.