Digital Subject Access Request (DSAR)
While the regulations are quite succinct about what must be done for individuals who request the information an enterprise holds about them, there are quite a few nuanced implications that should not be overlooked.
To summarize some key points:
· An established process for reviewing requests and the packaged output. This includes the criteria for ensuring positive identification of the requester.
· An established means of securing the repository that holds this collected data.
· The individual(s) tasked with collecting this information may need access to an expansive number of secure systems, and this creates a potential attack vector. This repository, and how it is created, is an ideal candidate for a DPIA (Data Protection Impact Assessment).
· It is very likely that the incidents that bring about complaints and regulatory fines will arise from DSARs that are not answered within the allotted time and/or are answered improperly.
The DSAR process and procedures are a “Team” effort involving HR, IT, Legal, Operations, Finance, Facilities, and Security. This is not to be taken lightly; it would not be wise to assign this function to a part-time administrative role. Once individuals become aware that this requirement exists, the number of requests for deletion, correction, and omission will grow.
The magnitude of the effort, and the consequences of underestimating its ramifications, are most often a very real issue. Imagine what details exist: Travel has a note saying that employee XX has to travel with a comfort pet; HR put out a newsletter with photos of the employee at the company picnic standing on a picnic table; customer details appear in invoices, paid travel to corporate outings, shipping details, and gifts ordered and sent to their home.
Along with the requirement that requests be accepted by any number of means (phone, fax, email, website form, etc.), there needs to be a timed process that is strictly adhered to. The first, and often most important, step is due diligence in verifying the identity of the requester and the validity of the request. Some firms have already run aground by failing at this step: a divorcing spouse obtained data that proved her estranged husband was not on a business trip, as he asserted, during a certain period.
Once the request is approved, every step is well defined and tied to a fixed timeline. A relevant reported KPI would include the number of requests and where each stands on the regulated timeline. Something overlooked or forgotten because of a job change or vacation is not a viable defense to Regulators.
Discipline and rigor should be baked into the process. This is not a task or a project; a comprehensive new policy and procedure is required. Reviews and approvals are essential. Intake requires an approval, once identity is validated, to ensure the appropriateness of the request. For example, data that includes information on a third party should not be included in the response without that third party’s explicit permission. Proprietary information must also be protected; for that, a fixed review team is important.
Once the information is collected, another review is necessary. Aside from creating a standard “package” to organize and deliver the information, an approval step is a must before releasing the response. A key step across the entire process is an automated means of establishing an end-to-end paper trail. “Show your work” is a pivotal concept with Regulators. Automatic reminders, ticklers, and escalation steps are a necessity.
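As an added illustration, not from the original article, here is a minimal tracker of the kind the process above calls for: each request must pass the identity, approval, and release gates in order, every transition is appended to an audit trail, and each request's position against the 30-day clock feeds the KPI. The 7-day escalation threshold, the stage names, and the sample requests are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum

RESPONSE_DAYS = 30       # response window stated in the article
ESCALATE_DAYS_LEFT = 7   # assumed threshold for the escalation "tickler"

class Stage(Enum):
    RECEIVED = "received"
    IDENTITY_VERIFIED = "identity_verified"  # due-diligence gate
    APPROVED = "approved"                    # appropriateness/scope review
    COLLECTED = "collected"
    RELEASED = "released"                    # only after the release review

# The only permitted transitions: no gate can be skipped, so nothing is collected without a verified identity and an approval on record.
NEXT = {Stage.RECEIVED: Stage.IDENTITY_VERIFIED, Stage.IDENTITY_VERIFIED: Stage.APPROVED,
        Stage.APPROVED: Stage.COLLECTED, Stage.COLLECTED: Stage.RELEASED}

@dataclass
class DSAR:
    request_id: str
    received: date
    stage: Stage = Stage.RECEIVED
    audit: list = field(default_factory=list)  # append-only "show your work" trail

    def deadline(self) -> date:
        return self.received + timedelta(days=RESPONSE_DAYS)

    def advance(self, to: Stage, actor: str, note: str, on: date) -> None:
        if NEXT.get(self.stage) is not to:  # refuse out-of-order moves
            raise ValueError(f"{self.request_id}: {self.stage.value} -> {to.value} not allowed")
        self.stage = to
        self.audit.append((on.isoformat(), actor, to.value, note))  # who, what, when, why

    def status(self, today: date) -> str:
        if self.stage is Stage.RELEASED:
            return "closed"
        left = (self.deadline() - today).days
        return "overdue" if left < 0 else "escalate" if left <= ESCALATE_DAYS_LEFT else "on_track"

def kpi(requests: list, today: date) -> dict:
    return dict(Counter(r.status(today) for r in requests))  # requests per timeline bucket

def sample_register() -> list:
    a = DSAR("DSAR-0001", date(2024, 1, 1))  # constructed sample requests, not real data
    a.advance(Stage.IDENTITY_VERIFIED, "intake", "ID matched to HR record", date(2024, 1, 2))
    a.advance(Stage.APPROVED, "privacy-officer", "scope ok; 3rd-party data to redact", date(2024, 1, 3))
    c = DSAR("DSAR-0003", date(2023, 12, 1))  # stalled request that never progressed
    return [a, c]
```

Running `kpi(sample_register(), today)` gives the headcount per bucket that a status report to management would carry, while each request's `audit` list is the paper trail for the Regulator.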
The final thought is the importance of communication. If the 30-day timeline is unlikely to be met, then the rationale needs to be communicated. Every step in the process can be supported through consistent communication, and the communications can be formatted and timed to facilitate the process.
In closing, the Regulations are not going away. If anything, a great deal more are coming. Doing it right, up front, will save significant money and frustration down the road.