58% of businesses have “no defined process” for responding to Data Subject Access Requests

New research conducted by BSI, the business improvement company, has revealed that over half of European organisations have no fixed method in place for responding to Data Subject Access Requests (DSARs). The research, carried out by the Cyber Security and Information Resilience division of BSI in preparation for the EU’s General Data Protection Regulation (GDPR), also highlights that a third of European businesses rate themselves as highly likely to receive a DSAR. 

In essence, a DSAR is the legal mechanism which allows European citizens to obtain a full account of all personal data a given organisation holds on them, an explanation as to why this information is being held and also copies of this data should they so wish.

Coming into effect tomorrow, the GDPR has greatly increased citizens’ awareness of their rights as data subjects. Organisations processing or collecting personal data for EU citizens will no longer be able to deter requests by charging a fee for responding to a DSAR (currently, UK organisations may charge a fee of up to £10, or £2 if the request is made to a credit reference agency for information about financial standing only).

All companies will need to comply with stricter rules concerning the data protection and privacy of data subjects (citizens) within the EU under the GDPR. Failure to comply could result in fines of up to €20 million or 4% of an organisation’s annual global turnover.

DSAR and the impact on resources

While the submission of data requests from private citizens isn’t a new phenomenon, the process is about to become significantly easier with the advent of the GDPR. The way in which organisations can receive a DSAR has expanded outside of the traditional postal option or e-mail channels. They can be received verbally in person, through a live chat portal, verbally over the phone or even via social media channels.

The research also asked respondents what budget they would allocate after 25 May for handling DSARs within their organisations. One in five organisations estimated a cost of up to €28,000.

Under the GDPR, organisations will now be expected to complete DSARs within one month rather than the existing 40-day timeframe. Sources of data within an organisation can include CCTV data, phone call data, web chat log data, CRM records and order history.

Where a DSAR relates to an employee, it can also include all e-mails, any meeting minutes where the employee’s name is mentioned or documents or correspondence relating to any work they may have done.

Implications could be onerous

Commenting on the research, Stephen O’Boyle (head of professional services at BSI), stressed that the implications of DSARs could be onerous. “The resources required to undertake a DSAR can be considerable, and shouldn’t be underestimated. Organisations will be expected to wade through huge volumes of data within the reduced one month window stipulated by the GDPR.”

There’s also a concern that organisations may face disruptive DSARs from disgruntled customers or ex-employees, those with a personal gripe or someone with enough knowledge to cripple an organisation with an extensive DSAR.

Addressing UK organisations directly, O’Boyle continued: “The motive behind DSARs isn’t always clear, but the end result may include significant costs in responding in terms of resources and the risk of a complaint being made to the Information Commissioner’s Office if the handling of a request falls short of the required standards. Preparation is key. Organisations that have a structured plan in place and that consider additional support to aid it, such as additional technology and staff awareness training, will reduce the risk of non-compliance in responding to a DSAR.”

*The Cyber Security and Information Resilience division of BSI provides a range of solutions designed to help organisations become GDPR compliant including consulting, training, research, technical solutions and outsourced Data Protection Officer (DPO) services. For more details visit https://www.bsigroup.com/en-GB/our-services/Cybersecurity-Information-Resilience/

About the Author

Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.