DSARs can be a significant administrative and financial burden for organizations in the UK. A typical response for a mid- to large-scale DSAR is traditionally best served by following the well-trodden path of the Electronic Discovery Reference Model (EDRM), from collection of data to processing, search term application, review and redaction and finally, production to the requestor in via a Disclosure bundle of PDF files.
Get the guide: Comprehensive Guide to Data Subject Access Requests (DSARs)
This model has existed for many years and is favoured for its defensibility and ubiquity. However, there are risks associated with applying the EDRM model in a DSAR response – and many DSAR service providers seem to overlook that there is an alternativeto the traditional model response that cuts cost, time, and risk.
Below, I’ll explain the risks and burdens inherent in the conventional approach to DSAR response, and how using the extracted text method reduces these.
The increasing burdens of DSAR response
Today, it is increasingly common for former employees and customers to submit DSARs as a precursor to or even alongside litigation or dispute procedures.
Contributing factors include:
- DSARs are commonly made by employees, ex-employees, or customers, who may use the process as an evidence-gathering operation.
- Organizations have reported a significant rise in the number of DSARs over the last few years. The Information Commissioner’s Office (ICO) indicates that complaints regarding the right of access make up the majority of data protection complaints.
- Processing DSARs can be a costly and time-consuming exercise because of the large amount of data involved.
- Organizations must dedicate resources to identifying, locating, reviewing, redacting, and appropriately presenting the requested data within a one-month timeframe.
- Organizations dealing with DSARs internally will need to dedicate resources to both identifying and locating the requested data, and reviewing, redacting and appropriately presenting it – all within a one-to-three month timeframe.
Related: How to Submit a Data Subject Access Request (DSAR) + Example DSAR
Challenge: The EDRM model and the risk of redactions
The fact that the EDRM model is familiar territory to law firms has no doubt accelerated its application to the DSAR model. However, there is inherent risk associated with applying the EDRM model in a DSAR response – primarily relating to redactions.
Related: How to Respond to a Data Subject Access Request (DSAR) 📚
Redactions are slow, labour-intensive, and error-prone. A single missed redaction which reveals third-party personal data, or confidential information, to the data subject, can at best cause embarrassment to the data processor, and at worst constitute a data breach in its own right.
Bringing in additional quality control and rigour around processes can help to mitigate some risk, but there are challenges here, as well. It can mean needing to devote additional resources, which means either introducing an additional cost or further limiting the productivity of the organization or firm as resources get reallocated to addressing the DSAR.
These steps can also add additional time onto an already time-sensitive process, essentially adding more risks in an attempt to mitigate them. Remember that both the GDPR and CCPA have stringent requirements in regards to the timing of a DSAR response. While a necessary step, additional quality control and rigour around processes can also add time into the process — time that may not be available to remain GDPR or CCPA compliant.
Related: Data Subject Access Requests (DSARs) for GDPR and CCPA Compliance
Understanding the ICO’s DSAR expectations is key
The UK’s Information Commissioner’s Office (ICO) offers a lifeline in their guide to organizations about how information is supplied to the requester.
The right of access enables individuals to obtain their personal data rather than giving them a right to see copies of documents containing their personal data. You may therefore provide the information in the form of transcripts of relevant documents (or of sections of documents that contain the personal data), or by providing a print-out of the relevant information from your computer systems. While it is reasonable to supply a transcript if it exists, we do not expect controllers to create new information to respond to a DSAR. Although the easiest way to provide the relevant information is often to supply copies of original documents, you are not obliged to do so.
This represents a completely different approach, one that doesn't involve document reproductions, redactions, over-disclosure, or duplication of effort. There is no requirement that original documents be shared as part of the DSAR response, meaning that the effort and risk associated with redactions can be avoided entirely with the extracted text method.
Reduce DSAR response time and risk: The extracted text method
Rather than collecting, redacting, and then producing redacted copies of documents containing the subject's personal data, the data processor can copy the subject’s personal data, as found in their records, to a new document and provide that instead.References to the source material can be included as needed, but the source material itself can be omitted, eliminating the need for redaction as well as the potential risks it can introduce.
There's no risk of further data breaches down the line and the only administrative burden is the approach to the collection, hosting, and subsequent deletion of the documents.
Prioritize DSAR efficiency and risk reduction with DISCO
At DISCO, we encourage our clients to consider efficiency as a primary driver in any disclosure matter, and the extracted text method to DSAR compliance represents just that.
Whenever possible, we will recommend the best solution for our clients, and our dedicated review management and professional services teams are on hand to assist in exploring these options. Learn more about partnering with DISCO for your DSAR needs.
Did you know? DISCO Ediscovery can also be a vital tool in streamlining DSAR response while reducing costs, thanks to its dethreading, deduplication, and mass redaction capabilities.
Preparing DSAR responses with DISCO Ediscovery also ensures compliance. In accordance with the GDPR, DISCO's Data Processing Addendum, including the EU Standard Contractual Clauses (SCCs), is incorporated into customer agreements as a standard practice. DISCO is also certified through the Data Privacy Framework with respect to US/EU data transfers. These documents and the associated technical and security measures support DISCO's compliance with the GDPR.
.png)
