Joe Pirrotta is a Senior Director at Conduent's Legal Product Portfolio business unit.
When the General Data Protection Regulation (GDPR) went into effect in May across 28 countries in Europe, new Subject Access Requests (SAR) requirements went into effect along with it. As legal and compliance professional you’re undoubtedly familiar with its general provisions, as well as the fines and penalties that the CIO can impose for non-compliance.
Organizations impacted by GDPR span the globe and with its implementation, they now have 25% less time to process SARs — while facing higher fines if they fail to meet SAR requirements.
Meanwhile, the California Consumer Privacy Act (CCPA) will go into effect January 1, 2020, impacting a huge number of companies that sell goods or services to California residents. Those residents will be able to make subject access requests of the companies required to meet CCPA provisions.
Without a mechanism to identify, consolidate and quickly access personal data, companies that conduct business in jurisdictions affected by GDPR and CPPA expose themselves to substantial risk. This is compounded when data is shared across borders and different languages.
Here are three important considerations regarding SARs:
1) Without the right technology, searching to find the right data can waste valuable time and resources.
We were recently contacted by a $6B multinational company who had been presented with a SAR. The applicant was asking the company to retrieve documents on email, mobile phones, USB sticks, and other devices.
Five days flew by and the company had made little progress in compiling and condensing the information. Recent surveys, such as one conducted by independent research firm Vanson Bourne in early 2018, confirm that the majority of organizations find searching for data challenging and time consuming.
Applying Conduent Viewpoint technology, our teams were able to cut the total number of documents by 92% — to 20,000. Our reviewers then sifted the remaining document volume and redacted any sensitive information. Leveraging specialized expertise and technology, we met the client’s deadline and delivered the requested information on time. Check out the case study here.
2) If not handled well, they can have spiralling consequences.
Consider this scenario… A former employee decides to send a SAR to your company. For whatever reason, you can’t complete the request on time. Before you know it, the news has filtered down to your customers and suppliers. Then you get a phone call from a worried client. They’ve heard about the SAR default and want to know if you can be trusted to manage their data.
This a very real potential scenario. A quick statement from a well-placed source can set in motion a chain of events like this. And if you think a SAR can’t become public knowledge, think again. According to the ICO, mishandling of SARs is the number one data protection issue complaint. In 2016, 42% of the 18,000 data protection-related complaints handled by the ICO were SAR-related. It’s an issue poised to burst into the public consciousness.
3) Your costs can explode.
The reality is: SARs can cost a small fortune. Take two recent cases in the UK. In 2015, an appellant made a request to the University of Oxford. It required the university to wade through half a million emails at a cost of nearly $150K US.
In another case, someone made a freedom of information request to the UK’s Nursing and Midwifery Council. The cost to the institution for this single request was over $300K US.4
It’s not hard to imagine how quickly costs can escalate if an organization receives several SARs of the same scale in quick succession.
Take charge of your data
GDPR has brought major changes to SAR protocols and CCPA is bringing similar requirements, but you can take proactive steps to protect your business.
Work with a partner who is equipped with both the expertise and technology to ensure your SARs are handled swiftly and accurately. Attempting to manage these requests internally requires extensive financial, staff and technology resources.
Aligning with a data privacy and digital interactions expert will enable you to proactively prepare and position your organization to not only meet these requests, but sustain and strengthen a strong reputation around data privacy in the market.
Connect with Conduent Legal and Compliance for more information on Conduent’s Data Privacy Solutions.