Revealing article by the team at Squire Patton Boggs analysing the results of their survey of ninety companies on experiences with DSARs. Their findings mirror our own experiences where we see them being increasingly used and especially in relation to a workplace issue.
I do not see this trend abating and companies need to be prepared to deal with them in an efficient and effective manner otherwise trouble could be brewing from the ICO or appropriate regulator depending on jurisdiction.
It is beneficial to have a tried and tested plan to put into action when a DSAR lands rather than employing a wait and see approach. The first step of which is to get a thorough understanding of where within your organisation data resides. That is normally a question most people think is straight forward to answer. However you’d be surprised how and where data spreads within an organisation...generally for well intended reasons! Therefore it is important to fully understand your data landscape and appreciate where to look, should a DSAR arrive.
The next question then becomes how do I interrogate that data landscape to pull out responsive data? There are various technical tools and techniques that can be used to identify and prioritise personal data across data sets to try and automate this as much as possible. But unfortunately, it is not a perfect science and someone will end up looking at data that may be subject to a DSAR before it is replied to. Technology can also make this less painful and more efficient using techniques born in the eDiscovery world.
We are seeing this as an increasing challenge for clients and are regularly helping them manage these issues.
DSARs are being used increasingly by individuals who are more aware of their rights, and often in the context of a workplace issue. We anticipate that this trend is likely to grow. Consequently, businesses need clear policies and procedures to enable them to deal with them in accordance with the GDPR and the DPA to avoid attracting the attention of the ICO and any subsequent enforcement action.