How to handle your first GDPR Data Subject Access Request
Recital 63 of the GDPR states:
“a data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”
Data Subject Access Requests are not new with GDPR but GDPR has introduced some updates and changes which need to be considered and do make the data discovery and labeling process more complex.
Organizations who receive a DSAR need to comply at no cost (in most cases) and without delay within a month.
The fact that organizations have started receiving such requests goes to show that GDPR is now, as expected, impacting resources whether you like it or not.
PII data which has been collected over the span of the organization’s lifetime, now has to be easily discoverable and securely accessible to fulfill GDPR compliance and avoid hefty fines.
The collection of such data has proven to be quite complex, resource consuming and at the end of the day, expensive for organizations.
There have been a variety of examples even before the GDPR regulation came into place. Where such requests have been reported to carry with them a significant cash value of hundreds of thousands of dollars. For example, in the case of data subject access request of Deer vs University of Oxford, going through half a million emails in order to respond to the individual’s rights, has been estimated to cost $150,000.
What would a DSAR look like?
We recently received such a request. The details of the request can be seen in the DSAR email screenshot below:
Let’s break down the request to understand further what needs to be done:
The source of the data
Where did you get the data?
It could be from a marketing activity that the user registered to, an event the user attended and got scanned at, a partnership, a deal you made or any other source for that matter. Depending on where the data is, may give you an indication of where and why it was collected. Imagine how long it would take to locate the data for the specific user if you don’t know where it is?
The purpose of processing
What was the purpose of processing the data?
It could be almost anything depending on what your business does. Could be patient data for health records, could be for a sales opportunity or just a user that got logged in the systems for other purposes.
List the Categories of Personal Data concerned
This one is quite tricky as GDPR has enhanced the range of what is considered as personal data.
GDPR states with the following:
“An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
With such a large range of potential data to be considered as personal, context becomes very important. The context of which it was collected and the context of which it is stored.
Context is tricky because understanding context is based on the ability to think like a human.
List the recipients which the personal data was disclosed to
In this case you have to figure out if this data was shared and if so, who was it shared with. Again, a task that takes time and resources and information that is hard to find within the wealth of data you manage on a daily basis.
Your retention period for storing the personal data
Do you know how long the different pieces of data are stored and how long you intend on storing them? Do you have a policy in place for data storage period?
Information regarding the transfer of personal data to a third-country or other organisation
- Name of country or organisation
- Safeguards in-place that data will be held securely
Deletion and minimization of data
“I exercise my right under GDPR for all my personal data held by Cognigo to be securely deleted and confirmation of that deletion to be sent to me.
Failure to comply with this request within 30 days will result in a complaint being lodged with the UK Information Commissioner’s Office (ICO).”
Users can request to delete all saved Data and receive confirmation. This under regular circumstances may require access to multiple system’s, databases, Cloud storage, CRM, Emails etc… and could take weeks to figure out.
This is a real challenge and definitely one that CISOs and Privacy Officers would appreciate a solution to that could save time and human resources upon every DSAR that comes in.
For us at Cognigo, we had it quite simple, all our Data is constantly under inspection and under strict data security policy controls, therefore we only needed to type the customers email in the “Datasense” search bar and the full information was immediately available as a report (DSAR Report Template can be found here).
Cognigo’s DataSense combines artificial intelligence and cognitive computing to discover, label, categorize and govern personal identifiable data and enforce data security policies automatically and continuously across the enterprise.
“With privacy laws in flux and customers increasingly aware of their privileges, capabilities to enhance privacy protection are paramount for organizations worldwide. Granular insight in privacy risk and control over personal data are top of mind for security and risk management leaders.”
Source: Gartner’s Cool Vendors in Privacy Management. Published 27 April 2018
