Complying with data subject access requests (DSARs) continues to be a challenging area of EU General Data Protection Regulation implementation. Because Article 15 of the GDPR gives data subjects the right to obtain a copy of the personal data held about them, organizations are experiencing a surge of DSARs, and the pressure on data controllers is expected to grow as the arrival of the California Consumer Privacy Act spurs another increase in such requests. The challenge is compounded by the need to verify the identity of the requesting data subject and filter out fraudulent DSARs: a request fulfilled without adequate identity verification can hand one person's personal data to an impostor, turning the access right itself into a data-disclosure channel.
Luckily, the IAPP-EY Annual Governance Report 2019 gives insight into how some companies are coping with their DSARs. The findings suggest that DSARs pose a compliance risk for some controllers, that the method used for handling DSARs correlates with how difficult they are to process, and that unstructured data is a major contributor to the difficulty of managing them.
It is unsurprising that difficulty managing DSARs could lead a company to fall out of GDPR compliance. The report reveals that companies that found it difficult to fulfill DSARs were less likely to fulfill them at all. Moreover, those who found it difficult were more likely to take a month or longer to respond. This suggests that some companies are struggling to remain legally compliant with the GDPR because of these requests. Article 12(3) of the GDPR requires controllers to respond "without undue delay" and in any event within one month of receipt, a period that may be extended by two further months "where necessary" in light of the complexity and number of requests. Struggling with DSARs therefore presents a significant compliance risk for controllers.
The report also reveals patterns in how controllers handle DSARs. According to the report, around half of the firms that receive DSARs have a dedicated team to handle them, and, unsurprisingly, the controllers who found DSARs difficult were less likely to have such a team. The report also examined the type of process used. Two-thirds of respondents handle DSARs manually, and one-third use a combination of manual and ad hoc processes; those who reported difficulty with DSARs were more likely to rely on manual and ad hoc processes. This suggests a relationship between how difficult DSARs are for firms and the methods the firms use to handle them. A dedicated team, or some form of defined, repeatable process rather than ad hoc handling, makes DSARs easier to manage where it is feasible. This is likely why some companies are developing solutions for data subjects and controllers alike to manage DSARs.
The root of organizations' challenges in handling DSARs appears to be unstructured data. According to the report, "locating unstructured personal data" was the most widely reported DSAR-related difficulty, cited by more than half (56%) of respondents. Unstructured data is information held outside a relational database; it is found in emails, physical and digital documents, photographs, videos and similar material. A commonly cited estimate is that roughly 80% of all business information takes the form of unstructured data. It is no wonder that unstructured data presents an obstacle to companies responding to DSARs when the requesting data subject's personal information may reside in an unmapped mass of client communications, employee work products, disparate documentation and media.
Hopefully, overcoming issues with DSARs is just another growing pain of the new GDPR regime. The challenges of verifying identities and locating personal information largely exist because companies of the pre-GDPR era organized information without data portability and individual access in mind. While companies work on mapping and restructuring their data repositories and streamlining their response processes, it is critical that they continue to respond to DSARs in a timely and appropriate manner. More than anything, the report reveals that DSARs are hard, and that no company is alone in this new struggle.