5 minutes reading

How To Develop An Efficient And Defensible Data Subject Access Request Process Using eDiscovery

Under the General Data Protection Regulation (GDPR), EU citizens have the right to understand what personal data an organization holds on them. They are allowed to make sure the information held is accurate, too. What’s more, they have the right to request the amendment, deletion, or transfer of their personal data. This all starts by submitting a so-called Data Subject Access Request (DSAR). When a DSAR is filed, organizations must find, review, redact and produce relevant documents within thirty days. These requirements leave many organizations in a difficult situation. They struggle to comply. In part, this is due to a lack of efficient and cost-effective processes. 

The issue isn’t a small one, either. A growing number of organizations that have to deal with DSARs report a growing trend. It doesn’t affect only Europe-based organizations either. As GDPR governs the rights of individual EU citizens, the obligations of GDPR impact any organization that holds data on EU citizens. In recent years, the number of DSARs has been going up: between 2018 and 2020 the number coming in has doubled. 

The cost of DSAR 

For the individual putting in the DSAR, most of the process is usually free. Article 12(5) of GDPR ensures that under most circumstances the DSAR is free to make. A few exceptions do exist, especially with regards to further copies of the same dataset and/or repeat requests. In such cases, the recipient can declare the request “manifestly unfounded or excessive”. This would allow them to either charge an administrative fee or refuse the request outright. Either way, the onus to prove the request is unfounded or excessive is on the organization. Any administrative fee also has to be justified. If multiple copies of the same dataset are requested, an administrative fee can be charged per GDPR Article 15(3).

It can be difficult to track down exact cost estimates of a DSAR, as the way GDPR is applied in different countries varies, as do labor costs, for example. According to reports from 2020 out of the United Kingdom, the cost per DSAR was £4884. Each request would take a Data Privacy Officer (DPO) around 66 hours to process on average. In a survey organized by UK privacy expert Gardum, 100 DPO’s from companies with over 250 employees processed an average of 27 DSARs a month. That math works out to an average cost of over £130k a month on average. Keep in mind, most of that cost cannot be recouped from the requester.

Suffice to say, DSAR isn’t cheap, and with privacy awareness on the rise, the number of requests filed is unlikely to go down. Luckily there is a well-established solution to this new challenge. According to the IDC: “[DSAR] follow identical workflows to that of litigation response. The right eDiscovery provider will be able to quickly and effectively respond to data subject access requests and protect the organization from related compliance violations.”

Read on to find out how you can leverage eDiscovery technology to handle data subject access requests. 

eDiscovery 101 - Lead Mag Whitepaper DL

Download the whitepaper to learn how eDiscovery helps you easily sift through huge volumes of data and find all relevant documents for a case in a fast and cost-effective manner.

Find all the relevant data 

Any DSAR-related search begins by finding all potential sources of data. Any data source that may hold personal data belonging to the requestor must be collected. Once all sources are found, they must be searched. Irrelevant data will need to be discarded, while potentially relevant information needs to be kept for proper review. By using the data assessment tools provided by modern eDiscovery solutions (such as ours), you can perform these tasks faster than ever. By using the AI-powered review capabilities of eDiscovery solutions, you can discard irrelevant information duplicate information and other forms of non-responsive data.

This leaves the DPO with only the potentially relevant information to review and redact. Under normal circumstances, this is only a fraction of the entire collection of the data found. This allows for a much more effective process. 

Quick and efficient review of the collected information 

Team members can leverage the data analytics capabilities of eDiscovery solutions. This allows for a much faster review of relevant information. The review functionality of eDiscovery technology is able to highlight specific information. The highlighted information will usually be the reason it was labeled “potentially relevant”. Team members are then able to immediately assess the relevance of such a file (and, should they want to, files like it).

With the relevant sections highlighted, important information is less likely to be overlooked. This reduces the room for errors and further speeds up the process without sacrificing review quality. 

Redact sensitive information 

With the initial dataset now reduced to only the actually relevant parts, it must be redacted. Redaction is a crucial part of the process. It helps to protect against the inadvertent disclosure of personal and sensitive information. This is done by redacting that information prior to delivering it to the requestor. It is common for relevant documents to contain not only the information of the requestor but also from other individuals. Providing this information to the requestor is, in effect, a data breach. Therefore, such information should be taken out of the dataset in order to guarantee the privacy of others.

Many eDiscovery platforms have automated data detection capabilities. This allows them to find identifiable patterns in text, such as IBAN, email addresses, and dates of birth. Such information, information is always confidential. This is not the case for the data belonging to the requestor, of course. You can use automation to redact any information that is confidential. In practice, these functionalities eliminate the need for a manual review of every document. This further streamlines the process.

More advanced eDiscovery solutions also include AI and analytics tools. These tools will allow you to automatically detect the names of people, places, and the like. This enables these solutions to detect the names of other individuals. It doesn't matter if their information is entwined with the person making the request. Any and all of this information can be automatically detected and redacted. The redactions made by eDiscovery solutions are permanent, but can of course be made visible during the review. That way, reviewers remain in control of the process from start to finish. 

Produce your results in an accessible format 

Once the relevant data is identified, reviewed, and redacted, only one step remains. The recipient of a data subject access request has to complete their legal obligation by providing a report to the requestor. At this final stage, eDiscovery technology can still make the difference. These platforms include production workflows and associated rules to configure the production. It doesn’t matter if it concerns a single document or entire families of documents related to the individual. Platform users can select the responsive and validated results to add them to a production workflow. Through the export production wizard, they are then able to obtain the output, imaged and redacted ready to be shared with the requestor.

eDiscovery technology provides a full audit trail of the data. This allows every redaction choice and relevance decision to be saved. If there are ever any questions regarding the methodology of the DSAR production, they can be answered without issue. 

Conclusion 

At every stage of the DSAR workflow, eDiscovery technology offers an upgrade. Supported by eDiscovery platforms, more relevant information can be found. This information is then easy to review and redact. Once the process is complete, it is simple to produce a complete and secure set of data. For organizations that value experience, eDiscovery has been around in some form since the mid-1990s. Many eDiscovery solutions are built upon decades of experience. Their abilities have been tried and tested in American courts thousands of times. ZyLAB, for example, has been in the business of finding and producing information since 1983.

As privacy awareness continues to grow across Europe, the number of data subject access requests is unlikely to go down in the future. Finding a way to optimize the process of fulfilling those requests is of the utmost importance. eDiscovery technology is able to execute DSAR workflows without much tinkering needed. It can be put in place to reduce the cost and resource drain of your DSAR program. If you’d like to know more, don’t hesitate to reach out.