The European Union’s (EU) General Data Protection Regulation (GDPR) represents a significant and widespread adjustment to how businesses, consumers and employees can legally interact and share data with one another. For General Counsels (GCs), this requires becoming familiar with the obligations relevant to the collection, use, and storage of employee and consumer data, and subsequently, developing processes to facilitate compliance.
In this article, we focus on Article 15 ‘The Right to Access’ of the GDPR, Data Subject Access Requests (DSARs) and discuss how process mapping and optimisation can help GCs navigate the new DSAR landscape moving forward.
What is the GDPR?
The European Union’s (EU) General Data Protection Regulation (GDPR) is the regulation that governs all matters relating to the personal data of EU residents. As such, it imposes upon all organisations that operate in the EU, legal obligations pertaining to the collection, use, and storage of this data. A key difference between the GDPR and other data privacy laws is that the GDPR legislates explicit and specific rights for EU residents which all organisations that do business in the EU are legally obliged to provide through processes in their operating model. An example of one such legislated right is Article 15 ‘The Right to Access’, which mandates that organisations have processes whereby EU residents can submit requests to access copies of their personal data stored by the organisation. This particular process is referred to as a Data Subject Access Request (DSAR), and has wide reaching implications on the privacy, corporate governance and compliance procedures of organisations.
What is a DSAR?
A Data Subject Access Request (DSAR) is a legally enforceable process that provides ‘The Right to Access’ to EU and UK residents. It is the result of a request from an individual (data subject) for copies of their personal data from an organisation (data controller) and imposes a legal obligation on the organisation to provide a copy of all the personal data held about the data subject within 30 days. Failure to acknowledge receipt of a request or provide the data within the given time frame, thus breaching Article 15 (1), can result in legal consequences such as fines (up to EUR 20 million or 4% of total annual revenue, whichever is higher), sanctions, and damages paid to the data subject, as well as business consequences such as reputational damage, and a loss of trust from the market.
Key challenges
Since the GDPR came into effect, organisations in the UK have experienced a significant increase in DSAR requests from current and former employees. A 2018 study by global law firm Squire Patton Boggs ‘The Rise and Challenge of DSARs’ showed that 71% of organisations had experienced an increase in the number of employee DSARs within one year, and 67% had experienced an increase in the costs associated with processing DSARs. In effect, DSARs have caused significant time and financial pressures on organisations who have had to implement new procedures, hire new staff and allocate additional resources both internally and externally to remain compliant and avoid reputational damage.
Roadblocks to success
With the primary responsibility of processing and responding to DSARs falling under the remit of the legal and compliance functions, General Counsels (GCs) routinely express concerns and frustrations over the complex processes, and increasing costs associated with DSAR compliance. In particular, some of the roadblocks GCs have discovered and faced whilst trying to comply with the DSAR obligations include:
- Unstructured process for receiving, tracking, and responding to requests
- Poor record-keeping practices and data policies
- Insufficient risk management procedures
- Inefficient data extracting and analysis processes
- High costs associated with outsourcing aspects of the response
As a result, there is a heightened risk of missing deadlines which has left GCs apprehensive about the potential legal ramifications, in addition to complaints and resulting reputational damage.
Process optimisation and systems
With that said, a strategic combination of technological support, process mapping and optimisation is a sustainable solution that can provide GCs with a high degree of confidence to respond to DSAR requests, whilst managing and mitigating any potential risks that may arise. LEx360 alongside Lawcadia have developed such a solution that captures the required policies, processes and checklists into an intelligent workflow and matter management tool that allows GCs to comprehensively manage DSAR requests every time. The LEX360 DSAR Workflow incorporates process mapping and optimisation with workflow automation and matter management to simplify and streamline DSAR management processes. As a result, GCs and their legal teams are able to:
- Receive, manage and track DSAR requests in a structured and controlled manner
- Seamlessly and securely send and share workflows with external providers
- Proactively manage their risk profile
- Make data-driven decisions for responding and resourcing incoming DSARS
Importantly, this significantly reduces the risk of any legal or reputational consequences for non-compliance by bringing transparency and accountability to the DSAR management process.
Conclusion
Whilst the GDPR, and specifically in this case DSARs are a key point of frustration for GCs and legal departments, a strategic combination of technology, process mapping and optimisation can empower GCs to comprehensively and assuredly manage DSARs every time. The Lawcadia powered DSAR Workflow is a great example of a solution, which not only simplifies and streamlines DSAR management processes, but also brings transparency and accountability to the process, resulting in a more robust, holistic, and sustainable solution.