How To Control Costs And Risks As Data Subject Access Requests Increase

1639 0

More organizations now store and process personal data, which automatically makes them subject to GDPR and CCPA. Gartner estimates that “by 2023, 65% of the world’s population will have its personal data covered under modern privacy regulations, up from 10% today.”*  Moreover, individuals are becoming more aware of their rights. Therefore, we can expect a steep increase in data subject access requests (DSARs) across the globe. In fact, only 21% of CISOs said that they didn’t see any rise in DSARs in 2019, as stated by a recent Netwrix survey.

If DSARs aren’t already putting significant pressure on your organization, they probably will be soon, for three key reasons:

  • IT departments are overloaded. Addressing a DSAR involves multiple steps, from verifying whether the DSAR is legitimate, compiling the necessary information and responding to the data subject. Since these tasks often require special permissions and expertise, responsibility for completing them usually falls on the shoulders of the IT department, which is already overloaded with critical tasks like cybersecurity and IT operations. Therefore, your IT team might find it hard to address DSARs while keeping up with their other responsibilities.
  • The stakes are high. If your organization fails to satisfy DSARs according to the requirements of privacy standards, you may be subject to stiff penalties. For example, Article 12(3) of the GDPR specifies a one-month period to respond “without undue delay” to data access requests; the penalty for failing to do so can be up to 4% of your company’s global revenue — and that’s per DSAR. In addition to fines, failing to satisfy DSARs can lead to loss of customer loyalty and legal actions.
  • The costs of DSAR management are growing. According to Wirewheel, the average cost for managing one DSAR is $200, and some companies spend as much as $2,350. As the number of requests grows, the cost of handling them will become untenable if you don’t have tools and processes to process them quickly and efficiently.

In ordinary times, you can ill afford damage to your reputation, prolonged litigation, and compliance fines. In today’s economic crisis, avoiding these outcomes is even more essential, so you need to adopt measures that will enable you to cope with the growing number of DSARs without sacrificing other business-critical tasks. I recommend implementing these three measures to streamline your DSAR management processes:

Don’t gather more data than you need.

The more data you have, the more data you need to review, process, modify and provide to satisfy each DSAR. Moreover, GDPR Article 5(1)(e) mandates that organizations shouldn’t collect and store more data than they need. Therefore, it is essential to have clear policies dictating which data you gather, the purposes behind the data’s collection, and how long you will store it. Moreover, you need to be open with your customers: When asking for their consent, clearly explain what data you collect and why, and don’t gather more data than you stated or you risk violating both their trust and strict regulations. 

Make sure you keep regulated data only in secure locations.

Identifying all sensitive data and storing it only in designated locations is essential to proving that customer information is not overexposed, and you can protect it against cyber threats, as required by Article 5(1) of the GDPR. Plus, this practice also helps you handle DSARs faster and more easily, since you reduce the scope of systems that you have to look through for each request. 

Speed DSAR management by automating data search.

Responding to a DSAR requires you to extract data held in various formats and locations: email, Word documents, messages in collaboration tools, etc. Doing this manually can take a great deal of time, driving up costs and increasing your risk of compliance penalties. Indeed, the 2019 IAPP-EY Governance Report found that those who used manual processes, rather than automated processes, were more likely to experience difficulties with DSARs.  According to a recent Gartner survey, “manual processing of a single subject rights request (SSR) for access costs organizations more than $1,400, and a majority of organizations take more than two weeks to provide a response.”*

By automating DSAR searches, you can fulfill requests much faster, and reduce both compliance risks and costs. Some solutions even enable you to delegate some tasks related to DSAR management to non-IT employees, minimizing the impact of the increasing flow of DSARs on your IT pros. The best way to enable quick and accurate searches is to classify your data. In fact, a recent Netwrix survey found that organizations that classify their data spend an average of three hours on each request, while those who don’t classify their data need 11 times more.

Since many organizations are struggling to deal with DSARs properly, I expect that supervisory authorities will introduce strict guidelines for DSAR management. To be prepared, I recommend you classify your data immediately and then create and document a process for handling DSARs in your company. This will enable you to be clear about the steps that you will take and the channels of communication that you will need. I also suggest you stay in contact with your peers from other companies, who are probably facing the same challenges as you. Sharing best practices for how to make the process smoother will help you minimize both financial and legal risks.

*Gartner “Market Guide for Subject Rights Request Automation,” Nader Henein, et al, 21 February 2020 (Gartner subscription required)

Ilia Sotnikov
Ilia Sotnikov is an accomplished expert in cybersecurity and IT management. He is Vice President of Product Management at Netwrix, provider of a visibility platform for data security and risk mitigation in hybrid environments. Netwrix is based in Irvine, Calif.

Ilia Sotnikov Web Site

In this article