Are you really set up to tackle SARs?
Luis Parra is the Director of Legal & Compliance - Europe.
The following content is applicable to any organisation with employees or locations in Europe that needs to comply with GDPR.
It’s now four months since a new Subject Access Request (SAR) regime came into force. As a legal and compliance professional, you’ll be familiar with the provisions of the General Data Protection Regulation (GDPR). And you’ll know all about the fines and penalties that the Information Commissioner’s Office (ICO), the organisation responsible for overseeing GDPR, can levy on businesses.
The upshot – you now have 25% less time to process a SAR. And the fines have increased. But here are three things that you might not know about SARs:
1) They can be a massive drain on resources
We were recently contacted by a £5bn annual turnover multi-national firm that had been presented with a SAR. The applicant in this case had asked the company to retrieve documents on email, mobile phones, USB sticks, and other devices.
Five days had flown by and the company had made little progress in compiling and condensing the information.
Using our Viewpoint platform, we cut the total number of documents by 92% to 20,000. We also brought in our team of qualified reviewers to sift the remainder and redact any sensitive information. Thanks to both, we were able to meet the client’s deadline and deliver the information on time.
Now – ask yourself honestly – could you have compiled a similar volume of data? Would you have known what to include and exclude? And would you have had the skills to redact sensitive information? All in one month?
You might have transferred employees to the case and hired outside support. But it would have cost you a lot. Both in time and money. And even then, you would have found it difficult to meet your deadline. In early 2018, independent research firm Vanson Bourne conducted a survey of 400 business, IT, and security decision makers. Three quarters of respondents said that they found searching for data challenging and time consuming.
2) They have the potential to damage your brand
You might not think that a SAR could generate negative PR. But consider this scenario. A former employee decides to send a SAR to your company. For whatever reason, you can’t complete the request on time. Before you know it, the news has filtered down to your customers and suppliers. Then you get a phone call from a worried client. They’ve heard about the SAR default and want to know if you can be trusted to manage their data.
Unlikely? Outlandish? Not really. It would only take a quick word from a well-placed source to set in motion a chain of events like this. And if you think that a SAR couldn’t become public knowledge, think again. According to the ICO, the mishandling of SARs is the number one subject of data protection complaints. In 2016, 42% of the 18,000 data protection-related complaints handled by the ICO related to SARs. This is an issue that is just waiting to burst into the public consciousness, in which case…
3) They could cause your costs to spiral
You may not know this, but SARs can cost a small fortune.
Take two recent cases. In 2015, an appellant made a request to the University of Oxford. It required the university to wade through half a million emails at a cost of £116,116. In another case, the individual made a freedom of information request to the Nursing and Midwifery Council. The cost to the institution for this single request was £239,871.85. Now imagine if you got eight SARs of the same scale in quick succession – you’d be looking at a cost close to a million pounds!
4) Technology, people, and processes
This is where Conduent can help. We can give you guidance on how to collect data and limit the scope of searches. After all, you don’t want to be wading through masses of data if you can avoid it.
We have the technology to cull data and remove non-relevant information, and we’re constantly working to improve it.
Lastly, we have the resources to take on SAR projects at short notice. We have a managed review team of 200 and can bring in legal specialists as and when required.
Take charge of your data
Much has been said about GDPR. It is an important topic that has brought about major changes to the SAR regime. However, you can take steps to protect your business. You can standardise your data management processes and make them repeatable. And you can store all your data in a single, easily searchable repository.
Take these actions and then reach out to us – we’ll help you with the rest.