DSAR Best Practices and Workflows an Organization Should Follow

2020-07-07T15:05:10+00:00 | June 30th, 2020 | Categories: eDiscovery, Information Governance, Privacy

In my latest post, I outlined the process involved in the actual response to DSAR requests. In this last article of the series, I will discuss the best practices and workflows that your organization should follow when responding to DSAR requests. Generally, “controllers” are responsible for responding to DSARs, and “processors” assist them in handling the requests. Here are my recommendations for best practices in responding to DSARs to ensure General Data Protection Regulation (GDPR) compliance:

Review and Update Privacy Notices and Policies

The GDPR requires organizations to inform data subjects of their rights. Companies need to make sure that their existing policies comply with the new entitlements given to data subjects by the law, including the right to:

- Obtain certain information from the controller beforehand, and without asking for it
- Be made aware of whether a controller is processing their data and how it was collected
- Request that inaccurate personal data about them be rectified, with communication regarding the rectification made to each recipient of the data
- Demand that their personal data be erased and no longer processed (right to be forgotten)
- Ask the controller to restrict the processing of their data
- Receive their data in a structured, commonly used format for transmission elsewhere (data portability)
- Object to the handling of their data at any time (in certain circumstances)
- Not be subject to decisions based solely on automated processing
- Withdraw consent at any time during processing

In certain circumstances, EU member states may pass legislation to limit DSAR requests under local law. One example of this is the UK’s Data Protection Act of 2018.

Create and Implement a DSAR Process

Your company needs to have a process in place to address: How you will enable DSARs, e.g., offering a standardized online [...]

Responding to a DSAR Request

2020-07-07T14:59:23+00:00 | June 10th, 2020 | Categories: eDiscovery, Information Governance, Privacy

In a previous post, I discussed what a DSAR is, the laws that such requests arose from, and the importance of having a systematic approach to dealing with a request. Now let us outline the process involved in the actual response to DSAR requests. An organization is required to provide a DSAR requester with a copy of any relevant information collected or stored. The time to prepare for these requests is before you receive your first DSAR and find yourself not knowing quite what to do with it. Here are the steps to follow when responding to a DSAR:

Conduct a Data Inventory

Before you answer a data request, you need to know where the requester’s data can be found within your organization and allow for easy access and retrieval of the requested information. The data can come in many different forms, including structured data formats, which will require planning for the appropriate output format, such as a PDF or CSV file, to meet the request requirements.

Organize DSAR Requests

You will need to implement a process to classify all incoming DSARs, including who will oversee receiving and organizing the requests. This might be your chief data officer (CDO), who routinely manages, secures, assesses, and oversees the collection and analysis of data. There are technology solutions to help organize DSARs, as well as other legal requests, that can be implemented to manage the workflow from request to delivery.

Fulfill the Request

A standard process will need to be followed for identifying a valid DSAR request, verifying the requester’s identity, requesting more information if necessary, determining if the organization possesses the requested data and, if so, whether it must be provided, deciding whether charging a reasonable fee is justified (based on the administrative costs associated [...]

DSARs 101: What to Expect When Doing Business with EU Customers

2020-07-07T14:54:19+00:00 | June 4th, 2020 | Categories: Information Governance, Privacy

For any organization that deals with privacy issues in the European Union and other privacy-centric jurisdictions like the United Kingdom, an effective information governance program is a must. A program that includes a systematic approach to DSARs will significantly minimize exposure to risk. Several of my clients in the EU have been working extensively through the Data Subject Access Request (DSAR) process and how best to address such requests. The following is the first in a series of articles intended to unpack DSAR challenges.

What is a DSAR?

On its face, a DSAR is a simple written request that can lead to an extremely complex workflow. The request may be made to a company via email, an online form, or another form of communication. Upon receipt of the DSAR, the organization must track the request through to resolution within a specific timeframe, usually 30-45 days (after first verifying the requestor’s identity and existence in their data system). Under the provisions of two complex sets of laws, the EU’s General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA), a DSAR may be sent to any organization that processes the personal data of individuals residing in the EU.

The General Data Protection Regulation

The GDPR, which became effective on May 25, 2018, is a set of laws intended to standardize privacy regulations across Europe. However, the GDPR does not only affect organizations within the EU. Instead, it pertains to all organizations processing and storing the personal data of individuals in the EU, no matter where the company is located. According to the GDPR, a data subject is identified as “an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online [...]