Navigating the new DSAR landscape: digital necessities.


Individuals have the right to request all data that a company or organisation holds on them. The body supplying the data must redact (irretrievably hide) data that does not relate to the person(s) of interest, such as sensitive third-party data.

The number of Data Subject Access Requests (DSARs) rose dramatically following the introduction of GDPR in 2018. Organisations experienced another surge during the Covid pandemic, at a time when collating data to fulfil DSARs was made harder by the fact that the majority of people were working from home for lengthy periods.

This blog presents statistics that illustrate the evolving DSAR landscape and offers insight into how the UK’s largest grocer deployed automated digital compliance tools to manage large numbers of complex DSARs.

Manual processes no longer an option
The scale and complexity of data held in documents means that DSARs cannot be processed reliably or fast enough by hand. Paper-based businesses face a nightmare of data collation, inefficient and resource-draining redaction, and secure dissemination. Even digitally astute organisations struggle to meet regulatory timescales.

More than half of DSARs fail the ICO’s 30-day deadline
In 2020, less than half (48%) of DSARs were completed within the statutory 30 days.
In 2021, the completion percentage dropped and only 39% of requests were completed within 30 days.

Most organisations said they did not have enough staff members and/or the systems in place to cope with fulfilling the requests they received.

Changes in subject access requester profiles increase risk to organisations
In 2020, 59% of DSARs came from customers and 41% from employees or contractors. In 2021, only 38% of requests came from customers and 62% from employees on furlough or facing redundancy.

The medical sector experienced a different shift in DSAR requester profile. For example, in 2020 74% of requests made to the NHS were made by law firms and insurance companies and 26% by patients. By the end of 2020, 81% of NHS requests came from law firms and insurance companies.

While Data Officers have always been aware of the potential of large fines for failing to comply with GDPR, the change in DSAR requester profiles introduces extended risks. The increasing number of potentially disgruntled employees and eager lawyers has not only increased the complexity of DSAR processing, but has also heightened the risk of reputational damage when DSARs are late or incomplete.

Majority of businesses struggle to find data in multiple locations
Prior to the Covid pandemic, 65% of organisations cited difficulty in obtaining data from other departments as one of the biggest challenges in fulfilling DSARs or Freedom of Information requests. The figure for organisations struggling to access data had risen to 81% by the end of 2021.

Organisations seek technology to cope with DSARs
When surveyed in the year ending January 2021, nearly three quarters (72%) of organisations said they would look to acquire technology solutions to facilitate DSAR fulfilment. Among their imperatives were:

  • Automation and process efficiency
  • Cost and time savings
  • Digitisation

By year ending January 2021, 83% of organisations said they would acquire processing technology, especially if a solution offered reliable automation to fulfil DSARs.

Tesco Plc: an accurate barometer for UK DSARs
Tammy Warren, CCTV Policy Manager at Tesco, is typical of Data professionals looking for fast, smart, reliable compliance tools.

Following her appointment after GDPR, she set about minimising compliance risks, reducing costs and empowering her in-house team by implementing digital tools to achieve assured video and document privacy compliance.

Tesco receive 150 DSARs each week, split between customer and staff requests for data that is contained in varying formats such as documents, video, charts and images.

Tammy initially implemented Facit Data Systems’ Identity Cloak to pixelate (redact) all but the subject(s) of interest in DSAR video footage. The implementation was a big success and is popular with the Tesco compliance team, who are now able to manage the video redaction process entirely in-house at a fraction of the time and costs associated with historical outsourcing.

In line with the national statistics cited previously, Tammy cites events that trigger surges in data requests, such as when company reorganisation is under discussion, and when country-wide events provoke disputes, for example the petrol shortage, which led to increased forecourt incidents.

The complexity of document redaction
While video redaction is a linear process, documents present a different challenge as they are frequently held in diverse formats in multiple locations.

Tesco faced the problem of having to fulfil DSARs for members of staff whose data, if they had been with the business for several years, is held in thousands of sources, across various document types held in email, discrete folders, and personnel files.

Tammy abandoned a trial of one document redaction solution because it was unable to discover PDFs in emails or to redact data in the columns, rows and tabs of spreadsheets.

Following the success of Identity Cloak, Tammy asked Facit Data Systems to help with document redaction. Today, Tesco’s in-house team can download documents via eDiscovery and load them into Facit’s redaction software, where sensitive data is irretrievably masked very quickly according to selected keywords.

Digital document redaction objectives achieved
Tammy’s key objectives for document data processing included acquiring the capability to process DSARs for GDPR compliance entirely in-house, speed and accuracy of redaction, and cost-effectiveness.

Following the introduction of Facit redaction software, Tesco can reliably process large volumes of data automatically. Tammy Warren says of Facit’s document redaction software, “It’s a very good product. I haven’t had any issues with either of the Facit solutions we’ve deployed.”

