Since the introduction of the GDPR on May 25th, 2018, LDM Global has seen a considerable spike in the number of Data Subject Access Requests (DSARs) faced by our clients on a monthly basis.
The scope of a DSAR can be wide-ranging, and a DSAR is often used by a disgruntled current or former employee embarking on a contentious litigation process with their current or ex-employer.
If an employer collects, holds and uses personal data belonging to an existing or past employee and the employer falls under the scope of the GDPR, then a response furnishing all personal data in scope must be issued to the employee within 30 days.
The traditional method, usually deployed by a number of organizations, entails exporting data to a web-based review platform and commencing a manual review of all documents. Reviewers then identify personally identifiable information (PII) within a document while also manually redacting third-party PII and/or commercially sensitive information that may lie within the same document.
While this traditional methodology may still be suitable in some cases, with the evolution of Artificial Intelligence (AI), the aforementioned process has become mostly obsolete for larger and more complex DSAR responses.
The following steps are designed to assist organizations with formulating a response plan which will enable them to ‘DiSARm’ the threat posed by a DSAR and respond expeditiously.
- Information Governance: When an organization is faced with a regulatory investigation, discovery or a DSAR, it risks being on the back foot and forced into a reactive position. However, by taking a more proactive approach to managing their data, organizations will be better placed to respond efficiently to any such data request. Undertaking data mapping exercises, implementing data retention policies and digitizing an entire workspace are all effective ways for an organization to ensure that its ‘digital house’ is in order.
- Utilizing AI: Legal technology is commonly used to cull data at the inception of a DSAR. Most readers will be familiar with the concepts of deduplication, email threading, and Boolean searching. However, if utilized properly, AI can also interrogate data more thoroughly prior to review. For example, LDM Global utilizes bespoke, customized entities, allowing us to train the system to identify not only highly relevant documents but also human behavior, emotion, and other data patterns. The application of customized workflows can enable an organization to prioritize data and expedite any subsequent review. This will inevitably streamline the process and serve as a more cost-effective method of managing large volumes of DSARs.
- Redaction QC: As previously mentioned, redacting third-party PII and/or commercially sensitive information has traditionally been a manual process. However, by effectively utilizing Artificial Intelligence, the system can be trained to identify PII, enabling the utilization of auto-redaction. Although this method has proven to be extremely cost-effective, come review time we would also advise that a certain amount of manual Quality Control (QC) be applied to the end-product to ensure the technology has been utilized correctly. After all, technology is only as good as the person who is directing it. Manual input will almost always also be necessary to determine whether any corrective measures are required.
- Audit Trail: Although what you produce at the end of a DSAR is important, how you get it is paramount. Organizations must ensure that, when responding to a DSAR, they employ a documented, defensible, and repeatable process along the way. It is critical that companies ensure they have executed a fully comprehensive audit trail of all decisions made throughout the lifecycle of any project. Organizations should be wary of any potential challenge to their DSAR methodology made by the data subject. Should this occur, organizations that have maintained a comprehensive audit trail are well placed to withstand such challenges.
LDM Global, through our unique workflows and methodologies, assists clients on a daily basis with responding to the challenges posed by a DSAR. Our objective is to ensure our clients develop the necessary workflow to enable them to handle any volume of DSARs on a regular basis. Whether you are an in-house General Counsel or a Compliance Officer, the objective is the same: efficient response times while also managing internal costs. By adhering to the above four steps, organizations are best placed to achieve this goal.
If you feel your organization may require assistance with improving your own internal workflows, whether to be prepared for or to respond to a DSAR, please do not hesitate to contact us and we will help you take control and respond effectively.