GDPR: How to do subject access requests the right way

Egress | 13th Jun 2018

After reading this, why not watch our on-demand webinar to find out more about the process and how the Egress platform can make your post-GDPR life easier. Join here

As everyone surely knows by now, Article 15 of the GDPR concerns the right of access by the data subject. This means that under GDPR, EU citizens can contact organisations and businesses they have dealt with and find out what information is held on them, and how the organisation is processing that data. Afterwards, they can also request that data be rectified, restricted or erased.

GDPR also stipulates that organisations are no longer able to charge for fulfilling such requests, and there are now shorter timespans in which to comply.

It’s important to streamline this process as much as possible to make sure people receive their information in a timely fashion, and to avoid tying up internal administrative functions too much while dealing with increases in the number of requests received. There are potential roadblocks to successful, efficient data request fulfilment, however.

So what’s standing in an organisation’s way? There are three roadblocks to effective subject access request compliance:

1. Securely, efficiently accepting requests and verifying user identification

Before fulfilling a data request under Article 15, you need an effective way to receive the subject’s contact details and request, but also be able to quickly verify their identity. This is a necessary part of the process when dealing with sensitive data but without an integrated, secure way to do this the task quickly becomes intractable, with requests and proofs of ID easily going missing, especially if the only way to accept ID is via post.

2. Collecting all of the user’s data, across emails, files and encrypted content

Up to 80% of enterprise data is unstructured; it sits in emails, files and folders. As well as the difficulty in compiling the personal data reports, the requirement to provide all of the subject’s data becomes impossible if it is hidden within unstructured data, especially if that data is encrypted or stored in users’ mailboxes. Without a way to search across these locations, it’s hard to see how data can be provided in a complete fashion.

3. Secure storage and sharing of subject data

Once you have compiled the data you can find, the next roadblock is finding a way to pass this on to the subject. Post is slow, and prone to going missing, and subjects may have reservations about receiving their sensitive data with this method. Collected data can be very large in cumulative file size so email attachments are probably out of the question. The GDPR advice is to enable remote access to a secure system, but what does this mean in practice?

Accelerating compliance with modern, digital data request completion 

The Egress platform, with its set of interoperable, intelligent components, is in a unique position to solve this problem. The problem requires an integrated solution that minimises workload but maintains security at all times:

  • Secure Web Form helps organisations receive, or ‘ingest,’ content securely. In one go, data subjects can submit everything required, including digital copies of identification documents. Already, this saves massive amounts of administration time, but also, all files and fields are encrypted at rest and in transit.
  • Secure Workspace, our enterprise secure file sharing solution, can receive this encrypted content automatically after the subject submits the request. A folder can be automatically created and populated with their information, meaning compliance administrators get notified when a new request comes in and can quickly verify the user’s identity.
  • Email compliance software is the next step. By searching across all organisational email data, administrators can rapidly build a comprehensive report on the data subject’s personal information that is held, as well as information on how it is being processed. This includes unstructured data found within encrypted emails, within attached documents, and even, using character recognition technology, within scanned documents and images.
  • Once you’ve generated this report? Simply drop it into the Secure Workspace folder so the user gets notified and can access and download it easily from the secure portal. All user actions are fully audited, so administrators can ensure and prove that users have received data.

What does the GDPR text say about this process?

So the Egress platform provides an integrated process for accepting and comprehensively fulfilling subject access requests under GDPR. Following this process means reduced administrative overheads whilst upholding compliance to the letter. This sort of system, where citizens can access their data from a secure portal, is actually specifically recommended in the GDPR text:

GDPR Recital 59

Organisations should provide a mechanism “facilitating the exercise of the data subject’s rights… including mechanisms to request and, if applicable, obtain, free of charge…access to and rectification or erasure of personal data.” They should also provide “means for requests to be made electronically, especially when personal data are processed by electronic means.”

GDPR Recital 63 

Organisations should “be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.”

So there you have it. 

Watch our on-demand webinar for more on this topic, or get in touch.