In my job, I am fortunate enough to speak to many people involved in ensuring their organisation is GDPR compliant. Whenever you engage, there is always a tale to tell about Data Subject Access Requests: how challenging, how easy, how long! Here are a few anecdotes that might resonate with you…
“We had a legal case that took 70 days to service. Yes, that was one person solidly on it for 70 days. We had to get an extension from the ICO.”
“We put three people on one case to get inside the ICO deadline. We managed to do it in 21 days.”
“It takes us 2 weeks to service a request. We only get two a year so it’s not a problem. The organisation down the road though gets 2 a week and they’ve taken on an extra three staff to service the demand.”
The ICO website contains some fantastic advice for organisations and individuals alike. There’s even a template letter to use for making a data subject access request.
"Dear Sir or Madam
Re: Subject access request
Please supply the data about me that I am entitled to under data protection law relating to:
- my personnel file
- emails between ‘person A’ and ‘person B’ (from 1 June 2017 to 1 Sept 2017)
- my medical records (between 2014 and 2017) held by ‘Dr C’ at ‘hospital D’
- CCTV camera situated at (‘location E’) on 23 May 2017 between 11am and 5pm
- copies of statements (between 2013 and 2017) held in account number xxxxx.
If you need any more data from me, or a fee, please let me know as soon as possible. It may be helpful for you to know that data protection law requires you to respond to a request for data within one calendar month."
The receipt of such a letter is enough to inspire many to leave the building via the nearest exit and never come back. Anecdotally, I heard of one organisation that had asked for it to be taken down from the ICO site!
What’s the problem?
The first problem is actually finding the data. The sample letter above has requested data from at least 5 different systems. Most requests, however, will not be so specific, and many organisations may in fact have hundreds of systems in play that may contain data pertaining to the individual. Even with a reasonably good means of access to all of the systems (and that’s not a given) you could easily be looking at a conservative 30 minutes per system to find and extract the information.
Problem two is that, having found it, you need to collect it into one place, review it, and ensure it is relevant and, importantly, does not contain data about any other data subject. After all, you don’t want to cause a data breach by servicing a subject access request!
Is there a better way?
Certainly the first problem is solvable, and there’s some advice buried deep on the ICO website that points the way…
“Know what information your organisation holds, who it is about and where it is stored. Auditing and indexing your information properly will make it easier and more efficient to deal with information rights requests.”
Tools such as Infoboss help to solve this problem. They gather all of the data together into a manageable, reportable and, importantly, searchable data store, enabling you to quickly and efficiently find the information you are looking for across multiple data stores and extract it into one place. They also provide an audit trail of who is doing it and when.
The second problem of reviewing and redacting information is for now still largely a manual activity, but tools like Infoboss can help you to anonymise, truncate and redact certain information on the fly, reducing the manual effort.
Using Infoboss automated data monitoring enables you to ensure that the processes used to collect and store data are actually followed. For example, when writing a letter, always include a unique customer reference so that the document or email can be easily identified later. Infoboss can check these data assets as they’re stored and alert the data owner if an issue occurs, enabling early intervention and resolution, which in turn will make the process of servicing a data subject access request much easier in the long term.
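To make the two problems above concrete, here is a small added illustration (written for this article, not Infoboss's own code) on constructed sample data: it gathers one subject's records from several stores, redacts references to other data subjects, records an audit trail, and runs the "every stored letter must carry a customer reference" monitoring check. The CUST-nnnnn reference format and the three stores are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample data: each store maps a document id to its text.
# Customer references use a hypothetical CUST-nnnnn format.
STORES = {
    "crm":   {"note-1": "Call with CUST-10001 about invoice; CUST-10002 also on the line."},
    "email": {"msg-7":  "To CUST-10001: your appointment is confirmed.",
              "msg-8":  "Reminder sent to CUST-10003."},
    "post":  {"ltr-3":  "Dear customer, your statement is enclosed."},  # no reference at all
}
REF = re.compile(r"CUST-\d{5}")
AUDIT = []  # who searched for which subject, and when

def check_reference(doc_id, text):
    """Monitoring rule: a stored document must carry at least one customer
    reference, otherwise it cannot be found when a request arrives.
    Returns an alert string for the data owner, or None if the document is fine."""
    if not REF.findall(text):
        return f"{doc_id}: no customer reference found"
    return None

def monitor_stores():
    """Run the reference check over every stored document; returns the alerts."""
    alerts = []
    for docs in STORES.values():
        for doc_id, text in docs.items():
            alert = check_reference(doc_id, text)
            if alert:
                alerts.append(alert)
    return alerts

def redact_others(text, subject_ref):
    """Replace every customer reference that is not the requester's with a marker,
    so the bundle does not disclose data about other data subjects."""
    return REF.sub(lambda m: m.group(0) if m.group(0) == subject_ref else "[REDACTED]", text)

def service_dsar(subject_ref, actor):
    """Collect every document mentioning the subject across all stores into one
    place, redact other subjects, and record who ran the search and when."""
    bundle = {}
    for store, docs in STORES.items():
        for doc_id, text in docs.items():
            if subject_ref in REF.findall(text):
                bundle[f"{store}/{doc_id}"] = redact_others(text, subject_ref)
    AUDIT.append({"actor": actor, "subject": subject_ref, "found": len(bundle),
                  "at": datetime.now(timezone.utc).isoformat()})
    return bundle
```

Note that the unreferenced letter in the "post" store is flagged by the monitor but never appears in the bundle, which is exactly the gap the customer-reference rule is meant to close.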
Clearview Infoboss is a new technology designed to help quality, compliance and assurance teams to achieve more with the limited resources at their disposal. It is cost effective, easy to use and fast to implement, yielding almost immediate savings in the time and costs associated with discovering and checking data. If you’d like to discover how, why not watch our video on “Automated data monitoring for quality and compliance purposes” or get in touch for a discussion on your digital data quality and compliance challenges and how we can help.