10 Oct 2019
How GDPR Data Subject Access Requests can become a nightmare for clients of expert calls
Legal disclaimer: All information in this article is general information only. It is not intended to constitute legal advice, nor is it intended to address your specific requirements. Organizations should take independent legal advice regarding their own provisions for data protection.
Imagine that an expert in one of your past projects sends an email asking to get access to all the personal data that your organization holds on her: a much-dreaded Data Subject Access Request (DSAR) under GDPR.
That doesn’t sound too bad, one might think.* Well, think again. Personal data under GDPR is much more than just name, address and phone number. In fact, it’s any information relating to an identified or identifiable natural person. Information such as work history, biography and biometric information all qualify as personal data, even if the person’s name has been removed from the record.
As soon as you download an Excel file with expert profiles, add comments to it or email it to your colleagues, your company becomes a data controller of that data. And as a data controller, your company is required to respond to DSARs from individuals within one month of receipt.
The DSAR process
In order to respond to the DSAR within the given timeframe, you need to have a structured workflow in place. Preparation is key, and organizations that are ready and aware of which steps need to be taken will save a lot of time and resources.
The first thing you need to do when you receive a DSAR is to verify the identity of the requestor, making sure that the individual behind the claim is really the person he or she claims to be. This can be done in several ways, for example by requesting a copy of the requestor’s ID.
The next step is to identify which data is covered by the DSAR. At this stage, you need to ask yourself the following questions:
Which information is requested: all information that mentions the individual, or only certain records?
Are all of the requested files readily available?
Where are they available? Emails, databases, cloud storage, hard drives, local storage, removable media, hard copies, phone recordings?
What departments and/or personnel have access to these sources?
Do we have backups? Who in the team might have a local backup?
Are any of the documents classified or intellectual property of the company?
The collection phase encompasses gathering all of the potential sources within scope into one central repository. The IT department will play a significant role in the collection exercise, but they will need cooperation from other departments and personnel. All steps and decisions made should be documented, as they may be required if the completeness of the DSAR is queried by the requestor or the authorities.
Once the data is collected, the next step is to review it and eventually hand it over to the requestor. Some of the things that you need to take into account in this step are:
Who is responsible for reviewing the data before it is sent over?
Does the review team have an adequate level of knowledge in the privacy domain?
Who will make the final decisions on privileged or confidential documents?
How Inex One can support your DSAR process
Inex One allows you to manage all your expert network contacts within one platform. You can review expert profiles, add internal team notes, and schedule calls, all without having to download a single spreadsheet. All data is processed within a closed and encrypted ecosystem, meeting the highest international standards.
In case of a DSAR, the Inex One Information Security Team is there to give you the support you need to identify and collect the requestor’s personal data. A DSAR can impose significant costs and administrative burdens on an organization. Having a structured plan and smart technology in place will help significantly, and reduce the risk of non-compliance. Contact us to learn more.
*The GDPR impacts organizations in the EU/EEA, and any organization that processes data of EU residents (such as holding personal data of an individual engaged in an expert call).