As people grow more aware of their privacy rights, companies are facing more DSARs than ever before. Fulfilling these requests is a legal requirement for organisations operating under the General Data Protection Regulation (GDPR). However, the increased use of social communication channels – such as Slack, Microsoft Teams, Vivo, WhatsApp – has made responding to DSARs more challenging and complex.
In a recent webinar discussion with Waddington Brown, a well-respected HR consultancy in the East of England, our Data Protection Officers (DPOs), Matt Spall and Pippa Scotcher, shared their insights on managing DSARs amidst the surge of workplace social communication.
Matt, who leads our DSAR-specialist team, and Pippa, who brings a wide range of data protection experience, discussed the unique ways that social communication channels impact DSARs and how organisations can better manage this content.
In case you missed the webinar, this blog covers the key discussion points, including:
But before we delve into the details, let’s clarify what a DSAR is.
A Data Subject Access Request (DSAR) is a fundamental right under the General Data Protection Regulation (GDPR) that grants individuals (known as data subjects) the right to obtain a copy of the personal information that an organisation holds about them, as well as other supplementary information.
Handling a DSAR requires careful management. It is important to understand that a DSAR can be requested in any way – written or verbal – and does not have to specifically mention data protection regulations. Organisations are legally obligated to acknowledge and complete a DSAR within one calendar month, unless there are multiple requests, or the request is considered complex.
You can learn more about DSARs here: Processing DSARs: 5 Essential steps
Social communication channels have quickly become integral to modern workplaces. Platforms such as Slack, Microsoft Teams, Vivo, WhatsApp, and even social media sites like Facebook and LinkedIn play a significant role in daily operations.
These channels facilitate real-time collaboration and have evolved from simple messaging tools to comprehensive platforms that include file sharing, video conferencing, and integrations with other business applications.
The GDPR does not specifically state that social communication channels must be included in a DSAR. However, the legislation establishes an individual’s right to access a copy of all personal data held by organisations. This implies that if personal data is processed or shared through social channels, it should be available on request.
The UK’s Information Commissioner’s Office (ICO) is more explicit in its guidance, stating that organisations using social communication channels for business purposes must search these platforms for personal information when responding to a DSAR.
‘It depends on the data that is stored on these platforms. Remember, it’s only personal data about an individual that falls within scope of a DSAR. ‘Professional’ or ‘business as usual’ information generated during someone’s job will not be in scope. And differentiating between the two in a more ad-hoc, informal setting can be challenging.’
‘Using personal apps on a personal phone for work purposes – like WhatsApp – creates complexities. Although it could be argued that these apps fall under DSAR obligations when used for company-sanctioned tasks, accessing an employee’s personal device raises significant privacy concerns.’
Messaging platforms like Microsoft Teams, WhatsApp and Slack use data formats such as JavaScript Object Notation (JSON), eXtensible Markup Language (XML), and Comma-Separated Values (CSV). These structured and unstructured data formats can make it difficult to retrieve specific messages, often requiring extensive filtering. Also, certain formats need converting to a common format for reviewing, which can be time-consuming and increases the risk of inaccuracies.
Export functionality also varies across platforms. Some offer export tools with comprehensive HTML-formatted outputs, whilst others limit exports to public data only. Subscription levels can also affect export features, meaning some plans would require substantial configuration to access and compile the data necessary for compliance.
Social communication channels naturally encourage a more casual tone compared to traditional email. This informality can lead to individuals expressing thoughts or opinions they might hesitate to share otherwise, including unprofessional remarks about a colleague.
Search functionality
Searching for relevant personal data in social communication channels can be challenging, especially when employees use nicknames for colleagues. For example, if an organisation frequently uses the nickname ‘Daveyboy’ rather than David, it might be easier to locate messages associated with the nickname.
However, complications can arise when a data subject requests information using initials. These initials may appear frequently within common words or overlap with internal acronyms, complicating the search process.
Keep in mind that unique job titles can also serve as identifiers, helping to pinpoint specific individuals.
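The two retrieval problems described above (exports arriving in different formats that must be converted to a common shape, and identifiers such as nicknames, initials and job titles that are easy to miss or to over-match) can be handled in one small pre-review step. The script below is an added example, not code from the original post, the webinar or any messaging platform; the JSON and CSV layouts, channel names and all message text are constructed and only resemble typical exports. It maps both exports onto one record shape, then searches for the data subject's identifiers, matching names and job titles case-insensitively on word boundaries, matching initials case-sensitively so that "DJ" is found but "adjust" and "ADJ" are not, and reporting lower-case initials as low-confidence hits for manual review.

```python
"""Normalise constructed chat exports into one record shape and search them
for a data subject's identifiers (full name, nickname, initials, job title).

Added example, not code from the original post or from any platform. The
JSON and CSV layouts below are constructed to resemble messaging exports;
real exports differ, so the two load_* functions are the part to adapt.
"""
import csv
import io
import json
import re

# --- Constructed sample exports (assumed layouts, not real platform output) ---
# A JSON export shaped as a per-channel list of messages.
JSON_EXPORT = json.dumps([
    {"ts": "1700000001.000100", "user": "alice", "text": "Daveyboy can you adjust the rota?"},
    {"ts": "1700000002.000200", "user": "bob", "text": "DJ says the delivery is late again"},
    {"ts": "1700000003.000300", "user": "carol", "text": "Please adjust the budget by Friday"},
    {"ts": "1700000004.000400", "user": "alice", "text": "The Head of Logistics signed it off"},
])

# A CSV export with a header row.
CSV_EXPORT = """timestamp,sender,message
2024-03-01T09:00:00Z,bob,"David Jones was in the meeting"
2024-03-01T09:05:00Z,carol,"Hot desk in ADJ block"
2024-03-01T09:10:00Z,bob,"ask dj about it"
"""


def load_json_export(raw, channel):
    """Map a JSON message list onto the common record shape."""
    return [
        {"source": "json", "channel": channel, "ts": m["ts"],
         "author": m["user"], "text": m["text"]}
        for m in json.loads(raw)
    ]


def load_csv_export(raw, channel):
    """Map a CSV export with a header row onto the common record shape."""
    reader = csv.DictReader(io.StringIO(raw))
    return [
        {"source": "csv", "channel": channel, "ts": r["timestamp"],
         "author": r["sender"], "text": r["message"]}
        for r in reader
    ]


def build_patterns(full_name, nicknames, initials, job_titles):
    """Compile one (term, regex, confidence) triple per identifier.

    Names, nicknames and job titles match case-insensitively on word
    boundaries. Initials match case-sensitively on word boundaries so that
    'DJ' is found while 'adjust' and 'ADJ' are not; the lower-case form is
    still reported, as a low-confidence hit, for a reviewer to check.
    """
    patterns = []
    for term in [full_name, *nicknames, *job_titles]:
        patterns.append((term, re.compile(r"\b" + re.escape(term) + r"\b", re.IGNORECASE), "high"))
    for term in initials:
        patterns.append((term, re.compile(r"\b" + re.escape(term) + r"\b"), "high"))
        lower = term.lower()
        patterns.append((lower, re.compile(r"\b" + re.escape(lower) + r"\b"), "low"))
    return patterns


def search_records(records, patterns):
    """Return the records that mention any identifier, tagged with what matched."""
    hits = []
    for rec in records:
        matched = [(term, conf) for term, rx, conf in patterns if rx.search(rec["text"])]
        if matched:
            hits.append({**rec, "matched": matched})
    return hits


def find_subject_messages():
    """Run the pipeline over both constructed exports for one (constructed) data subject."""
    records = load_json_export(JSON_EXPORT, "#ops") + load_csv_export(CSV_EXPORT, "logistics-chat")
    patterns = build_patterns("David Jones", ["Daveyboy"], ["DJ"], ["Head of Logistics"])
    return search_records(records, patterns)


if __name__ == "__main__":
    for hit in find_subject_messages():
        print(hit["source"], hit["channel"], hit["ts"], hit["author"], hit["matched"], "|", hit["text"])
```

The output is a candidate set, not the final disclosure: every hit still needs a human to decide whether it is the subject's personal data or "business as usual" content, and the low-confidence initials hits exist precisely so that nothing is silently dropped or silently included.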
As mentioned previously, accessing any relevant data from social communication channels on personal phones can be complex, especially when determining whether the use is company-sanctioned or not.
Communications on company-issued phones are generally in scope, provided the organisational policies clearly state that the device and its content are the property of the organisation.
Messages exchanged on personal phones for personal use are typically not considered in scope for a DSAR.
Work-related messages on personal phones may only be considered in scope if the organisation has explicitly sanctioned or is aware of the communication group. In these cases, a well-defined policy can support data retrieval efforts, though challenges around personal devices may still arise.
Social communication channels don’t have to spell disaster for DSARs. Here are 5 best practice tips for managing these platforms in a DSAR-friendly way.
Your internal policies should include these key areas:
Platform use guidelines – Establish which platforms are approved for business use and outline expected usage across devices (e.g. work or personal phone, laptop).
Data management and archiving – Provide clear instructions on how data should be managed and archived.
Retention policy – Set a short retention period for social communications. As these platforms typically aren’t used for storing critical documents, shorter retention periods can make it easier to locate relevant information for DSAR responses.
Regular training and awareness programmes can help employees understand their responsibilities regarding data handling.
Train staff on the appropriate use of these channels, highlighting what should and shouldn’t be shared. For example: If you wouldn’t want the person to see a comment, avoid putting it in writing.
It is important to consult with your IT team about the specific information you will need if you receive a DSAR. There may be limitations due to licensing and you will need to consider making adjustments or exploring alternative platforms that will better serve your data retrieval needs.
Review your current platform licensing agreements to determine if an upgrade could enhance your organisation’s data management capabilities and improve search functionality. Higher-tier licences generally offer more robust search functionality, allowing for easier retrieval of data.
If you haven’t encountered a DSAR before, it is a good idea to conduct a dry run to test your processes. This practice will help you to pinpoint areas for improvement and make the necessary changes before a real request arrives.
As social communication channels become increasingly integral to workplace interactions, organisations must recognise the accompanying complexities and adapt their DSAR processes accordingly. Understanding the challenges of data retrieval from these platforms is essential. By updating policies, training staff, collaborating with IT teams, reviewing licensing arrangements, and conducting practice DSAR responses, organisations can effectively manage requests and protect personal data. Embracing best practices is vital for ensuring compliance and maintaining a culture of transparency.
Watch the Waddington Brown DSAR webinar with DPOs Matt Spall and Pippa Scotcher.