Big Data

Are Subject Access Requests factored into your GDPR initiatives?

By David Jones, Director of Product Marketing, Nuxeo
Published: 1 May 2018

Some organisations see the General Data Protection Regulation (GDPR) as simply another data compliance challenge and have not considered the impact that Subject Access Requests (SARs) will have on their business

When the new General Data Protection Regulation (GDPR) comes into force on 25 May this year, it will completely overhaul how organisations manage the personal data of EU citizens. Those that do not comply will find the heavy hand of the law on their shoulders, and potentially a hefty fine hitting their bank balance.

Organisations have been working overtime to make sure they can identify all of the personal data stored within their systems and repositories, and to ensure this information is safe and secure. But GDPR isn’t just about safeguarding personal and sensitive data; it’s also about an organisation’s ability to deliver this information to any EU citizen who asks for it, otherwise known as a Subject Access Request (SAR). A SAR is a request for the personal information that an organisation holds on an individual. In order to comply with GDPR, it’s vital that organisations have a strategy in place for handling these requests accurately and promptly.

Changes to SARs under GDPR
Under GDPR, SARs are treated similarly to the existing Data Protection Act (DPA) procedure, but with a few modifications. Currently a UK organisation can charge for a SAR, but once GDPR goes into effect, organisations will no longer be able to charge unless the request is deemed ‘manifestly unfounded or excessive’. This change is likely to increase the volume of these requests, and could have a substantial administrative impact on organisations if a large number of SARs begin arriving at the end of May and continue from that point on.

Under the DPA, organisations must respond to a SAR within 40 days of receiving a written request. Under GDPR this timeframe is reduced to one month. It can be extended if the request is complex, but the individual must be notified within the one-month period that the SAR is being processed. Having an effective procedure in place for ensuring all personal data can be identified and quickly provided when SARs are made is therefore paramount in order to avoid the hefty fines and financial penalties for failing to adhere to GDPR requirements.

It is imperative that CIOs put policies and procedures in place to process SARs efficiently and escalate where necessary, taking into account the new timescales that will need to be adhered to. The last thing an organisation wants is negative publicity around SAR compliance.

Many organisations, however, still rely on manual processes, or on retrieving information from multiple, disparate systems built on ageing and dysfunctional technology. In such an environment, it is difficult to arrive at a single version of the truth about what personal data is held and where.

Organisations should therefore consider putting a Content Services Platform (CSP) in place for dealing with SARs.

Content Services Platforms – a modern solution to a modern problem
A modern CSP is ‘repository neutral,’ which not only enables organisations to gain a more holistic view of all of the data residing within their systems and repositories, but it also delivers this data based on context (in this case, personal data is the context) from one central platform.

A CSP allows organisations managing SARs to easily identify personal data residing within their various systems, and enables them to quickly compile and deliver this data on request. At the same time, a CSP continually tracks and secures that data, so organisations know exactly what information is stored and where, as well as who is authorised to access it.

A CSP can help organisations comply with GDPR by providing a consistent and accessible view of all of the information within the business, even information held in ageing legacy business applications. In addition, it can manage the handling of SARs themselves: processing requests and delivering the results to individuals.

It is impossible to predict how many SARs organisations will receive when GDPR arrives. But organisations need to be prepared, and that means ensuring personal data is secure and can be quickly located and delivered upon request according to GDPR requirements. Relying on manual processes and outdated technology is a risk when it comes to SARs, and one that could cost your company its reputation.

About the author
David Jones is Director of Product Marketing at content services company Nuxeo