Data Subject Access Requests (DSARs)
CYFOR’s DSAR Compliance Service significantly reduces the time it takes to prepare a DSAR response, improves the accuracy of disclosable content, and preserves valuable team resources. We operate customised eDiscovery technology with machine learning, which allows us to easily locate, extract, organise, filter and review data across any operating system. Alongside this technology, we apply a forensically sound methodology to ensure that the information disclosed is correct and in line with GDPR regulations.
Dealing with Data Subject Access Requests (DSARs) can be a complex and time-consuming task. This is compounded if the volume of personal data held by an organisation is extensive and if it is held in various formats across a range of systems that may not correspond with each other.
As leading digital forensic and eDiscovery specialists, we have invested in advanced online review technology specifically designed to search, filter and process large volumes of electronic data. Incorporating advanced keyword filtration technology, data analytics and machine learning, these platforms can search across any of your chosen systems to recover the information you require. We can also digitally redact any relevant documents that contain legally privileged information which is not disclosable to the data subject.
CYFOR’s workflow outlines the processes undertaken to validate, collect, process, host and review all data in relation to a DSAR.
We can also provide a data flow map, which is designed to help you understand the general flow of personal data through your business, allowing you to improve efficiency in DSAR and GDPR compliance.
The data subject makes a request to an organisation. This can be done verbally, in writing, or via email.
The organisation determines whether the request is valid, and confirms the identity of the requester. They can then provide CYFOR with all data for interrogation.
Data can be provided via secure file transfer, onsite acquisition by a CYFOR expert, or by the collection of a physical storage device.
Data is processed, de-duplicated and indexed. Indexing gives you the ability to run keyword searches over the extracted data, enabling identification of personally identifiable information.
Once keyword responsive documents have been identified, they are uploaded to our online review platform and are available for review and redaction.
CYFOR will review documents for Legal Privilege and for other subjects’ personally identifiable data.
Once the documents have been reviewed and redacted, CYFOR will produce the relevant documents, which can then be provided to the data subject.
The use of electronic devices is constantly increasing and, therefore, so is the amount of data being generated. Under regulations such as the Global Data Protection Act (GDPR), individuals are becoming increasingly aware of their personal data protection and privacy rights. Furthermore, the appetite for understanding how personal data is controlled, processed and distributed is also on the rise.
Data Subject Access Requests (DSARs) are formally written requests (via email, letter, fax or social media) for personal information. They are often used by individuals who want to be provided with any personal information an organisation holds about them. For example, an employee may send a DSAR to an employer as part of a grievance, disciplinary or employment tribunal process. The personal information that an individual can request usually includes:
The European Commission defines personal data as any information that relates to an identified or identifiable living individual. Multiple pieces of information when collected together can lead to the identification of a particular person, so would also constitute personal data.
Data controllers are the organisations being issued with a DSAR as they hold the personal data. They are required to comply with the request promptly and within 30 days of the request. As individuals become more and more aware of this right, clients are coming under increasing pressure to deal with these requests in accordance with the GDPR.