Under the Data Protection Act 2018 and GDPR, individuals are entitled to make a Data Subject Access Request (“DSAR”) which enables them to obtain personal information a company holds about them (a step by step guide on how to respond to DSAR is here ). A simple request can be an administrative nightmare for an organisation to manage and DSARs are on the rise.
Complying with a DSAR can be broadly divided into two categories:
- Obtaining legal advice as to whether the request made is valid and how to comply with the relevant duties. Identifying personal information can be more nuanced than it seems on its face. Full consideration must be given to the ICO’s guidance and the relevant exemptions.
- Finding a method to review documents for personal information in the quickest and cheapest way possible. Whilst companies will understandably want to be aware of sensitive personal information that they have to disclose to a Data Subject, they should not have to waste valuable time and resources combing through every document they hold in order to find it.
There is a clear distinction between the category which requires legal expertise and the category that ought to be dealt with via a “production line” type solution. For category two there is an alternative route which is far more efficient than dealing with a DSAR internally; using an LPO (Legal Process Outsourcing) company. LPOs can commit to turnarounds time, are cost effective and can be brought in to handle one or several elements of a case or DSAR request.
The Production Line
The production line approach to DSARs can also be divided into two elements:
- Tech - the use of a technology platform to reduce data volumes and review documents more efficiently.
- Review - The human capital required to review the documents for personal information.
The conventional wisdom is that the more tech that can be included in the process, the less documents companies will have to review.
eDisclosure technology & analytics
Alongside the use of standard functionality such as keyword searches, date ranges and document metadata to cut down the number of documents for review to a more manageable size, text analytics, based on a mixture of natural language processing and classification can be used to determine whether a document contains personal information.
Redaction is a common element of most DSAR matters. Attempting to redact hard copy documents can be an arduous process and whilst standard document review platforms enable redactions, the process remains time consuming. Our Redaction software can be used to automatically redact terms which should not be included in a DSAR response, including personal information relating to individuals other than the Data Subject.
For the elements that cannot be automated, a workforce of experienced solicitors and paralegals can be used to review documents for personal information. Anexsys Lens is the barrister led managed review service for DSARs. Reviewing documents not only for personal information but for privilege and relevant exemptions is a task that requires a human element. Fortunately, those tasked with the review can implement sophisticated software to assist with this task and improve the speed and quality of their response.