New research conducted by BSI, the business improvement company, has revealed that over half of European organisations have no fixed method in place for responding to Data Subject Access Requests (DSARs). The research, carried out by the Cyber Security and Information Resilience division of BSI in preparation for the EU’s General Data Protection Regulation (GDPR), also highlights that a third of European businesses rate themselves as highly likely to receive a DSAR.
In essence, a DSAR is the legal mechanism that allows an individual (the data subject) to learn whether an organisation holds personal data about them, to obtain a full account of that data and an explanation of why it is being held, and to receive a copy of it should they so wish.
Coming into effect tomorrow, the GDPR has greatly raised citizens' awareness of their rights as data subjects. Organisations that collect or process the personal data of people in the EU will also lose the deterrent of a fee: under the current UK regime an organisation may charge up to £10 for responding to a DSAR (£2 where the request is to a credit reference agency for information about financial standing only), whereas under the GDPR a request must normally be handled free of charge.
All organisations handling the personal data of data subjects in the EU will need to comply with the GDPR's stricter data protection and privacy rules. Failure to comply could result in fines of up to €20 million or 4% of an organisation's annual global turnover, whichever is higher.
DSAR and the impact on resources
While data requests from private citizens are nothing new, submitting one is about to become significantly easier with the advent of the GDPR. The channels through which an organisation can receive a DSAR have expanded beyond the traditional post and e-mail: a request can now be made verbally in person or over the phone, through a live chat portal, or even via social media.
The research also asked respondents what budget they would allocate to handling DSARs after 25 May. One in five organisations estimated a cost of up to €28,000.
Under the GDPR, organisations will be expected to complete a DSAR within one month of receipt rather than the existing 40-day timeframe (the period can be extended by up to two further months where requests are complex or numerous, but the data subject must be told of the extension and the reasons for it within the first month). Sources of data within an organisation can include CCTV footage, recorded phone calls, web chat logs, CRM records and order history.
Where a DSAR comes from an employee, it can also take in all e-mails, any meeting minutes in which the employee is named, and any documents or correspondence relating to work they have done.
Implications could be onerous
Commenting on the research, Stephen O'Boyle (head of professional services at BSI) stressed that the implications of DSARs could be onerous. "The resources required to undertake a DSAR can be considerable, and shouldn't be underestimated. Organisations will be expected to wade through huge volumes of data within the reduced one month window stipulated by the GDPR."
There is also a concern that organisations may face disruptive DSARs from disgruntled customers or ex-employees, people with a personal gripe, or someone with enough knowledge of the organisation to cripple it with an extensive request. The GDPR does allow a controller to charge a reasonable fee, or to refuse to act, where a request is manifestly unfounded or excessive, but the controller bears the burden of demonstrating that this is the case, so a request cannot simply be set aside because it is inconvenient.
Addressing UK organisations directly, O’Boyle continued: “The motive behind DSARs isn’t always clear, but the end result may include significant costs in responding in terms of resources and the risk of a complaint being made to the Information Commissioner’s Office if the handling of a request falls short of the required standards. Preparation is key. Organisations who have a structured plan in place and who consider additional supports to aid it, such as additional technology and staff awareness training, will reduce the risk of non-compliance in responding to a DSAR.”
*The Cyber Security and Information Resilience division of BSI provides a range of solutions designed to help organisations become GDPR compliant including consulting, training, research, technical solutions and outsourced Data Protection Officer (DPO) services. For more details visit https://www.bsigroup.com/en-GB/our-services/Cybersecurity-Information-Resilience/