Oyster IMS offers a unique and proven solution
Experience
We have many years’ experience in the information governance arena, supporting clients with DSARs and other data protection services.
Full solution
We bring together a blend of strong consulting skills, practical advice and technical capabilities, backed by an expert support team.
Scale
Our team will allow you to scale up your DSAR response capabilities to cope with increased demand in volume and complexity.
Partners
We work only with the very best partners in the field of data protection, search and disclosure, offering clients a number of engagement and deployment choices.
This high-level summary shows some key features that a DSAR management process should include.
Organisations are reporting a number of significant challenges in achieving an end-to-end DSAR solution, including:
Increasing volume
External factors are causing significant increases in the volume of DSARs being received. This is driving pressure on limited resources, leading to higher costs and increasing the risk of non-compliance. A survey by Guardum found that 75% of organisations are having difficulty meeting these compliance obligations.
Complexity
DSARs frequently create an obligation for expert review, which might include advice on disclosure and redaction. Some requests entail careful consideration of sensitive data, as well as an understanding of the implications for third parties and legal representatives.
Accuracy
The accidental disclosure of a third party’s Personal Data, or the release of privileged, confidential or business-sensitive material, is harmful to business interests and may be considered a data breach.
Urgency
Failure to respond promptly to a DSAR can result in a fine, and there is a 30-day deadline to comply. Without an efficient DSAR solution, this tight deadline can cause problems. The Guardum survey reported that 48% of DSARs take over 30 days to complete.
Cost
Organisations receiving DSARs face increasing costs when scaling up, due to limited, expensive resources and inflexible processing solutions.
Locating data
Operations and IT departments will often struggle to identify, locate and collect Personal Data held in unstructured systems and spread over multiple repositories. How do you know if you have found it all?
Processes and workflows
Manual DSAR processing is no match for a technology-supported solution. Manual processing alone is much more expensive, time-consuming, risky and stressful.
A complete solution
A ‘plug-in’ technology alone cannot address these DSAR challenges. DSARs must be handled within the overall scope of the GDPR, so it is essential to employ qualified expertise with a deep understanding of the subject, as part of a bespoke technology-supported solution.
It’s a process that needs managing.
It might be possible to manage DSARs using emails and message templates for internal and external communications, with spreadsheets for record-keeping and calendar entries to ensure timely processing. However, this approach is suited only to low-volume applications and much smaller organisations. An increasing volume of DSARs will drive up resource costs and introduce risks to both performance and compliance.
So, once planning, policies and procedures are established and you have completed your data mapping, it is far more reliable and cost-effective to use an integrated, scalable system to manage all the processing.
Oyster IMS recommends the OneTrust Data Subject Rights Management platform, which our clients use to streamline the handling of DSARs and automate as much as possible of the process.
Our team are experienced and accredited in the setup, usage and ongoing support of this powerful and effective DSAR solution.
OneTrust offers a unified application to control and streamline the management of DSARs for all organisations, covering these key functions:
The critical step of locating information can be addressed by manual searches across all your repositories, or by using an automated “discovery module”, or can be provided as an expert discovery service using specialist tools.
We can help you to understand the pros and cons for each approach to locating personal information for a DSAR response.
Book an online demo of our DSAR processing solution
Oyster IMS works with partners including technology experts and sector specialists to provide bespoke, end-to-end DSAR solutions for our clients.
Technology to Power Privacy, Security and Trust
OneTrust technology powers privacy, security and trust programs. More than 5,000 customers use OneTrust to build integrated programs that comply with the GDPR, ISO27001, CCPA, LGPD, PDPA and hundreds of the world’s privacy and security laws.
A trusted solution provider to legal and compliance departments worldwide
Data Sourcing, Searching, and Collection
Forensically collect the content from the relevant sources the DSAR pertains to. Morae can do this at scale and across any source including iManage Work.
If you have any questions about DSARs, please contact us for advice.
What is a Data Subject Access Request, or DSAR?
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.
Individuals may exercise the right by making a written ‘Data Subject Access Request’, or DSAR.
How can a DSAR be made?
An individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point.
A request does not have to include the phrase ‘subject access request’ or mention Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data. Therefore you may need to consider which of your staff who regularly interact with individuals may need specific training to identify a request.
Additionally, it is important to write and implement a policy for recording details of the requests you receive, particularly those made by telephone or in person.
Do we have to reply to a DSAR?
In almost all cases the answer is “yes”.
If a request is within the scope of the Data Protection Act (there are a few exemptions), you are required to comply and must provide the information requested.
You can also refuse to comply with a subject access request if it is:
In order to decide if a request is manifestly unfounded or excessive you must consider each request on a case-by-case basis. You should not have a blanket policy.
You must be able to demonstrate to the individual why you consider the request to be manifestly unfounded or excessive and, if asked, explain your reasons to the Information Commissioner.
How long do we have to respond to a DSAR?
You must comply with a request without undue delay and at the latest within one month of receipt of the request or (if later) within one month of receiving any information requested to confirm the requester’s identity.
You should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month.
What steps should we take before we respond to a DSAR?
If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality.
You need to let the individual know as soon as possible that you need more information from them to confirm their identity before responding to their request. The period for responding to the request begins when you receive the additional information.
If you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request. However, this does not affect the timescale for responding – you must still respond to their request within one month.
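The deadline rules above (one month from receipt, counted to the corresponding calendar date in the next month, or one month from receiving requested identity information if that is later) as an added worked example; this is not code from Oyster IMS or OneTrust. It assumes, following ICO guidance rather than anything stated on this page, that when the next month has no corresponding date the deadline falls on the last day of that month.

```python
import calendar
from datetime import date
from typing import Optional


def one_month_after(start: date) -> date:
    """Corresponding calendar date in the following month.

    Assumption (ICO guidance, not stated on this page): if that date does
    not exist, e.g. 31 January -> "31 February", the deadline is the last
    day of the following month instead.
    """
    if start.month == 12:
        year, month = start.year + 1, 1
    else:
        year, month = start.year, start.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def dsar_deadline(received: date, identity_info_received: Optional[date] = None) -> date:
    """Statutory response deadline for a DSAR.

    The clock starts on the day the request is received, working day or
    not. If identity information was requested and arrives later, the
    deadline is one month from that later date (the later of the two).
    Asking the requester to narrow a large request does NOT move the date.
    """
    deadline = one_month_after(received)
    if identity_info_received is not None and identity_info_received > received:
        deadline = max(deadline, one_month_after(identity_info_received))
    return deadline


def days_remaining(today: date, deadline: date) -> int:
    """Negative when the request is already overdue."""
    return (deadline - today).days


if __name__ == "__main__":
    # Constructed sample: request received 31 Jan 2024, ID confirmed 5 Feb 2024.
    d = dsar_deadline(date(2024, 1, 31), date(2024, 2, 5))
    print("Respond by", d, "-", days_remaining(date(2024, 2, 20), d), "days left")
```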
Who can make a DSAR?
The GDPR does not prevent an individual making a subject access request via a third party. Often, this will be a solicitor acting on behalf of a client, but it could simply be that an individual feels comfortable allowing someone else to act for them. In these cases, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement.
The Information Commissioner’s Office provides more detailed guidance on third party DSARs and on requests for information about children.
What should we provide when we respond to a DSAR?
An individual is entitled only to their own personal data, and not to information relating to other people (unless the information is also about them or they are acting on behalf of someone). Therefore, it is essential that you establish whether the information requested falls within the definition of personal data.
In addition to a copy of their personal data, you must also provide individuals with the following information:
Who should manage the response to a DSAR?
Responsibility for complying with a subject access request lies with your organisation, as the data controller.
Your DPO will generally be responsible for fulfilling a DSAR. If you haven’t appointed a DPO, the responsibility should be given to someone with up-to-date data protection knowledge and training in GDPR compliance.
If you don’t have the internal expertise, qualifications and practical experience in this area of data protection you could be well advised to get some professional support.
If you use a processor, you need to ensure that you have contractual arrangements in place to guarantee that subject access requests are dealt with properly, irrespective of whether they are sent to you or to the processor. You may not extend the one-month time limit on the basis that you have to rely on a processor to provide the information that you need to respond.
What happens if we fail to respond to a DSAR?
To fail to respond to a DSAR is to break the law.
Under the Data Protection Act 2018, fines of up to €20 million, or 4% of a business’ annual global turnover in the preceding financial year, whichever is higher, could be imposed by the ICO for non-compliance with data subject access requests.
So far, the practice employed by the ICO is to issue an enforcement notice, before taking legal and punitive actions.