If your personal information is being collected, held or processed by a company, you are a “data subject.” As a data subject, you automatically have certain rights and protections. These include the right to obtain a copy of the personal information companies hold about you by making a data subject access request (“DSAR”). Generally speaking, giving individuals rights in relation to their data should be seen as a positive, but DSARs are being increasingly used as a weapon by ex-employees to put their former companies through a painstaking process of reviewing thousands of documents to produce the data requested.
Once you receive a DSAR, you have one month to provide the personal information requested, and failure to comply can result in hefty fines. For companies that do not have well-oiled procedures in place, the prospect of complying with a DSAR can be daunting. Fortunately, using eDisclosure technology can significantly reduce the time and cost of compliance.
I have received a DSAR from a (former) employee, what do I need to do?
A DSAR does not need to be in a prescribed form and it can be made verbally or in writing. Once you have established that the DSAR you have received is valid, you can seek an extension of time of up to two months to respond, as well as clarification of the personal information being requested. Nevertheless, you would be wise to kick-start the following five-stage procedure as soon as possible:
1. Identify sources (electronic or otherwise) where documents containing an individual’s personal information may be recorded or stored
You may want to start with the individual’s HR file, or personal folders allocated to the individual. The individual’s email inbox will almost certainly contain their personal information, and you should also consider which other individuals are likely to have exchanged the individual’s personal information.
2. Reduce the number of documents that need to be reviewed for personal information to a manageable size
Using the following eDisclosure techniques will help you identify where the personal information is stored and will reduce the number of documents for review to a more manageable volume:
Filtering: Use keywords and date range filtering to restrict the documents for review to a limited number.
Email Threading: Identify all emails within the same ‘conversation’ and present only the final emails in each conversation for review. This reduces the amount of repeated content for reviewers.
Near Deduplication: Group together documents during your review so that the same reviewer sees similar documents in sequence, improving the efficiency of your review.
3. Locate the individual’s personal information in the documents found in those data sources
Using specialist tools such as Ayfie’s Supervisor to identify personal information in your documents reduces the burden of manually searching each document. Supervisor applies next-generation natural language processing and machine learning technology to locate the personal information within the documents you have and indicates where it is stored.
Further time can be saved by outsourcing the review of the documents to a team of document review specialists. Completing the review inside the one-month time limit can be challenging. Using seasoned reviewers will ensure the DSAR is complied with inside the deadline.
4. Ensure no personal information relating to another individual or legally privileged material is inadvertently provided to the individual
Using bespoke redaction software simplifies the process of locating repeat instances of personal or privileged information requiring redaction, ensuring the individual only receives their personal information and no one else’s.
RTK.Redact allows you to apply redactions made to a standalone document to duplicate copies, ensuring consistency in your redactions.
5. Provide the individual with copies of the personal information
Rather than spending time compiling copies of documents or personal information, copies can be exported from your eDisclosure review platform with ease.
If you are interested in hearing more about how Anexsys can assist with your DSAR, please email firstname.lastname@example.org for further information.