Publish date: 20 March 2024

Data subject access requests – how to take away the stress of dealing with them

Who hasn’t felt anxious when a data subject access request (DSAR) lands in their email inbox from an employee, customer, student, parent of a pupil or any other data subject whose personal data they hold and process as a data controller or processor?

There is the request itself, asking for everything: every piece of data you hold about the individual. But that data is mixed up with data you hold about other data subjects, who are not making a request for disclosure but who feature in the data you hold about the requester. Is the request scoped in time? How much data do you hold for the period of time that they have narrowed their request to? Then there is the one-month time limit for disclosure. No one wants to be caught out by missing the time limit, for fear that a complaint will be made to the Information Commissioner’s Office (ICO) and a case worker will be on your back. No one wants to incur a fine for failure to comply with a DSAR, let alone be found to have unlawfully or unfairly processed personal data. As a team that specialises in helping our clients with DSARs, we know how to help you, from establishing whether a request is manifestly unfounded and excessive, to advising on information that can be withheld because an exemption applies, such as legal privilege, or because it simply does not relate to the data subject making the DSAR or identifies other data subjects (identifiers).

So, having sent your Data Protection Officer or IT department to drill into your IT systems, including the email boxes of anybody and everybody who has ever emailed or received an email from the data subject who has made the DSAR, you have several megabytes’ worth of data, with no way of knowing whether it is relevant or duplicated. You know it contains information about other people, but the prospect of physically printing the data off and asking an army of people to redact it, either manually or using a PDF program with a redaction facility, fills you with utter dread. The sheer number of hours and days this will take will use up capacity you do not have and will be a huge distraction, because people who have other jobs to do will be taken off those jobs to conduct a huge redaction operation. Even if you first attempted to put the documents in chronological order and remove any duplicates to reduce the redaction time, this process is in itself hugely time-consuming. As a team with a wealth of experience in sifting through information forensically, we know how to de-duplicate and de-clutter data.

How do we do this?

We have state-of-the-art new software that enables us to analyse data efficiently and in a fraction of the time that it would take you to do it manually. By minimising manual effort and reducing the need for extensive redaction, our solution offers significant time and cost savings. Our software can also:

  • Identify the data that falls within defined creation dates, so that disclosure is confined to the information asked for in a defined period, and cull the rest
  • De-duplicate actual and near duplicates, de-clutter the data, and cull that data
  • Identify the relevant data subject from personally identifiable information and identify all other data subjects, so that those other data subjects can be redacted from the data to be disclosed
  • Search for specific initials of data subjects, payroll numbers or post codes that are all potentially disclosable, so that they remain included within the data to be disclosed
  • Create audit or working copies of the data disclosure bundle showing the proposed redactions for checking and approval by you
  • Create a redacted version, in chronological order, for sending to the data subject
  • Preserve the original data in raw form, so that in the event of a dispute involving the ICO investigating a breach of the SAR disclosure obligations, we can show the process that has been undertaken, from raw data, to working redacted data, to redacted and disclosed data
  • Create reports of data culled or removed, and of data that does not contain text, is corrupted, is in non-accessible files or is password-encrypted.

As a modern law firm using class-leading technology, we deploy that technology to help our clients in times of critical need, where there are risks in getting it wrong, such as disclosing someone else’s personal data when complying with a SAR.

Our meticulous forensic lawyers will review the disclosure bundle to check that it is fit for disclosure.

What’s it cost?

No two data subject access requests are the same. The file sizes of the data will dictate how much time the software will take to complete each stage (above) and how much lawyer time we need to devote to overseeing the process and thoroughly reviewing the redactions and disclosure bundle before the DSAR is complied with.

So when you have a DSAR land on your desk, don’t hesitate to call us and we can help you comply.

