Data Subject Access Requests – Five top tips for processing a request
Data Subject Access Requests, or DSARs, can be a thorn in the side of any organisation. The complexity of providing a response to a DSAR can come from data volumes or from the situation itself, especially if the DSAR is made as a precursor to litigation by a current or former employee. The level of effort involved in processing a DSAR in accordance with the expectations of the Data Protection Commission can be surprising for those who haven't been through the process before – and for those who deal with a large volume of DSARs it quickly becomes clear that a structured and documented approach is crucial.
ALG Solutions has assisted our clients on hundreds of DSARs over the last few years. Our experience in providing project managed, technology-driven and process oriented approaches to DSARs has been invaluable in supporting our clients. Here are our top five tips for managing a successful DSAR response.
- Act quickly
While one month may seem like plenty of time to respond, the amount of work required, particularly in the initial stages, is often underestimated. Where the DSAR is received in a contentious situation, or where you don't have a routine DSAR process in place, identifying, extracting and reviewing data can prove to be a complex and time consuming task. It generally involves multiple stakeholders across your organisation from IT, to compliance, to HR with possible input from legal. While an extension of up to two months on this timeframe can be availed of for complex DSARs, the faster you begin to act (and ask for help), the more time that can be spent on reviewing the data that may ultimately need to be produced.
- Find all the data
Don't forget to identify all the places where the data subject's personal data might be stored – emails and HR systems are easily identified as relevant data storage locations, but personal data could be stored in financial or customer databases, patient records, shared file servers, as well as less obvious locations such as recorded audio from phone calls or CCTV systems. The most commonly forgotten source of personal data is on mobile devices supplied or owned by the data controller – WhatsApp, Slack or text messages sent via work devices may be in scope for a DSAR, and should be considered.
- Spend time on filtering
From our experience with large scale DSARs, technology is your friend. No matter how careful you are with scoping data, it's likely that you won't be handing over all the data which you've gathered. Leveraging technology is the most efficient approach to pinpointing the personal data within your collected data, and the filtering itself can be approached in two ways. You may be familiar with the more traditional approach of using search terms, date ranges, or data types. However, more advanced technology using artificial intelligence can also be deployed. One example is using a technique called "concept clustering", which groups documents into buckets based on the topics or themes contained within them. It's then easy to spot which document buckets can be set aside, or which buckets need to be looked at more closely for personal data. In order to decide on an approach for filtering, an understanding of what the data subject is looking for with their request is critical. If the data subject can narrow their request to specific topics or types of data (e.g. relating to a HR process), the filtering will be much more effective in isolating the personal data you need to find and the data subject wants to receive.
- Decide redaction approach
Most DSAR responses will involve a level of redaction of the data set responsive to the request. This is generally to protect privileged or commercially sensitive information, or third party personal data. The extent of redactions required can be agreed depending on a number of factors – for example, the type of record being produced and whether or not it contains a lot of third party information. More practical considerations may also come into play such as the time and cost of redacting all third party data, or the risks involved in minimising the level of redactions. Regardless of what approach you decide to adopt to redactions, this decision should be made as early as possible in the process, so that redactions can be applied consistently across the data. Changing your mind about the redaction approach mid-way may cause delays, as work might need to be re-done in line with the new approach. ALG Solutions leverages technology to apply redactions automatically wherever possible, so that a consistent approach is baked into the process, and human error and cost are minimised.
- Record decisions
Throughout the process of responding to a DSAR, many decisions will need to be made. For example, decisions about the scope of the request, how to filter the data, and even decisions about individual documents and whether or not they contain personal data of the data subject. It is critically important to keep a record of all material decisions that have been made as this record will enable you to respond to queries that might be raised by the data subject or the Data Protection Commission later on. Examples of decisions to be recorded include whether documents should be withheld due to exemptions (whether on the grounds of privilege or another exemption provided for in the GDPR), the reason for each redaction, and who made difficult decisions in respect of the response and why those decisions were made. Technology can also facilitate the record keeping for a particular DSAR, in particular allowing for decisions or records to be kept alongside the data itself. This means that for any particular document or file, the entire history of its collection, filtering, review and redaction can be recorded automatically by the technology, and referenced at a later date. The software platform used by ALG Solutions, which is called RelativityOne, also allows for collaboration between the ALG team and our client. This is very handy in practice as clients can view the data, make their own comments, and even approve or edit redactions as required in real time.
How can we help?
If you need external support in managing DSARs, or are simply looking to improve your own internal DSAR procedures, ALG Solutions can provide the guidance and advice that you are looking for.
Our Employment team also regularly advise employers on processing DSARs and recently delivered a knowledge seminar which contains some tips and tricks on how to handle large scale employee DSARs. This is available to clients with access to KnowledgePlus: Handling data subject access requests (DSARs) under GDPR.
Date published: 31 May 2022