For compliance, internal investigations, and legal departments, the GDPR created a whole set of new obligations. Not only do data breaches have to be reported, but all subjects whose information has been breached must be informed.Additionally, it is now possible for any citizen of the European Union to issue a “Subject Access Request” or a “Right to be Forgotten Request”.
Under the GDPR, individuals have the right to access their personal data, which is commonly referred to as a Subject Access Request, or issue a Right to Be Forgotten request. Individuals may make such subject access request verbally or in writing. You then have one month to respond to that request. In most cases, you cannot charge a fee to deal with a request. Prior to GDPR, there were many grounds on which such a request could be refused, however under Article 15 of the GDPR, the rights of the data subjects have significantly grown.
As a result, we have seen a steep increase in the number of such requests all over Europe. Where article 15 of the GDPR was designed to help concerned citizens to get more access to their personal data, it is now also (ab)used by upset employees or dissatisfied customers in legal disputes. As the cost of such request can be enormous to a company, it is considered to be an effective tool to force the other party into a higher settlement in legal disputes.
A typical request consist the name of the person (including various spelling variations and nick-names) and then all kinds of information they are interested in. This could be data related to a job application, credit application, or project they participated in. All such data then needs to be collected, processed, reviewed and produced in a common format (often PDF) and disclosed to the requestor.
During the review, a large part of the work is related to protecting confidential information from the company and personal data from other data subjects. This can be done by anonymization or pseudonymization, a process similar to that of public records requests as known to public organizations.
Either subsequently or additionally, a data subject can request erasure of the data from a data controller (which needs to be done within a month!), provided the data meets any of the following conditions:
- The data is no longer needed;
- The subject withdraws previously granted information to process their personal data;
- The subject exercises their right to object to the processing of their data;
- The data is unlawfully used by the Data controllers and/or processors;
- Data has a legal requirement for retention;
- The data was collected when the data subject was a child.
There are some exceptions such as compliance, legal requirements to hold data or matters of national security or public interest, but one should not seek to use such exceptions lightly.
So, in general, a subject access request means a lot of work for your organization, and when you are not prepared or you do not use technology, it can also be very disruptive, and can get expensive if you do not meet the deadlines or requirements.
Using eDiscovery technology to deal with Subject Access Request can help you tremendously:
- Collect information directly from the relevant sources (office 365, email boxes, file shares, projects in SharePoint);
- De-duplicate the information: up to 80% of all documents are duplicates, eliminating those automatically saves a huge amount of work;
- Automatically unpack containers of files (ZIP, PST, NSF) and make every individual component searchable;
- Enrich non-searchable data such as images, scans, non-searchable PDF’s or audio so truly every component can be searched;
- Analyze, classify and organize information for fast review;
- Use auto-redaction to anonymize or pseudonymize personal and confidential information;
- Automatically convert all electronic file formats to one common format and burn in redactions.
In short, using smarter technology leads to better, faster, more efficient and less disruptive handling of GDPR subject access requests.