Blog  •  November 18, 2021


As the Lockdown Begins to Ease, Organizations Must Prepare for an Influx of DSARs

Guardum is now Data Protect Solutions.

Some of the toughest decisions organizations made during the COVID-19 pandemic have been those impacting their staff. Millions of workers were furloughed and millions more jobs were cut, particularly in hard-hit industries such as travel. These disruptions are expected to continue.

Among the many serious impacts of the pandemic, one that few would have predicted is a surge in Data Subject Access Requests (DSARs). We are seeing a notable spike in requests as disgruntled individuals seek data to build a case for wrongful dismissal. Furloughed, laid off, and terminated employees have submitted DSARs to prepare for potential future action or because they feel they were treated unfairly.

We anticipate this number will continue to increase, so organizations must deal with DSAR increases even as their operations are hampered by the pandemic. Research that Guardum by DFIN commissioned found that 75 percent of Data Protection Officers (DPOs) are struggling to meet data compliance obligations. Further, 60 percent of DPOs feel they do not have the resources to cope with the demand and 30 percent fear being overwhelmed by a flood of DSARs once the pandemic eases.

Lockdown challenges

The good news for organizations dealing with an influx of DSARs is that they will be able to use the General Data Protection Regulation’s (GDPR’s) built-in protections for exceptional circumstances and fulfill requests in 90 days rather than 30 – although they must still respond to requesters in the initial timeframe.

However, most organizations will continue facing significant barriers to completing requests. As with all other areas of the organization, they need to have a solid remote working contingency plan to handle DSARs when operating with limited staff and resources.

There still needs to be a high level of coordination with the DPO to ensure cases are fulfilled completely and nothing is missed. We have encountered cases where DSARs were not completed correctly and staff did not wait for reviews from the DPO.

Companies that retain a significant amount of physical assets, such as filing cabinets of personnel files, will struggle to fully comply with DSARs. Even digital assets may be hard to access if they include large files and individuals have poor Internet bandwidth at their homes.

Looking to the future

Many organizations will have been caught out, not only by the influx of DSARs caused by the pandemic but also by the practical limits on coordinating and fulfilling requests. Organizations must get to work on future-proofing their operations in the event of further disruptions or more requests.

An important first step is to move away from paper-based files, with the ultimate aim of having digital copies of all physical assets. Although digitizing everything is no small task, it will greatly improve the management of DSARs remotely, as well as data privacy and security. Remote desktops are one of the best solutions for accommodating large file sizes, as they can be located on the same server and avoid data transfer issues.

With everything digitized and accessible online, the next priority is to start implementing automation to deal with as much of the DSAR process as possible. Automated tools can take on the heavy lifting of locating files relating to a request and carrying out specific demands such as deleting information. Locating and classifying all relevant personal data on the system will make this even more efficient, as well as allow the automatic application of actions such as data anonymization or redaction.

With many organizations already likely to receive an influx of DSARs, taking steps to automate and future-proof data management and governance as soon as possible will leave organizations better equipped, whatever the future holds.

Darren Wray

DFIN