Second-stage reviews are crucial for your data subject access requests, but they’re no mean feat for your compliance team. Aiimi Senior Product Designer Tom Rankin explains how dynamic redaction DSAR tools step this stage up a notch for fast, consistent, and transparent responses to your subject access requests.

Before sharing your organisation’s DSAR responses directly with each data request subject, your DSAR teams need to first ensure that the contents are legally safe, compliant with your organisation’s policies and procedures, and contain appropriate supporting documentation.

By maintaining these high processing standards, you’ll minimise the risk of subsequent queries or complaints from the data subject – and be readily equipped with a complete audit trail for proof of compliance in case the Information Commissioner’s Office (ICO) comes knocking.

As second-stage reviews can significantly prolong an already time-sensitive process, they could be considered a luxury option. We think it’s a risk not worth the gamble. A far better approach is to find a technology solution that helps you automate your second-stage review process for a secure but swift response.

Automating second-stage reviews – consistent, compliant, and auditable

During our DSAR user research, we found that all the organisations we spoke to employ a second-stage review to vet their proposed DSAR responses. And for good reason. Second-stage reviews facilitate dialogue between different request processors querying exactly what data they think is safe to share.

Compliance managers and heads of departments associated with specific data subject types also get an opportunity to double-check that all pertinent policies and procedures are being correctly carried out.

Employing this second-stage review process ensures that:

  • All your same subject data type processes and responses are consistent.
  • All your responses are monitored for relevant redaction, including the removal of third-party data, for each respective data subject type and related policies and procedures.
  • All DSAR responses are in an auditable and defensible state. Your request processors need to reveal their decisions to your second-stage reviewers, and your organisation needs to demonstrate its decisions to your data request subjects.
  • All these evidence-based actions will help your DSAR team assemble a transparent auditing trail in response to any future data subject complaints or ICO queries. This is crucial for data privacy and compliance. Without DSAR automation, added to some of the new challenges of working remotely, it represents a real challenge.

Specifying second-stage reviewers for expert know-how

But how do you go about automating your second-stage review process? Using the Aiimi Insight Engine’s purpose-built DSAR software, it’s really simple, as your request processor can effortlessly ‘assign’ a DSAR collection or file to a specific second-stage reviewer or data owner with expert knowledge on that particular data subject type (i.e., customer vs employee DSARs). Triggering an automated email alert, the specific second-stage reviewer is notified to step in and rapidly troubleshoot any queries – whether to redact or disclose data within that file – making it easier and quicker for your compliance team to complete that DSAR request.

At this stage, files containing personal and sensitive information can also be moved or deleted, and files can even be updated with new risk levels (from say ‘low’ to ‘very high’) for better protection and governance. As these decisions are stored for potential scrutiny by future reviewers involved in the response, this step also details a documentation trail and fosters fosters DSAR team collaboration. And you’re safe in the knowledge that only data marked for disclosure will be packaged up up as part of the final DSAR response returned to the data subject on completion.

Redacting data to mitigate risk and meet ICO deadlines

And when it comes to redacting data, as the Aiimi Insight Engine’s data subject access request software automatically discovers and highlights all personal and sensitive data within documents across your entire enterprise, your compliance team can quickly and accurately find all instances of third-party personal information for prospective redaction.

Plus, our easy-to-use ‘mark for redaction’ tool then enables your second-stage reviewer to manually redact all relevant instances with ease. Additionally, using our DSAR disclosure status tool, your compliance teams can clearly label all items in a DSAR collection with mutually exclusive review statuses, such as ‘review’ or ‘redact’.

And once the second-stage reviewer hits ‘redact and save’, a completely new file is created with the redactions in place, which is then added your DSAR collection. Although this redacted file cannot be changed by the processor, the original file stays intact and is left where it is in case of future reviews or audits, as well as to support other DSARs that may require use of the same file. Equipped with the right data subject access request solutions, redaction’s a real cinch.

Invaluable checkpoints to facilitate faster processing

So, rather than prolonging your DSAR process, the Aiimi Insight Engine’s DSAR software ensures these invaluable checkpoints actually facilitate faster interactions between your DSAR processors and reviewers. Here’s a quick summary showing how this helps your DSAR process, and mitigates the risk of data that shouldn’t be disclosed from ever leaving your secure system.

  1. You can preconfigure a list of specific second-stage reviewers (in the DSAR settings area) for each respective data subject type, so your request processor can easily share a DSAR collection directly with the most relevant second-stage reviewer (or data owner).
  2. The second-stage reviewer (or data owner) is alerted via an email notification to review the DSAR collection, and can filter all files within that DSAR collection to show only those documents that need to be reviewed, pinpointing the exact support needed. All decisions – such as ‘redactions’ or modifications to the ‘disclosure’ status are saved – as evidence for potential audits.
  3. The second-stage reviewer (or other users, such as the request processor, data owner, or compliance manager) can easily view all original files in conjunction with redacted versions, as files are automatically tagged with a ‘redacted’ status to facilitate an informed ‘review’. Users can also filter all DSARs across the board based on this ‘redacted’ status to help mitigate risk.
  4. The DSAR dashboard clearly visualises the status of this entire end-to-end DSAR process by marking each subject access data request as ‘open’, ‘processing’, ‘second-stage review’, ‘complete’, or ‘overdue’. This not only supports collaboration but also ensures that your teams take immediate action on your highest priority risks and subject data access requests, so you meet your time-sensitive deadlines and mitigate possible data subject complaints or ICO audits. This also helps your team to check any sticking points hampering your overall productivity in data access subject request process.
Diagram showing how the Aiimi Insight Engine benefits request processors, second-stage reviewers, and the data subject by helping you find all personal data, then review, redact, and disclose your response in a timely fashion that's compliant with ICO requirements.

Compliant ready-to-disclose responses

So, when it comes to carrying out consistent second-stage reviews and reducing DSAR request costs, automating the key processes and tracking every decision and redaction ever made enables your compliance team to sprint through your entire end-to-end DSAR process. Your compliance team is now liberated from having to retrace their steps to disclosure (and supply lengthy explanations) in the case of data subject complaints.

And, on account of your transparent evidence-based audit trails, your organisation can stand up to any DSAR GDPR scrutiny by the ICO. Instead, you’re now free to press ahead on processing your illimitable DSAR requests with renewed speed.

Ready for a DSAR Solution that automates your discovery, redaction, and disclosure processes? Book your 30-min demo to see the Aiimi Insight Engine in action.

Automate your DSARs end-to-end with the Aiimi Insight Engine. Click here to book your 30-min demo.