Increased usage of electronic devices has led to a significant rise in the amount of personal data generated. With the introduction of regulations such as the GDPR, individuals are now more aware of their rights and control how their data is processed and distributed.
Data subject access requests (commonly referred to as a ‘DSAR’ or ‘SAR’) are made by individuals wanting to exercise the right to be provided with a copy of the information an organisation holds about them, which they are entitled to under section 7 of the Data Protection Act 1998. This information can include confirmation that their personal data is being processed; a copy of the personal data in the company’s possession; and the purposes for which it is being processed.
What should you do if your client receives a DSAR? Firstly, ensure the data subject access request is valid. A valid request is one which provides all the information required to locate the information the person wants, as well as sufficient information to verify the data subject’s identity. It is unlikely that the first contact from the data subject will provide all the relevant information, in which case you must respond to the data subject. You have a period of 30 days to provide the information requested once all necessary information has been received. Failure to comply can result in a significant fine, issued by the Information Commissioner’s Office (ICO).
There may be a mix of data that qualifies as personally identifiable data relating to other people and information that is not personally identifiable whatsoever. Separate documents within an overall file must be considered on their own merits. The output of the investigation must be provided to the individual in an intelligible format. In most cases, this information must be communicated to the requester by supplying them with a physical copy of the data, such as a photocopy or printout of the relevant information.
Not all personal information may be liable for disclosure. Once you have collated the information you hold about a data subject you must assess it in order to establish whether it is disclosable. You should only disclose information relating to the person making the subject access request. Where a document contains personal data about several individuals, including the data subject, you should redact the information attributed to the third parties.
As leading digital forensics and electronic disclosure experts, CYFOR have the necessary expertise to assist with data subject access requests. Our team of specialists are experts in forensic data acquisition, and the use of advanced online review platforms. These are specifically designed to search, filter and process large volumes of data, identifying the information you require in a time and cost-effective manner.
Data Subject Access Request: The data subject makes a request to an organisation. This can be done verbally, in writing, or via email.
Validation: The organisation determines whether the request is valid, and confirms the identity of the requester. They can then provide CYFOR with all data for interrogation.
Data Collection: Data can be provided via secure file transfer, onsite acquisition by a CYFOR expert, or by collection of a physical storage device.
Data Processing: Data is processed, de-duplicated and indexed. Indexing gives you the ability to run keyword searches over the extracted data, enabling identification of personally identifiable information.
Data Hosting: Once keyword responsive documents have been identified, they are uploaded to our online review platform and are available for review and redaction.
Document Review: CYFOR provide secure access to our document review partners, Global BPO, who will review documents for Legal Privilege and other subjects’ personally identifiable data.
Production: Once the documents have been reviewed and redacted, CYFOR will provide a production of the relevant documents that can be provided to the data subject.