It’s that time of year… no, not when bands of trick-or-treaters are traipsing up your walk, but when the ghoulish specters called data subject access requests (DSARs) are going to start flooding in.
If your organization has already had its first DSAR come and be completed, take a moment to breathe. Or, fix yourself a drink, depending on how the response went. Fulfillment of a DSAR means the organization has accomplished something new and possibly very difficult, especially if the request came from a former employee or long-time customer.
When ready, take time to reflect on the process of responding to the request. An examination of how the response went can be just as broad an assessment of the organization’s information governance framework.
Performing a post-mortem of the response to the request may identify opportunities for the organization to mitigate regulatory risk. Below are some questions to consider:
Was the DSAR recognized and routed as expected?
- Did the organization identify the request immediately as a DSAR? (Not all requests will mention the law permitting the request. But even then, just as in Poltergeist, "they’re heeeeere!")
- Did the request come in through the anticipated means?
- Did the request have the data you needed to verify the requestor’s identity and execute the response? (If not, determine if there are fixes to be made to the process on your end)
- Did the process provide the level of service data subjects should expect from your organization? A privacy response is like Candyman—if data subjects don’t believe in the response, it won’t have the same power.
Where did the relevant data reside?
- How was it found? (If there isn’t a way to look for personal data across the enterprise in unstructured forms, consider unstructured data discovery tools)
- Where was it and how did it get there? Was it:
- In the cloud?
- Like Jason Voorhees from Friday the 13th, chained to an anchor at the bottom of Camp Crystal Data Lake? (Consider what personal data should be included in the data lake in the first place and the access controls around that data, and how to locate it quickly and take a machete to it)
- On IT assets that were not known to exist/shadow IT?
- On endpoints? Hardcopies? Emails? In emails as unstructured attachments?
- In voicemails or audio recordings? (Consider whether transcription of audio files could provide an easy way to index and search through them for personal data, and find any that may be in A Quiet Place)
- Retained after all retention schedules had run, and not caught by your organization’s version of The Purge where open season is declared on old, redundant records? (Consider examining purging practices and secure destruction).
- On systems from an acquisition that have not been fully integrated into your organization’s ERP systems?
- Needlessly duplicated like pod people from Invasion of the Body Snatchers?
If unexpected data was found in any unexpected place, determine a way to close the feedback loop and use it as an opportunity for improvement, and impetus to apply a more rigorous process. Remember, like in A Nightmare on Elm Street, regulators will be expecting your business to be able to find personal information in all of your data, even your data dreams…
How did the response handle tricky situations?
- Was the request possibly made by a disgruntled employee as a prelude to a lawsuit, for a chance at free discovery? Did this influence the response? Should it? Remember that all work and no play made Jack Torrance a dull boy in The Shining.
- Was certain data retained for investigation, law enforcement, or insurance reasons?
- Was a legal hold involved?
- Was the data backed up and hard to access?
- Was there any co-mingling of other data subject's personal data along with the requestor's?
If this data was involved in a legal hold, burdensome to access, or was otherwise complicated to access, consider engaging with outside counsel or consultants to help streamline your legal hold process, identify data held in hard to access backups and help segregate data where possible.
Was the response timely?
- If it was close to the 30-day requirement, why was it, and what made it close? (Be glad it wasn't The Ring's seven days.)
- Can the response timeframe be shortened?
- Is the organization OK with the perception of reaching out to data subjects to request more time when needed?
- Is a contemporaneous and defensible record of the request and its response maintained in the ordinary course of business?
If the process took longer than it should, consider forecasting the number of access requests expected, to see if an adjustment in resources is necessary. Determine if using internal or external resources to examine the process in shortening the request is a high or low priority for the company.
DSARs are scary, and unfortunately, unlike Halloween, they can haunt all year long. They won’t ever be a treat, but teams that take the time to build repeatable processes for them and implement learnings from successes and failures, will make them much less tricky.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.