
DSAR Best Practices and Workflows an Organization Should Follow

In my previous post, I outlined the process involved in actually responding to a DSAR. In this final article of the series, I will discuss the best practices and workflows your organization should follow when responding to DSAR requests.

Generally, “controllers” are responsible for responding to DSARs, and “processors” assist them in handling the requests. Here are my recommendations for best practices in responding to DSARs to ensure General Data Protection Regulation (GDPR) compliance:

Review and Update Privacy Notices and Policies

The GDPR requires organizations to inform data subjects of their rights. Companies need to make sure that their existing policies comply with the new entitlements given to data subjects by the law, including the right to:

  • Obtain certain information from the controller beforehand, and without asking for it
  • Be made aware of whether a controller is processing their data and how it was collected
  • Request that inaccurate personal data about them be rectified, with communication regarding the rectification made to each recipient of the data
  • Demand that their personal data be erased and no longer processed (right to be forgotten)
  • Ask the controller to restrict the processing of their data
  • Receive their data in a structured, commonly used format for transmission elsewhere (data portability)
  • Object to the handling of their data at any time (in certain circumstances)
  • Not be subject to decisions based solely on automated processing
  • Withdraw consent at any time during processing

In certain circumstances, EU member states may pass legislation to limit DSAR requests under local law. One example of this is the UK’s Data Protection Act of 2018.

Create and Implement a DSAR Process

Your company needs to have a process in place to address:

  • How you will enable DSARs, e.g., offering a standardized online form for submission
  • What those who receive DSARs will be required to do
  • How requests to obtain or delete data will be processed
  • How to efficiently and securely handle responses to the data subject

According to the GDPR, controllers must demonstrate compliance with the law and monitor the requests received. This should be done by tracking how many DSAR requests are made each month, how many requests are being accepted and rejected, and prioritizing the oldest requests to ensure that a response is made within one month, as required by law. Monitoring your process will allow you to revise it if necessary, allocate the appropriate amount of resources, and identify any gaps in your workflow.

Weigh Your Options for Hosting and Automation

You will need to consider your hosting options for providing the data to the requestor: either in-house servers hosted behind the organization’s firewalls, or externally through the use of a communication portal.

Automation can often be seamlessly integrated into your internal systems, and can be extremely helpful in the handling of DSARs by ensuring that:

  • Critical deadlines are met
  • Requests are verified
  • Data exempt from disclosure requirements is identified
  • Assignments to facilitate responses are made
  • Extensions are requested promptly
  • You are tracking your response process
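The monitoring described earlier (counting requests per month, tracking accepted and rejected outcomes, prioritizing the oldest requests against the one-month deadline) and the deadline tracking in the automation list above can be implemented as a small DSAR register. This is an added Python example, not code from the original post; the request records are constructed sample data and the reference numbers are hypothetical.

```python
import calendar
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

def one_month_after(received: date) -> date:
    """Deadline one calendar month after receipt; if the same day does not exist
    in the next month (31 Jan -> Feb), clamp to that month's last day."""
    year, month = (received.year + 1, 1) if received.month == 12 else (received.year, received.month + 1)
    return date(year, month, min(received.day, calendar.monthrange(year, month)[1]))

@dataclass
class Dsar:
    ref: str
    received: date
    status: str                    # "open", "accepted" or "rejected"
    closed: Optional[date] = None  # date the response was sent, if any

    def due(self) -> date:
        return one_month_after(self.received)

def prioritize_open(requests: List[Dsar], today: date) -> List[Tuple[str, date, int]]:
    """Open requests oldest-first as (ref, due date, days left); negative = overdue."""
    rows = [(r.ref, r.due(), (r.due() - today).days) for r in requests if r.status == "open"]
    return sorted(rows, key=lambda row: row[1])

def late_closures(requests: List[Dsar]) -> List[str]:
    """Refs of requests that were answered after their statutory deadline."""
    return [r.ref for r in requests if r.closed is not None and r.closed > r.due()]

def monthly_outcomes(requests: List[Dsar]) -> Dict[str, Dict[str, int]]:
    """Accepted/rejected counts keyed by month of receipt (YYYY-MM)."""
    out: Dict[str, Counter] = {}
    for r in requests:
        if r.status in ("accepted", "rejected"):
            out.setdefault(r.received.strftime("%Y-%m"), Counter())[r.status] += 1
    return {month: dict(c) for month, c in sorted(out.items())}

# Constructed sample register; these are not real requests.
SAMPLE = [
    Dsar("DSAR-001", date(2023, 1, 31), "open"),                         # due 28 Feb
    Dsar("DSAR-002", date(2023, 2, 10), "open"),                         # due 10 Mar
    Dsar("DSAR-003", date(2023, 1, 5), "accepted", date(2023, 1, 25)),   # on time
    Dsar("DSAR-004", date(2023, 1, 12), "rejected", date(2023, 2, 15)),  # due 12 Feb, late
    Dsar("DSAR-005", date(2023, 2, 3), "accepted", date(2023, 2, 20)),   # on time
]

if __name__ == "__main__":
    print(prioritize_open(SAMPLE, date(2023, 3, 2)), late_closures(SAMPLE), monthly_outcomes(SAMPLE))
```

Run on 2 March 2023, the open queue lists DSAR-001 first as already overdue, and the late-closure check surfaces DSAR-004 as a response sent after its deadline.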

Freeing up your team from manually tracking and storing data will increase efficiency, cut operational overhead, enable a more accurate response, and prevent your organization from wasting time on inauthentic DSAR requests.

Educate Employees

One of your biggest challenges will probably be how to train critical employees. Those requiring training will likely include:

  • Support personnel and other employees who receive the requests
  • Those who will be responsible for implementing the requests
  • Your internal privacy team

To minimize the risk of costly sanctions for noncompliance, your staff will need to understand the importance of prompt response to a DSAR request.

Do you know of any other best practices to follow when responding to DSAR requests? Tell us about them in the comments!

About the Author

Jason Velasco
Founder/eDiscovery & Information Governance Advisor at eDiscovery Advisory
Jason Velasco is an electronic discovery industry veteran with more than 20 years of experience assisting organizations conceptualize, initiate, manage and complete big-picture transformation in electronic discovery, information governance, and data compliance solutions.

Jason is the founder and lead advisor for the eDiscovery Advisory practice providing valuable and insightful guidance to eDiscovery and Information Governance challenges.

He has direct in-house experience with a global financial institution and a financial regulator developing solutions around eDiscovery workflows, legal hold, legacy data, and matter management systems.

He has conducted more than 350 computer forensic examinations for civil litigators and has provided expert witness services related to electronic evidence topics and data preservation issues.

Jason has also conducted more than 700 CLE courses on topics such as eDiscovery, document retention, preservation archiving, collection methodologies, email archiving and compliance, effective communication with IT, and the technical aspects of electronic evidence.

Jason is currently certified as a Certified eDiscovery Specialist (ACEDS), Information Governance Professional (ARMA), AWS Cloud Practitioner (Amazon), & O365 MS-900 (Microsoft).