GDPR: How can Data Discovery technology be used to answer SAR’s?

Tuesday 26 June 2018

After a surge of opt-in emails, website notifications regarding updated privacy policies, training on the do’s and don’ts of data processing, the GDPR is in full swing. Whilst organisations had two years in which to prepare their systems and processes, a staggering 60% of responses to the Senzing survey said that they were not ‘GDPR ready’. If organisations weren’t ‘GDPR ready’, the question is how many are prepared for life post May 25th and how will they manage subject access request’s (SAR’s)?

A notable update to the previous Data Protection Act (DPA) 1998 is around the rights data subjects have, under the DPA SAR’s were charged at £10 per request with a 40-day processing limit, the GDPR see’s the removal of the £10 fee and a reduction in processing time to 30 days which will no doubt impact on organisations.

Data subject rights now extend to

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

These new rights, removal of the processing fees and decreased time limit are bound to impact companies, but just how much?

The Senzing research determines that on average companies will receive  89 GDPR enquires per month, and with organisations having more and more systems in place to support the business, Senzing predict that they will have to search across 23 different data sources to locate the requested data. Senzing go on to suggest that each data source will take on average 5 minutes to check, which adds up to a staggering 10,300 minutes (or 172 hours) per month spent finding data in response to GDPR enquires. This equates to a staggering 8 hours of data searching per working day, or 1 dedicated employee dealing with GDPR enquires on a full time basis!

The numbers keep growing, organisations of over 250 employees should expect on average 246 GDPR enquires per month. The research suggests that these organisations will have 43 different databases which will take more than 7 minutes to be checked and verified, resulting in a staggering 75,500 minutes (or 1259 hours) per month dealing with enquires – luckily, they’ve done the maths for us and it’s a whopping 60 hours per day or in employee hours, 7.5 employees dedicated daily to processing, managing and handling GDPR enquires!

Unfortunately, with 1 in 10 organisations not confident that they fully understand the data that they have under management and where that data is located this is likely to extend the 5/7 minute timeframe, and as the mountain of data collected and created on a daily basis continues to grow, GDPR enquires could potentially cost your organisation thousands, and in some case hundreds of thousands of pounds per year to service.

How can organisations make the SAR process more efficient?

In our opinion, it is only through the use of assistive technology in the form of a data discovery solution that the process of responding to SARs can be managed efficiently. Those organisations which have relied on a more manual ‘pen and paper’ approach to achieving GDPR compliance, will need to look at how they can efficiently locate the requested data manually or they will need to turn to software to help.

The key to efficiently locating requested data will be with a solution that allows you to unify all your structured, semi structured and unstructured datasets, providing you with a single view of your data. From this single view the ability to locate data in various databases will be quick and easy, allowing you to all your systems at once with sub-second response times.

How does the Connexica solution help?

The Connexica DDAM (Data Discovery And Management) system allows you to record all data subject rights requests that are made, and helps you to manage these requests in an organised way, ensuring that they are validated and processed within the 30 day time limit.

By processing the information collected about the data subject at the time the subject rights request was logged, the proprietary data matching algorithms that are supplied with the system will perform a global search across all of the organisational data sources included within the single data view held within the system. Wherever a reference to the data subject is identified it is included for review in the results set. Additional features of the intelligent search enable you to help ensure that you are viewing data items for the correct data subject (i.e. to help distinguish between subjects with the same name), or where a result for the data subject also contains references to other data subjects.

The results set which is produced when a request is processed can be reviewed and packaged up, either for sending back to the requestor in the case of SARs, or as the basis for making amendments / deletions to data sources held within the organisation in the case of right to rectification / erasure / restrict processing requests.

With the potential of high volumes of SAR’s, the removal of the £10 fee and the reduction in processing time it’s important that organisations look to technology to help process and manage SAR’s in a way that doesn’t disrupt the organisation. The adoption of data discovery solutions to unify disparate datasets will not only speed up the time otherwise used to manually check systems but will also provide organisations with the insight required to understand and respond to SAR’s quickly and efficiency.

Get in touch to discuss your requirements further