Answering the subject access requests (SAR) that stem from Article 15 of the GDPR may be the requirement best approached by applying a bit of e-discovery problem solving and best practices
From early case assessment to legal hold notifications, there are numerous aspects of the eDiscovery toolkit which can be repackaged and repurposed for compliance to the EU’s General Data Protection Regulation (GDPR). However, answering the subject access requests (SAR) that stem from Article 15 of the GDPR may be the requirement best approached by applying a bit of eDiscovery problem solving and best practices. Rethinking the SAR as essentially an eDiscovery exercise can reduce GDPR headaches, streamline SAR response protocols, and save time and money.
So just what is a SAR? Under Article 15 of the GDPR, individual data subjects have the “right of access,” or the right to review their personal data held by a data controller, as well as the right to obtain information related to the processing activities carried out on that personal data. Data subjects are to be provided a copy of the personal data subjected to processing, as well as related processing information including:
- Purposes for processing the data;
- Categories of personal data implicated;
- Recipients of any data transfers;
- Storage period for the data;
- Details of data rectification and erasure rights;
- Details on the right to lodge a compliant with a supervisory authority;
- Data source of non-directly collected personal data;
- Existence of any automated decision making, including profiling, on the data processed.
The right of access is a critical individual right, as it enables data subjects to examine the personal data held on them by a controller, as well as confirm the necessity and legality of processing. While the GDPR expands the scope of the right of access and the nature of SARs, right of access as a data protection concept is not new or novel. Access is one of the fair information practices (FIPS) required under the 1995 Data Protection Directive (the pre-cursor to the GDPR), and SARs were a key element of the data protection legislation which implemented the directive in many EU Member States. The SAR is perhaps most notorious in the UK, where the right of access under section 7 of the UK’s 1998 Data Protection Act has been widely exercised.
Under Article 12 of the GDPR, data controllers generally are required to respond to a SAR within 1 month.
For those organizations less familiar with EU data protection law, responding to subject access requests will likely pose a number of substantial administrative burdens. SARs can arrive from a variety of data subjects: not only from customers and external individuals, but also from internal employees, ex-employees, temps, contractors, job applicants, and others. Moreover, given the extensive volumes of unstructured data (such as email) held by most business and organizations, pinpointing personal data relevant to a SAR request may involve a time-consuming and potentially expensive process fraught with practical difficulties. Bear in mind that personal data under Article 4 of the GDPR is extremely broad (“any information related to an identified, or identifiable, natural person”), much broader in scope than Personally Identification Information (PII) as defined under many U.S. state data breach laws.
Furthermore, unrelated data and irrelevant data should often be eliminated or redacted, and third-party personal data must be excluded from the information provided pursuant to the SAR, complicating matters further.
The process for searching and reviewing unstructured data and emails in response to a SAR can, and often has, taken on aspects of the eDiscovery document review process. And, indeed, there are significant advantages to be had in viewing the process as something akin to eDiscovery, establishing a SAR response protocol well-rooted in the established, standard operating procedures for handling a discovery exercise.
For example, consider approaching a subject access request with the following steps:
- The “Meet and Confer” – The access right that data subjects enjoy under the GDPR is not without limitations; in fact, the scope of the SAR response depends largely on the ask. Data controllers are only required to furnish the specific information requested. Accordingly, both GDPR Recital 63 and the subject access request guidance released by the Information Commissioners Office (ICO, or the UK data protection authority) encourages communication with a data subject to clarify the data requested and target the SAR response accordingly. Data controllers are also protected against manifestly unfounded or excessive requests, so establishing a clear communication channel with the data subject will ensure not only that the rights of the data subject will be duly honored, but also that the burden on the data controller is focused to only what is truly necessary for the specific request.
- The “Processing” – Data-mapping and data governance technologies, including those built into Cloud platform providers like Microsoft Azure and Amazon S3, can be effective in using native automation to detect personal data, PII and sensitive data. Implementing these technologies across corporate directories, databases, applications and systems can be a means of meeting a number of requirements of the GDPR. Search functionality such as pattern and regular expression (RegEx) will also greatly assist in reducing the time, cost and legwork associated with tracking down specific personal data in conjunction with a SAR.
- The “Review” – Even with automation technologies in place, a modest review of some documentation will often be necessary in connection with the SAR. Opinions on data subjects, as well as data or information related to philosophical religious beliefs, are difficult to pinpoint through automation, but are nonetheless considered personal data under the GDPR and may be relevant to a SAR. A SAR protocol that employs an experienced team or set of out-sourced personnel that can thoroughly and quickly move through a document review process, ensure proper quality control, and provide a defensible and well-rounded review of the documentation will be essential in ensuring that SAR requirements are met.
- The “Production” – The process for finalizing and ultimately providing a SAR to a requestor will often depend on the nature of the data subject making the request. However, in many cases, handling subject access requests can be streamlined by creating an automated dashboard from which individual data subjects can view the full nature and extent of personal data held in an organization’s systems. From the dashboard, the user can also acknowledge data transfers, consent to processing (where necessary), and request deletions. This approach is further underscored by Recital 63, which specifically states: “where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.” Dashboards may be populated by way of the data-mapping and data governance technologies referenced above, and a similar process can also be used to complete and fulfill the Article 30 records of processing activities requirement of the GDPR, as well.With implementation of the GDPR in just 4 months time, if your organization is still trying to get a handle on just what is involved and required under Article 15’s Right of Access, chances are you’re in trouble.
But then again, maybe not. If your organization has ever engaged in an eDiscovery exercise ahead of litigation or as part of an internal investigation, the path to compliance may be better established than you think. As with much of the GDPR, re-tooling cybersecurity, data governance, and eDiscovery best practices to spearhead and streamline the compliance is a sensible and practical means of getting the job done.
Written by Ryan T. Costello, Esq., CIPP/E Operations Manager, eTERA Consulting in Europe. Ryan can be reached at firstname.lastname@example.org.