David Jones explains how content services platforms can help organisations manage Subject Access Requests
The General Data Protection Regulation (GDPR), which came into force on May 25, completely overhauls how organisations manage the personal data of EU citizens, as well as their access rights to that data. This much we all know.
But GDPR isn’t just about safeguarding personal and sensitive data. It also addresses the overlooked issue of Subject Access Requests, or SARs, which give individuals the right to find out what personal data of theirs an organisation holds, why the organisation is holding it and who that information is disclosed to.
Changes to SARs
SARs are not a new concept – they existed in the previous 1998 Data Protection Act (DPA). However, GDPR makes a number of changes:
organisations must now respond to a SAR within 30 days, not 40 as specified by the DPA;
individuals can request that an organisation provides the data digitally, not just as a printout; and
SARs are now free, unless the request is judged ‘manifestly unfounded or excessive’, whereas before an organisation could levy a charge for providing the information.
These changes make it even more important that personal information is easily accessible and shareable with the individual concerned and that SARs are generated properly and in the right format.
If they haven’t already done so, it is imperative that CIOs put policies and procedures in place to process SARs efficiently, taking into account the new timescales that will need to be adhered to.
A good motivator here is the risk of negative publicity. According to ICO statistics, mishandling of SARs is the number one source of data protection complaints. In 2016, 42% of the 18,000+ data protection related complaints logged with the UK’s official privacy watchdog related to the access of personal data held by third parties.
GDPR’s tighter timescale, the extra cost involved and the ability for individuals to request digital delivery mean that handling SARs after May 25th could be even trickier for the unprepared.
In this context, Content Services Platforms (CSPs) that use powerful audit and analytical capabilities to unify data based on its content, rather than where it’s stored, could provide a solution.
CSPs’ repository-neutral approach enables firms managing Subject Access Requests to identify data residing in different information silos within their business, so that as SARs are made they can quickly serve up the required data in an appropriate format.
However, while GDPR solutions tend to look for personal information in the file system and network drives, in Word documents and Excel spreadsheets and in other repositories that store unstructured content, they tend not to look for it in core enterprise systems, which typically store large quantities of personal information.
A Content Services Platform can look at file systems for unstructured content alongside the enterprise systems it connects to, such as database applications containing structured data.
When the CSP serves as a centralised hub that connects structured data systems with unstructured content repositories, organisations benefit from a 360-degree view of GDPR-related data, from which SAR-specific information can easily be pulled, compiled and delivered.
We can’t know how many SARs organisations will receive now that GDPR has come into force, but CIOs need to be prepared by making personal data secure and straightforward to locate. Relying on manual processes and inadequate technology is high risk when it comes to SARs – and unnecessary given the Content Services Platforms available.