Subject Access Requests, or SARs, may not be new - they came in under the Data Protection Act in 1998 - but the recently enforced GDPR goes some distance further, cutting the time given to respond to requests, doing away with application fees and famously, hiking fines up to 4% of turnover or €20 million, whichever is higher.
How could my business be affected?
Let’s take a doomsday scenario example of a leading low-cost European airline, who have been in the middle of protracted negotiations with its pilots for some time in a dispute over union recognition, pay and conditions. As part of an escalation of tension between sides, the union might recommend to its pilots that they each file a personal Subject Access Request. Under tighter GDPR rules, this would be totally legitimate, and would extend to any data held by the airline, in almost any form, as well as contractors providing services to the company - for instance, records of any medical examinations carried out by a third party, or employee benefits services. Whilst it might be part of a tactical negotiation on another matter, non-compliance would lead to huge fines. As you can see, subject access requests have the potential to tie up whole departments for weeks.
3 best-practice models for easy SARs administration under GDPR
Just like a physical asset register, an information asset register is in place that states where and how personal data is stored. This helps speed up the process of locating the information required to respond to SARs. Information asset owners are put in place and the register should be regularly reviewed to ensure it is kept up to date. Consider current electronic systems and manual filing systems as well as archived backup data and any third party data processors (e.g. payroll and benefit providers) who may also hold relevant personal data.
Retention and deletion policies
Make sure you have documented retention and deletion policies relating to the personal information your business holds. You’ll want to set different retention periods depending on each class of information and the purpose for which it’s being held.
If your organisation receives a significant volume of Subject Access Requests, it’s helpful to put in proper governance structures in place to ensure they are processed and responded to effectively. For example, you could set weekly meetings for the team responsible for dealing with SARs to discuss SARs’ progress and to investigate any cases that appear to be facing delay.
Does it all have to be done manually?
Actually, no. If you’ve been reading this thinking “How the heck is my business going to face complying with this?” - don’t worry. There are ways and means of automating a lot of the work required to respond to a subject access request.
At Dot Group, we're big fans of an "in-place" data management policy. We replace "moving and storing” as the overarching governing philosophy with “indexing and managing in place” by leveraging smart discovery tools together with key best-practices - like those outlined above - in order to give you confidence in your data and ensure compliance with GDPR.
Our approach is fast, scalable and reliable, and streamlines the process of collecting, discovering, analysing and acting on large amounts of unstructured and structured data. This means that what may have taken dedicated information management teams weeks or months to sort through manually might be done automatically in a matter of hours.
Want to know more?
If you’re interested in how an intelligent approach to data management might speed up your response times and help ensure regulatory compliance, get in touch with our friendly team today by clicking below.
We can look at doing a fast-start audit for you, automating as much of the delivery as possible with intelligent software tools and structuring the project over a number of months to give flexibility in accounting. Let us know and we’d love to talk about how best to get a handle on your data management.