
In many organizations, the cost of IT and legal services on the path to compliance with the General Data Protection Regulation (GDPR) of the European Union has increased.

It is estimated that the additional expenditure and running costs for consulting and technology services exceeded £100,000 for medium-sized companies a year and a half after the introduction of the GDPR, while for many larger multinational organizations the figure exceeded £1 million, according to an analysis by DataGrail.


An important provision within the new rules is the requirement to respond quickly to subject access requests (SARs). These are requests by an individual for details about how and for what purpose their personal information is used within an organization. The two groups most likely to make such requests are an organization's employees and its customers.

The scale and the challenge of these requests are considerable, as are the costs. Research in 2019 showed that almost three quarters (71 percent) of companies in the United Kingdom had received SARs from their employees since May 2018, and more than two thirds (67 percent) had to increase their spending to process these requests. These are numbers and operating costs that point in one direction only, as our society and our jobs become increasingly digital.

SARs as a topic are not new. However, the provisions of the GDPR and the UK Data Protection Act 2018 have given them additional weight and strengthened their reach for data subjects and processors alike.

The changes that came into effect with the revised 2018 provisions are as follows:

Under the pre-2018 law, the Data Protection Act 1998, individuals were charged a fee of £10 when they submitted a SAR. With the introduction of the GDPR, however, this fee was largely eliminated, except in cases where a request is "manifestly unfounded or excessive" or "repetitive". In such a scenario, organizations may charge a "reasonable fee" that takes into account the administrative cost of providing the information, or refuse to act on the request altogether. This could deter very burdensome SARs, but there is as yet no guidance on what counts as "manifestly unfounded" or "excessive" in the UK Information Commissioner's Office (ICO) documentation. It is therefore up to the organization or employer to demonstrate that the request is "manifestly unfounded" or "excessive", which is difficult in a dispute given the lack of precedent or written definition.

The GDPR changes things

Previously, an organization that received a SAR had up to 40 days to respond. Under the GDPR, however, organizations must respond without undue delay and in any case within one month of receipt of the request. There is the possibility of an extension of a further two months if the request is particularly complex or if there are numerous requests, but most companies will have to adhere to the one-month time frame. The clock for returning the data starts when the organization receives a request, together with any information it needs to verify the identity of the person who made it.

The procedure for making a SAR has also changed fundamentally. Under the GDPR, requests no longer have to be made in writing. This means that a request can be made verbally, over the phone, or through social media, to anyone in an organization. It is also not necessary to use the words "subject access request"; it only needs to be clear that the person is seeking access to their own personal information.

Many companies are unaware of these changes and of the potential headaches and costs that come with receiving a SAR. For smaller companies, post-2018 SARs are particularly burdensome and can be potentially fatal if the operating budget is low and the workforce is small. For example, it can be assumed that the majority of British SMEs do not have an internal IT department or team of specialists capable of retrieving the data requested in a SAR, and will therefore be forced either to outsource the process at high cost or to breach the one-month compliance window.

However, a few steps can be taken to prepare teams of all sizes for an SAR.

Map data first

The first step is to ensure that all data is mapped within an organization and its network. This means creating an index of both structured and unstructured data, so that data protection officers or IT teams can easily retrieve files containing the data subject's identifiers. This information can be stored in any file type, including Word documents, spreadsheets, notepad files, XML files, and even ZIP files. As for the data subject's identifiers, the search must be able to match patterns and regular expressions that apply to GDPR data across the 27 Member States, such as national identification, passport, identity card and VAT identification numbers.
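One way to build such an index, as an added example that is not from the article or from any product it mentions: walk a directory tree, match identifier patterns in plain-text files and inside ZIP archives (descending into nested ZIPs), and look up every location that holds a given data subject's identifiers. The two patterns (an e-mail address and a UK-style VAT number), the file suffixes treated as text, and the sample files are constructed for this example and are not from the page.

```python
import io, re, tempfile, zipfile
from pathlib import Path

# Constructed identifier patterns for this example: an e-mail address and a UK-style VAT
# number (GB + 9 digits). A real index needs one pattern per Member State identifier type.
IDENTIFIER_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "uk_vat": re.compile(r"\bGB\d{9}\b"),
}
TEXT_SUFFIXES = {".txt", ".csv", ".xml", ".log"}

def scan_text(text, location, index):
    """Record every identifier found in text under its location (file or ZIP member)."""
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.findall(text):
            index.setdefault(match.lower(), set()).add((kind, location))

def scan_zip(data, location, index):
    """Index the members of a ZIP archive; nested ZIPs are descended recursively."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            inner, payload = f"{location}!{name}", zf.read(name)
            if name.lower().endswith(".zip"):
                scan_zip(payload, inner, index)
            elif Path(name).suffix.lower() in TEXT_SUFFIXES:
                scan_text(payload.decode("utf-8", errors="replace"), inner, index)

def build_index(root):
    """Walk a directory tree and return {identifier: {(kind, location), ...}}."""
    index = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".zip":
            scan_zip(path.read_bytes(), path.name, index)
        elif path.is_file() and path.suffix.lower() in TEXT_SUFFIXES:
            scan_text(path.read_text("utf-8", errors="replace"), path.name, index)
    return index

def locate_subject(index, identifiers):
    """Answer a SAR: every location holding any identifier the data subject supplied."""
    return sorted(set().union(*(index.get(i.lower(), set()) for i in identifiers)))

def demo():
    """Build a constructed sample tree (plain file plus ZIP) and run a SAR lookup."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "notes.txt").write_text("Call jane.doe@example.com re invoice GB123456789\n")
        with zipfile.ZipFile(Path(root) / "backup.zip", "w") as zf:
            zf.writestr("export.csv", "JANE.DOE@EXAMPLE.COM,paid\n")
            zf.writestr("other.csv", "bob@example.org,open\n")
        return locate_subject(build_index(root), ["Jane.Doe@example.com", "GB123456789"])
```

Matching is case-insensitive and the lookup returns only locations tied to the requesting subject, so the unrelated record in `other.csv` is not surfaced.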

The second foundation is access. Companies must know exactly who has access to which data and which system permissions they hold. It is therefore crucial to determine at an early stage how information can be retrieved promptly, especially from cloud-based email providers and other service providers. This also helps prevent "permission creep", where access rights grow too broad over time and create further data management challenges.

Organizations should also bear in mind that internal data protection officers (DPOs) remain responsible for respecting the privacy rights of others and ensuring that they are not compromised. This means that a significant amount of redaction may be required before the SAR data is released. This needs to be factored in, particularly for email, although that may be a topic for another article.

To avoid the prospect of a high ICO fine, which currently amounts to a maximum of 10 million euros (or the equivalent in sterling) or 2 percent of total annual sales, companies should familiarize themselves with SARs: understand what they will mean, and prepare so that they know what data they hold, where it is, and how to find it. This way, they can beat the clock before it even starts ticking and find the requested records quickly, in full compliance with the GDPR and the Data Protection Act 2018.

Barry Cook, Group Data Protection Officer, VFS Global
