As the EU General Data Protection Regulation compliance date nears, many companies have been taking steps to understand the new rules and are now looking for solutions to start tackling the nitty-gritty tasks needed to avoid massive financial penalties.
One of those tasks is handling data subject access requests. Several articles in the GDPR focus on giving data subjects the right to see what information an organization holds on them. TrustArc recently came out with its DSAR tool, and now another company is offering a similar solution.
Raptor Compliance’s software allows companies to handle data subject access requests primarily through back-end services. A company can install the software for their website, and users can either fill out a data subject access request via an account they already have with the company’s website, or through a form Raptor Compliance provides. The form then asks the user for 10 data points in order to verify the subject’s identity.
From there, the back-end machine kicks in, according to Raptor Compliance CEO Dominic Staiger, CIPM. The software takes the information from the existing login or the data points and searches every database within an organization to find the necessary details needed for the request.
“Once the data has been collected from the databases, it goes through a process where we ensure the quality of the data, and ensure that we cross-reference the data to make sure it is the correct information,” Staiger said. “For example, you can have the same name as someone else, but with a different spelling.”
Having the ability to locate information across a wide array of databases is why Raptor Compliance is aiming its software at medium- and large-sized enterprises. Staiger said larger organizations often do not know where information is located within their databases, which could be spread across many locations within legacy systems.
“Our software basically tells the company where data is actually stored for that individual, and by having more and more requests, you can do a data mapping exercise within the company automatically,” Staiger said. “By doing that, management can look at a report on a large screen where they have connections between different databases and datatypes that are in there, and get a bird’s-eye view of an organization, and that’s something you can send to the executive board.”
After the information is gathered, the report is ready to be sent back to the data subject. The information will be delivered on a status page generated from the request, or possibly by email. The subject will be able to access the data through an encrypted link, where they can download it straight to their computer.
The report delivered to the data subject is one of three that Raptor Compliance’s software generates. The other two are a report for the data subject on the nature of the processing operations, and an internal compliance report detailing all the steps taken in obtaining the information, the length of time it took to finish the request, and any users involved.
Staiger said while the solution would ideally be fully automated, a lot of companies are more comfortable having the human element play a part in the DSAR process.
“What they want to do is reduce the amount of the manual aspect parts of it, basically the identification process and the data gathering process, but they still want to have an in-between manual process of someone who actually says OK to release the data,” said Staiger, who added organizations will especially want someone to approve data releases when the information is more sensitive in nature.
With the GDPR looming, companies have been forced to change their views on sharing information with users, as the rules have given them no choice but to do so. While companies are slowly coming to grips with having to disperse information, Staiger said companies are running into technical issues, as they never had to deal with anything such as a DSAR before.
When asked about the importance of DSARs, Staiger said he believes they can help add a layer of transparency to an organization’s behavior.
“By having such a right to access your data and get information on how data is used, the more individuals who request data, the more the enforcement of the data protection laws will be ensured,” Staiger said. “The companies will have to provide information about what they are actually doing, and by doing that in an electronic form, certain privacy foundations will be able to monitor the information they provide, and to see disparity between the services they provide, and how they process the personal data.”
The road for Raptor Compliance will be a challenging one going forward. Staiger admitted they will not be able to help all of their current customers immediately, as his team consists of 12 staffers. The company is optimistic, however, that it will be able to add 30 to 40 employees over the year to help as they continue working with the C-suite, compliance managers, and IT departments to bring their software to the forefront.