How to Improve DSR Processes
Data subject requests (DSRs) are a complex and often confusing challenge under GDPR. This article, from data privacy and IG experts at FTI Consulting, discusses ways to streamline DSR operations and ensure they don’t overwhelm legal and compliance teams.
with co-authors Nina Bryant and Tom Hiney
It’s a new year, bringing the excitement and potential that every new year brings. Fresh opportunities, clean slates, hope for successful resolutions. With the end of 2018 and the ringing in of 2019, it’s likely that your organization has been immersed in reflection of successes and shortfalls, as well as planning for the year ahead. In governance, risk and compliance, a significant portion of these musings will center on the General Data Protection Regulation (GDPR) and assessing how and to what extent the regulation will impact your organization moving forward.
The issue of data subject requests (DSRs), is a key area under GDPR that teams should be examining closely. Some organizations have already experienced their initial DSRs. If your organization is one of them, take a moment to breathe, or, depending on how the response went, allow yourself one more drink before your post-holiday detox. Fulfillment of a DSR means the organization has accomplished something new and possibly very difficult, especially if the request came from a former employee or long-time customer.
Whether the process was conducted smoothly or not – or your organization falls in the category of those who have yet to see their first DSR – the new year is an apt time to evaluate processes and improve efficiency. This includes revisiting broader information governance frameworks and implementing steps to streamline processes so that as requests flow in through the year, legal, compliance and privacy teams are not overwhelmed by them. Below are four steps to identify opportunities, mitigate regulatory risk and improve DSR processes:
1. Review DSR Intake
2. Close the Feedback Loop on Unexpected Data
To swiftly respond to a DSR, the team must be able to find personal data across the enterprise, from all sources. In many cases, unstructured data discovery tools are useful in enabling teams to quickly find what they are looking for across sources. Data may reside in the cloud, at the bottom of a data lake, in emails/attachments, in audio files, as hard copies or on IT assets not known to exist (i.e., shadow IT). The team should assess risks and controls associated with data, including where personal information should be stored, if this should be included in the data lake in the first place, access controls around that data, how to retrieve items quickly and what remediation or disposal efforts are needed. Any data that is redundant or stored beyond set retention periods should be identified and deleted. If during a DSR response, data are found in any unexpected place, ensure processing and application registers are updated or data remediated and consider how to apply more rigorous processes in the future. Regulators cannot be expected to be lenient with organizations that fail to follow best practices on data retention and disposal.
3. Be Prepared for Complex Situations
Requests can come from a disgruntled employee as a prelude to a lawsuit, by other parties to weaken the organization in the face of other disputes or on data that is under legal hold. Any number of challenging scenarios are bound to arise and potentially influence the DSR response. The team must know ahead of time how it is going to deal with challenges and uncharted waters. Often, outside counsel or other experts can be helpful in streamlining legal hold process, addressing co-mingling of personal data and establishing defensibility around retention of data that was kept for investigations, legal holds or other regulatory reasons. They can also help the team find information residing in difficult-to-access locations, such as backups, and segregate it when possible.
4. Practice Timeliness
The GDPR states that organizations must respond to DSRs within 30 days, and the life cycle of the request must also be documented. Teams should be consistently aiming to reduce response duration and avoid running up to the full 30-day timeframe. In cases where this is not possible, the organization should have a framework in place for reaching out to data subjects to request more time when needed. Forecasting the number of requests expected and allocating appropriate resources is an important step. Any combination of internal and external resources may be needed to ensure DSRs are appropriately prioritized and can be fulfilled in a timely manner.
DSRs can easily overwhelm an organization and may prove to be among the most difficult GDPR requirements to operationalize. They can hit at any time, from any data subject, and in any volume or level of complexity. The new year is a prime opportunity to build repeatable processes to deal with DSRs. Teams that that do so and implement learnings from successes and failures will be in a much better position to achieve compliance with data protection laws.
Nina Bryant is a Director at FTI Consulting in London and an expert and thought leader in Information Lifecycle Governance and Privacy. She is experienced at leading global programs to assess compliance with legal and regulatory requirements and developing and implementing solutions to reduce risk, drive cultural change and exploit the value from data and information.
Tom Hiney is a Senior Consultant at FTI Consulting, focused on GDPR compliance and implementation, HIPAA risk and gap assessment, privacy consulting, data governance consulting, project management, customer development and more.