A data subject access request (DSAR) is a common requirement in privacy regulations today. It grants individuals the right to request all the personally identifiable information (PII) an organization has gathered about them, along with how the organization is using that data and who they’ve shared it with.
Responding to DSARs can be a daunting task for any organization. In fact, Gartner reports that manually processing a single request costs organizations more than $1,400 and takes most of them more than two weeks.
DSARs are increasing in number and failure to respond in a timely fashion can result in steep fines, so it’s important to establish a streamlined process for handling them. We will walk you through 3 strategies that can enable your organization to respond to DSARs efficiently and reliably, reducing both costs and risk.
If your organization is subject to data privacy regulations, it’s important to designate an individual within the organization whose ultimate responsibility is to ensure compliance, including the fulfillment of DSARs. This is typically a Data Protection Officer (DPO) or a compliance officer, but depending on your specific regulations, it may be another member of your organization.
The designated individual should be responsible for overseeing the entire process of ensuring that each DSAR is completed correctly and in a timely manner. Typically they will delegate tasks to the relevant departments using the systems and software already in place. It’s essential to design a process that fits your organization and integrates with established workflows as much as possible. For example, if your information security team uses ServiceNow to process requests and they are the right team to supply the data needed to fulfill DSARs, then consider using ServiceNow in your DSAR process.
It is also important to document the entire process so that it is repeatable; a documented, repeatable process helps you streamline DSAR fulfillment and deliver consistent, reliable results.
Regardless of the size of your organization or the volume of DSARs you expect to receive, automation should be at the center of your DSAR strategy to avoid the inefficiencies of manual or ad-hoc processing. Here are the key components of the DSAR process and how each benefits from appropriate technology.
• Register and authenticate data subjects — Organizations must enable data subjects to submit data requests, so they need to have the proper tools to log each request. Moreover, they need to authenticate each DSAR to ensure they are providing information only to the individual authorized to see it. It is essential to maintain a full audit trail, from the point of entry to the point of completion.
• Discover where PII exists across your enterprise — The most difficult part of satisfying DSARs is discovering all of the PII across your entire infrastructure that pertains to the data subject. It’s not enough to know where the data lives; it’s also important to know who owns it, why it’s needed and whether there are any risks to it. This is an almost impossible task without the right tools.
• Review and approve data — Next, the DPO or other responsible party needs to review all the data and ensure the DSAR requirements are met without disclosing the PII of another data subject. This can be an extremely tedious process, since there can be thousands of files to review and thousands of potential data subjects to consider. Technology can reduce this burden by providing all relevant information to the reviewer, such as whether the file contains any PII of other data subjects.
• Provide information in a secure fashion — Once the data has been reviewed, it must be packaged and provided to the subject in a secure fashion to reduce the risk of a breach and a stiff fine for each leaked record.
While it should be clear by now how much technology can fuel this process, we haven’t even begun to cover the additional technologies that will supplement it, including ITSM, data access governance, threat detection and response, and more. Also, while there may be vendors with functionality to support the entire process, it can be worth considering more focused products for each phase, provided they can integrate with one another as well as with the other technologies you are already leveraging.
You don’t want to make the mistake of waiting until you receive your first DSAR to start the data mapping exercise to understand what kind of data exists where within your organization. Depending on the size of your organization, it can take months to discover which servers and other data repositories host PII.
To enable data privacy officers to find data related to a particular data subject, many data discovery products store the data they collect in a full-text index. However, a search over such an index does not guarantee that you have found all information about the data subject, only the information you already knew to search for. Let’s go back to the example of the crumpled-up piece of paper with a name and phone number on it: you can search for the subject’s name and phone number, but what if their address is stored somewhere as well? Therefore, you also need a comprehensive index of all locations in your environment where PII subject to a given regulation exists, and a smart, flexible search process that ensures comprehensive results.
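The difference between searching for what you already know and pivoting through what you find can be shown in a few lines. The following is an added example, not code from the original article or from any Stealthbits/Netwrix product; it assumes a simplified discovery index in which each scanned location lists the per-person records found there, and the sample index itself is constructed for the demonstration. `keyword_search` is the plain full-text approach (it finds only locations containing the requester's known name or phone), while `pivot_search` expands the set of identifiers with every attribute it finds in a matching record until nothing new turns up, so the address learned from the CRM row leads to the spreadsheet that a name search would have missed. It also flags locations that hold other people's records, which is exactly what a reviewer needs to know before releasing a file (the review step described above).

```python
"""Pivoting PII search over a constructed location index (added example).

Assumed index shape: each location is {"repo": str, "path": str,
"records": [ {attribute: value, ...}, ... ]}, where one record holds the
attributes of one person as found at that location. Sample data below is
constructed for illustration only.
"""
from typing import Dict, Iterable, List

Record = Dict[str, str]

# Constructed sample index, as a discovery scan might record it.
PII_INDEX: List[dict] = [
    {"repo": "file-share", "path": "/hr/onboarding/j_doe.docx",
     "records": [{"name": "Jane Doe", "phone": "555-0100",
                  "email": "jdoe@example.com"}]},
    {"repo": "crm-db", "path": "contacts",
     "records": [{"email": "jdoe@example.com", "address": "12 Elm St"},
                 {"name": "Sam Roe", "phone": "555-0199"}]},
    {"repo": "file-share", "path": "/sales/leads-2021.xlsx",
     "records": [{"address": "12 Elm St", "name": "J. Doe"},
                 {"name": "Sam Roe", "email": "sroe@example.com"}]},
    {"repo": "backup", "path": "/archive/old-crm.csv",
     "records": [{"phone": "555-0100", "employee_id": "E-1042"}]},
]


def _norm(value: str) -> str:
    """Case- and whitespace-insensitive comparison key for a PII value."""
    return " ".join(value.lower().split())


def _values(record: Record) -> set:
    return {_norm(v) for v in record.values()}


def keyword_search(index: List[dict], terms: Iterable[str]) -> List[str]:
    """Full-text style search: locations containing any of the given terms.

    This finds only what the requester or DPO already knows to look for.
    """
    wanted = {_norm(t) for t in terms}
    hits = []
    for loc in index:
        present = set().union(*(_values(r) for r in loc["records"]))
        if present & wanted:
            hits.append(f'{loc["repo"]}:{loc["path"]}')
    return sorted(hits)


def pivot_search(index: List[dict], seeds: Iterable[str]) -> List[dict]:
    """Expand the identifier set through matching records until a fixpoint.

    Pivoting is confined to a single record at a time (one person's row),
    so values belonging to other subjects in the same file are not absorbed.
    Each result notes whether the location also holds other subjects' PII,
    which the reviewer must redact before release.
    """
    known = {_norm(s) for s in seeds}
    while True:
        before = len(known)
        for loc in index:
            for rec in loc["records"]:
                vals = _values(rec)
                if vals & known:
                    known |= vals
        if len(known) == before:      # no new identifiers learned this pass
            break

    results = []
    for loc in index:
        matched = [r for r in loc["records"] if _values(r) & known]
        if not matched:
            continue
        results.append({
            "location": f'{loc["repo"]}:{loc["path"]}',
            "matched_values": sorted(set().union(*(_values(r) for r in matched))),
            "contains_other_subjects": len(matched) < len(loc["records"]),
        })
    return sorted(results, key=lambda r: r["location"])


if __name__ == "__main__":
    seeds = ["Jane Doe", "555-0100"]          # what the requester supplied
    print("keyword search:", keyword_search(PII_INDEX, seeds))
    for r in pivot_search(PII_INDEX, seeds):
        print("pivot search:", r)
```

The pivot is only as trustworthy as the attributes it follows: a value shared by many people (a company switchboard number, a shared mailbox) would pull unrelated records into the result set, so in practice the expansion should be limited to attributes your classification treats as identifying a single person, and the `contains_other_subjects` flag should gate the release of any flagged location.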
It’s important to not stop at simply discovering the PII. Data privacy regulations require the appropriate security controls be in place to ensure proper handling of personal data — you need to not only understand where the PII is stored, but how long it has been stored for (whether it’s considered stale data), who has access to it, and what users are doing with that access. This is typically achieved through an iterative process that involves data discovery and classification, monitoring of changes and user activity, and risk assessment and remediation.
Organizations cannot afford to handle DSARs one at a time using manual processes. Moreover, they need to be agile enough to modify their workflow as regulations change and new data repositories are introduced. They need to maintain an ongoing understanding of where PII is being stored, what security controls are in place to protect that data, and how that data is moving throughout the organization. Appointing the right people, developing the right processes and choosing the right tools will help you ensure that you are prepared when you get your next DSAR.
Farrah Gamboa is a Director of Technical Product Management at Stealthbits – now part of Netwrix. She is responsible for building and delivering on the roadmap of Stealthbits products and solutions.
Since joining Stealthbits in 2012, Farrah has held multiple technical roles, including Scrum Master and Quality Assurance Manager. Farrah holds a Bachelor of Science degree in Industrial Engineering from Rutgers University.