Data protection contraventions and remote working are stacking the deck against compliance and HR teams. In this four-part series, Aiimi Senior Product Designer Tom Rankin explains how the Aiimi Insight Engine automates the Data Subject Access Request process for a speedier, compliant, and more user-friendly response.

Daily news coverage of data protection violations read by our tech-savvy population is driving DSAR awareness and, in turn, more DSAR request applications. This trend is currently compounded by redundancy-related subject access requests from employees, stacking unrelenting pressure on your human resource and compliance departments. And this rise in requests isn’t going to fade away any time soon.

The one aspect you can control is automating your entire DSAR process using purpose-built data subject access request software.

Let’s dive right in to find out more about personal data access rights, cost implications, and the key challenges facing your organisation – and how our DSAR Solution can help you resolve them.

Counting the cost of DSARs – the impact on your business

Under Article 15 (Right of Access) of the UK General Data Protection Regulation (GDPR), we all have the right to access personal data – and to ask organisations whether they’re processing or storing our personal information. Partners, contractors, customers, and clients can also submit data subject access requests verbally over the phone, or in writing via social media, email, letter, and so on.

Legally, individuals don’t have to pay a fee or mention terms such as GDPR or DSAR in their subject access request – they can simply ask for confirmation of what personal data is being held about them, why it’s being held, and how it’s being used. It’s an uncomplicated and effortless process for the subject. But for your organisation, the financial and HR costs of processing significant numbers of data subject access requests are huge.

And you’re not alone. According to a Ponemon Institute and McDermott Will & Emery report, 80% of organisations find GDPR implementation more difficult than other data privacy management or security requirements. For instance, a recent survey from Gartner reported that manually processing one single DSAR costs businesses more than US$1,400 and, on average, each DSAR response takes over two weeks to process. Sounds familiar?

Added to this, it’s predicted that 65% of our global population will have its personal data protected under modern privacy regulations by 2023, representing a rise of 10% on 2020, escalating the challenges already facing remote-working compliance teams.

Plus, as we’re all too aware, there’s the added risk of data subject access request complaints, and draconian penalties if your business fails to process DSARs correctly or within the Information Commissioner’s Office (ICO) timeframe, along with reputational damage. It’s a collective uphill struggle, and no organisation is immune.

Managing DSARs – the problem with manual processing

So, it comes as no surprise that your compliance and HR teams need to establish a sound data subject rights management process to expedite subject access requests. This way, your teams can accurately log each request – regardless of its wording, file type, or source system – acknowledge receipt of each data subject access request, find the personal data they need to process the request, track its development across the entire end-to-end cycle, and finally disclose the DSAR response quickly and compliantly to the individual within the one-month breathing period.

Diagram of the end-to-end DSAR process, with input from the Organisation, ICO, and technology (the Aiimi Insight Engine). The DSAR process: identifying the Data Subject Type, reviewed by Compliance Manager, passed to correct Request Processor, reviewed for accuracy and redaction by a Second-Stage Reviewer.

This is a tough call and, as the sheer number of DSARs being lodged climbs ever higher, it’s not going to get any easier. If your organisation is manually tracking and tracing all your DSAR requests and manually searching for all the relevant personal data you’ve got on file from a multitude of structured (e.g., documents, spreadsheets, and databases) and unstructured (e.g., emails, recorded telephone or video conversations, texts, and social media posts) sources, you’re facing a vastly time-consuming and resource-heavy challenge – and it’s near impossible to be 100% sure that you’ve discovered every single nugget of personal data that needs to be disclosed.

So, finding an automated system that drives your end-to-end DSAR process is a key consideration, empowering your teams to successfully process and disclose compliant DSARs on time, every time, no holds barred.

Processing DSARs – the solutions to simplify, speed up, and audit your requests

Given that each DSAR is unique, and the decision-making loop involves so many of your key employees, your business is challenged with maintaining a consistent process and response for all your requests. To better understand this collaborative effort and help address any sticking points along this user journey, here at Aiimi, we reached out to a broad range of organisations to find out more about the complexities of their DSAR processes.

Through speaking to compliance managers, heads of departments, and request processors, we found that as no two DSARs are ever the same, you need to consider three key variables when processing your DSARs. Each comes with its own challenges and solutions, which we’ll be covering in more detail in our next three DSAR blogs. In summary:

  • DSARs are submitted by a wide range of data subject types, ranging from employees, through customers, to job applicants, and so on. Not all your request processors will necessarily be equally familiar with the nuances of processing each data subject type.
  • Personal data may well be saved in many formats and scattered across a wide range of different repositories and diverse systems. Discovering, extracting, and collating all that data into a single DSAR Collection is a real challenge. So, it’s important that you automate your search and discovery to share knowledge across your organisation. This will simplify and speed up your DSAR process.
  • Every request is different, and each data type is specifically related to its data subject. So, you need to ensure that data marked for disclosure is reviewed by your head of department and/or compliance manager to ensure it can be safely disclosed in its current format – and that no third-party or compromising information is included. To do this effectively, you need to automate your redaction, review, and disclosure process to govern your decision-making for a more auditable response.
  • All your disclosed DSAR information should be supported by a covering letter contextualising the response and, if necessary, explaining why you’ve removed or redacted specific personal data.
  • All your disclosed data needs to be supplied in a consumable format, alongside your policies and procedures documentation, and shared in one complete package using a secure method of delivery. For this to happen, you need to automate your supporting documentation process to deliver consistent responses.

Automating DSARs – the streamlined collaborative user experience

The only way to approach the spiralling time and cost drain of DSAR requests is to replace any laborious and costly manual processing you have in place with more intuitive, user-focused DSAR automation. And to achieve this, we’ve developed and added a whole host of new features to our Aiimi Insight Engine, each carefully crafted to support all your employees.

At the end of play, adopting a collaborative and consistent end-to-end user experience will enable you to carry out more timely and compliant data subject responses.

In our next three blogs in this DSAR series, we’ll look at how:

  1. Data subject access request software enables you to create collections, set up checklists, and share knowledge across teams for fast and dependable DSAR automation.
  2. DSAR tools automate third-party redaction, second-stage reviews, and disclosure for a compliant subject access request response.
  3. DSAR software packages up supporting documentation for a comprehensive and secure response for every subject access request that comes your way.

Whichever way you cut it, DSAR automation is the name of the game. By putting in place your DSAR software now, you'll streamline your entire DSAR-processing user journey later.

    Ready for a DSAR Solution that automates your discovery, redaction, and disclosure processes? Book your 30-min demo to see the Aiimi Insight Engine in action.
