How to prevent DSARs becoming a bigger problem than they need to be
Posted on 02/09/22
Responding to Data Subject Access Requests (DSARs) can be a daunting task, made more so by the 30-day response deadline imposed by the ICO. However, it doesn’t need to be stressful.
The key considerations when responding to a DSAR are:
- Where is the raw information dataset residing that needs to be initially reviewed?
- Within the raw information dataset, what data is structured (i.e., in databases) and what is unstructured (i.e., in email and collaboration systems)?
- Whether or not it is relevant to the final submission, is there likely to be other people’s personal data within either the compiled structured dataset or the unstructured dataset?
- If there is likely to be other people’s personal data contained in the dataset that is not relevant to the final submission, how are you going to identify other people’s personal data and ensure it is not included in the final disclosure?
- Is there likely to be duplicated information in the compiled dataset (e.g., emails that may have been forwarded or replied to)?
- If there is likely to be duplicated information, how can you efficiently cull the duplicated information, so you don’t waste time reviewing the same information more than once?
- Who else will you need to involve in the review process?
- How are you going to efficiently redact any company-confidential or third party personally identifiable information?
- How are you going to securely share the final disclosure?
- How are you going to ensure you meet the 30-day imposed deadline?
While this list may seem exhausting to read, it doesn’t need to raise the stress levels – let us provide some context.
Raw data
Regarding the first two points around raw information, 10% of all data is structured. This means it resides in databases, such as an HR system or a Customer Relationship Management (CRM) system, and by inference is easy to access and review.
It is the 90% of data that is unstructured, however, that can sometimes cause customers a challenge, as this normally resides in email systems, collaboration systems such as Teams, and any other system that does not have pre-defined (database) fields. Our advice to customers is to OVER COLLECT as much unstructured data as possible when conducting a DSAR: upload as many files as possible into the Smartbox.ai solution and let the technology do the heavy lifting. This reduces the risk of key information being missed and increases the quality of the final disclosure.
Personally Identifiable Information
If you know the name(s) of the people you are looking for, it’s easy to find references to them. This elementary search technology has existed for over a decade. The challenge is making sure you are not accidentally disclosing personal information of any THIRD PARTIES. Smartbox.ai solves this problem as it automatically highlights every reference to personally identifiable information, regardless of whether it relates to known people of interest or not. You can then choose to redact the information or not.
Duplication
Data duplication can cause significant wasted effort. In the studies we have conducted, 63% of all data collected for DSARs is duplicated. If this data is not deduplicated before the review process takes place, the process can seem demoralising and inefficient, as the same information ends up being reviewed over and over. A better way is to use AI technology to read the entire dataset and CULL the duplicated data automatically. This is exactly what Smartbox.ai does. This approach ensures you only review a piece of information once, saving significant time and money.
Collaboration and Review
It is often the case with DSARs that more than one person needs to be involved in the review and approval process. The challenge, however, is how to securely and efficiently share the dataset and allow multiple stakeholders to work on it. Systems like Microsoft Teams or Microsoft SharePoint help to a degree here, but they don’t have the tools needed to manipulate the data as necessary. Smartbox.ai’s collaboration capability is designed exclusively for this function and allows you to involve MULTIPLE stakeholders in the review process.
Redaction
Redacting information can be a very long process, particularly when there are multiple, and sometimes thousands of, documents to redact. One way is to review and redact one document at a time; however, this can be a mind-numbingly boring and slow process and can unnecessarily prolong the DSAR disclosure. To counter this, Smartbox.ai allows you to redact a word, phrase, or segment of information from EVERY file in your dataset with the touch of a button, saving you hours of time and reducing the risk of accidental disclosure of information that should have been redacted.
Secure disclosure
When you have redacted and prepared the bundle for disclosure, the question is how best to disclose it. You can of course use email or one of the file transfer services; however, you can very easily lose control of the disclosure and won’t always have evidence that it has been received and accessed securely. Smartbox.ai solves this problem by allowing you to send a secure link to the individual concerned. When they receive it, they simply need to click on the link and will instantly gain access to the secure disclosure from within the Smartbox.ai environment. This improves the security of the information transfer process and provides an AUDIT TRAIL that the information has been safely received.
Tracking
The final stage relates to tracking. There are some simple workflow tools you can use to track where you are with a particular DSAR; however, Smartbox.ai has inbuilt tracking functionality, allowing you to use a single solution for the entire DSAR process.
To learn more about Smartbox.ai, book a demo today.