Data protection contraventions, remote working, and redundancies are stacking the deck against compliance and HR teams. In this four-part series, Aiimi Senior Product Designer Tom Rankin explains how the Aiimi Insight Engine automates the Data Subject Access Request process for a speedier, compliant, and more user-friendly response.

Daily news coverage of data protection violations read by our tech-savvy population is driving DSAR awareness and, in turn, more data subject request applications. This trend is currently compounded by redundancy-related employee requests, stacking unrelenting pressure on your human resource and compliance departments. And this rise in requests isn’t going to fade away any time soon. The one aspect you can control is how to optimise your DSAR strategy by automating the process. Let’s dive in to find out more about personal data access rights, cost implications for your business, and the key challenges facing your organisation – and how the Aiimi Insight Engine can help you solve them.

Counting the cost of DSARs – the impact on your business

Under Article 15 ‘The Right to Access’ of the 2018 General Data Protection Regulation (GDPR), we all have the right to access personal data – and to ask organisations whether they’re processing or storing our personal information. Partners, contractors, customers, and clients can also submit DSARs verbally over the phone or in writing via social media, email, letter, and so on.

Legally, individuals don’t have to pay a fee or mention the terms GDPR or DSAR in their request – they can simply ask for confirmation of what personal data is being held about them, why it’s being held, and how it’s being used. It’s an uncomplicated and effortless process for the individual. But for your organisation, the financial and human resource costs of processing significant numbers of requests are huge.

And you’re not alone. According to a Ponemon Institute and McDermott Will & Emery report, 80 per cent of organisations find GDPR implementation more difficult than other data privacy or security requirements. For instance, a recent survey from Gartner reported that manually processing one single DSAR costs businesses more than US$1,400 and, on average, each DSAR response takes over two weeks to process. Sound familiar? Added to this, it’s predicted that 65 per cent of our global population will have its personal data protected under modern privacy regulations by 2023, representing a rise of 10 per cent on 2020, escalating the challenges already facing your compliance teams. Plus, as we’re all too aware, there’s the added risk of data subject complaints, and draconian penalties if your business fails to process requests correctly or within the Information Commissioner’s Office (ICO) timeframe, along with reputational damage. It’s a collective uphill struggle, and no organisation is immune.

Managing DSARs – the problem with manual processing

So, it comes as no surprise that your compliance and HR teams need to manage your DSAR process with utmost care and speed. Your teams must accurately log each request – regardless of its wording, file type, or source system – notify each data subject that their request has been received, find the personal data they need to process the request, track its development across the entire end-to-end cycle, and finally disclose the DSAR response quickly and compliantly to the individual within the one-month breathing period.

Diagram of the end-to-end DSAR process, with input from the Organisation, ICO, and technology (the Aiimi Insight Engine). The DSAR process: Identifying the Data Subject Type, reviewed by Compliance Manager, passed to correct Request Processor, reviewed for accuracy and redaction by a Second-Stage Reviewer.

This is a tough call and, as the sheer number of DSARs being lodged climbs ever higher, it’s not going to get any easier. If your organisation is manually tracking and tracing all your DSAR requests and manually searching for all the relevant personal data you’ve got on file from a multitude of structured (e.g., documents, spreadsheets, and databases) and unstructured (e.g., emails, recorded telephone or video conversations, texts, and social media posts) sources, you’re facing a vastly time-consuming and resource-heavy challenge – and it’s near impossible to be 100% sure that you’ve discovered every single nugget of personal data that needs to be disclosed. So, finding an automated system that drives your end-to-end DSAR process is a key consideration, empowering your teams to successfully process and disclose compliant DSARs on time, every time, no holds barred.

Processing DSARs – the solutions to simplify, speed up, and audit your requests

Given that each DSAR is unique, and the decision-making loop involves so many of your key employees, your business is challenged with maintaining a consistent process and response for all your requests. To better understand this collaborative effort and help address any sticking points along this user journey, here at Aiimi, we reached out to a broad range of organisations to find out more about the complexities of their DSAR processes.

Through speaking to compliance managers, heads of departments, and request processors, we found that as no two DSARs are ever the same, you need to consider three key variables when processing your DSARs. Each comes with its own challenges and solutions, which we’ll be covering in more detail in our subsequent three DSAR blogs. In summary:

  1. DSARs are submitted by a wide range of data subject types, ranging from employees, through customers, to job applicants, and so on. Not all your request processors will necessarily be equally familiar with the nuances of processing each data subject type. And sensitive personal data may well be saved in many formats and scattered across a wide range of different repositories and diverse systems. Discovering, extracting, and collating all that data into a single DSAR Collection is a real challenge. So, it’s important that you automate your search and discovery to share knowledge across your organisation. This will simplify and speed up your DSAR process.
  2. Every request is different, and each data type is specifically related to its data subject. So, you need to ensure that data marked for disclosure is reviewed by your head of department and/or compliance manager to ensure it can be safely disclosed in its current format – and that no third-party or compromising information is included. To do this effectively, you need to automate your redaction, review, and disclosure process to govern your decision-making for a more auditable response.
  3. Third, all your disclosed DSAR information should be supported by a covering letter contextualising the response and, if necessary, explaining why you’ve removed or redacted specific data. Your disclosed data also needs to be supplied in a consumable format, alongside our policies and procedures documentation, and shared in one complete package using a secure method of delivery. For this to happen, you need to automate your supporting documentation process to deliver consistent responses.

Automating DSARs – the streamlined collaborative user experience

The only way to approach the spiralling time and cost drain of DSAR requests is to replace any laborious and costly manual processing you have in place with a more intuitive, user-focused, and automated system. And to achieve this, we’ve developed and added a whole host of new features to our Aiimi Insight Engine, each carefully crafted to support all your employees. At the end of play, adopting a collaborative and consistent end-to-end user experience will enable you to carry out more timely and compliant data subject responses.

During our three subsequent blogs, we’ll delve deeper into how your organisation can facilitate an automated search and discovery strategy to enhance knowledge sharing across your teams; automate your data privacy and compliance processing for best-practice auditable decision-making; and automate your disclosure process to deliver a more consistent DSAR response. Whichever way you cut it, automation is the name of the game, streamlining your entire DSAR-processing user journey.

Ready for a DSAR solution that automates your discovery, redaction, and disclosure processes? Book your 30-min demo to see the Aiimi Insight Engine in action.
