Dealing with data requests

Companies of all sizes have been dealing with Data Subject Access Requests (DSARs) since the introduction of the Data Protection Act in 1998. These allow an individual to request a copy of any personal data that an organisation holds on them, but since May the General Data Protection Regulation (GDPR) has made some significant changes, especially on how businesses must respond.

Before the new GDPR regime came into force, businesses had 40 days to comply with requests, which has now been reduced to one month, and companies can no longer charge a £10 fee for each DSAR. Most importantly, from a financial perspective, the fines for failure to comply with a request have increased substantially.

“If an organisation fails to comply with a DSAR, then they could be facing steep fines. The fines should be imposed on a case-by-case basis and take into consideration what each case involves, but they must be ‘effective, proportionate and dissuasive’,” explains Mark Anderson, senior project consultant at leading end-to-end eDiscovery company Complete Discovery Source (CDS).

Under GDPR, penalties can be as much as €20 million or 4 per cent of annual turnover, whichever is greater. In certain cases there can also be criminal liability and reputational damage for being named as one of the first companies to fall foul of the rules. Yet, according to Mr Anderson, not enough businesses know the ins and outs of DSARs until they actually receive one.

For example, firms should be able to allow DSAR requests electronically and have procedures in place to act on a request almost immediately. “As there is only a one-month turnaround, every day really counts. You don’t want to be spending the first week of a request working out how to deal with it or understanding what one is,” says Mr Anderson.

Organisations should be proactively preparing for receiving a DSAR, and get a clear sight and an in-depth knowledge of their systems. There should also be workflows in place that can quickly identify personal data and answer questions like “Is HR using a document management system that stores data?” and “Could employees have been texting each other personal information on business devices?”

Mr Anderson says: “It’s quite surprising how many businesses don’t know exactly where their emails are stored or what systems they use internally. So having a specific person such as a compliance officer or IT specialist within the organisation who can say ‘we have this number of systems and this is where data is stored’ is key.”

Organisations should be proactively preparing for receiving a DSAR and get a clear sight and an in-depth knowledge of their systems

Even for organisations with strong IT resources, it often proves difficult to create a DSAR framework from scratch or reply to an unexpected request within the deadline. But companies such as CDS are able to support businesses through the DSAR process by employing advanced analytics to look at the textual content of all potential documents that may need to be disclosed and thereby reduce the amount of information that has to be reviewed.

“We start by working with clients to identify, collect and extract relevant personal data through a process called data-mapping. Once this data is extracted, we then process the data to make the required documents searchable and run a process called de-duplication, so we only provide one copy of each document. We then utilise analytical tools to reduce the document population by removing further duplicative data,” says Mr Anderson.

The risks of going it alone when dealing with a DSAR need to be considered. Not having the right tools in place to discover which documents need to be provided can lead to either an under-disclosing or over-disclosing of personal data.

“One of the complications with a DSAR is that you can’t disclose another individual’s personal data to the requester. By using our redaction tool kit, we allow a company to redact a user’s personal information electronically, either manually or through automated tools. This helps to streamline the entire process to meet the tight timeframe,” Mr Anderson concludes.


For more information please visit