How to Handle a DSAR Request: MineOS’s balanced approach
The core of the EU’s groundbreaking General Data Protection Regulation (GDPR) was the idea of every individual having a set of data rights. The GDPR lists eight conclusive data rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to object to processing
- The rights in relation to automated decision making & profiling
- The right to be forgotten
- The right to data portability
- The right to restrict processing
Out of these rights, data subject access requests (DSARs) sprang up. DSARs come from the right of access, but since this right touches on nearly all the other data rights, it has a wide ranging overall effect (which is why the term is often used interchangeably with DSR–data subject request–typically the more general term).
When someone reaches out to a company with a DSAR request, the company has to provide them with the following information:
- Why their data is being processed
- The types of personal data the company processes
- Who the organization shares data with (third parties or international organizations)
- How long the organization keeps the data on record (aka the data retention period)
- A notice explaining the individual’s GDPR rights
- Whether the organization operates any automated decision-making, including profiling
- The source of the collected data (if it hasn’t been collected directly from the individual)
As the GDPR has been a model for many other data privacy regulations around the world, DSAR requests and data rights have spread well beyond Europe, and are a crucial component of data regulations like Brazil’s LGPD and virtually every comprehensive state-level law in the United States.
Because of this, in today’s business world handling a DSAR request is vital for daily operations and data compliance if a company processes any data.
Manually handling a DSR request
Traditionally, handling a DSAR request would require a data protection officer or staff member trained in privacy requirements to work with staff on the technical side to locate the data within the corresponding systems and then go about following up with the individual to proceed.
As DSARs have not yet been around for a terribly long time, many organizations–and the public itself–are still getting used to them. Companies without a constant flow of DSAR requests might opt to complete them manually in a bid to save money and keep their tech stack slim, but if you’re handling any amount of DSARs, that is not the way to go.
A 2022 Gartner report put the average cost of a DSAR request for a typical organization at $1400, with multiple reports putting the time total at around 1.5 hours per data system per DSAR request.
Compounding that, most DSARs are not as simple as deleting data from a single system. In fact, the average DSAR requires an organization to delete data from around 9 systems, meaning completing just one DSAR manually would take an average of 13.5 hours of manpower.
No organization, no matter how big, can spare that time or survive on that efficiency.
With the amount of DSAR requests both in the United States and abroad growing significantly year over year, handling a DSAR request manually will soon be essentially unworkable. This will be a major change for companies with nascent privacy programs, as a 2023 DSAR survey conducted by EY found that 58% of respondents did not use technology to respond to DSAR requests.
How can so many organizations even go about handling a DSAR request manually? In many cases it involves, as mentioned before, multiple teams. The EY survey found that 13% of respondents needed their Legal, HR, Compliance, AND IT departments all working together to handle a DSAR request, and the vast majority of respondents stated multiple departments were involved in the process.
With so many people around and no tools to drill down into the data, many of these organizations ended up having trouble even locating an individual’s data to delete it. 51% said scoping the search and combing through data systems was the hardest part of fulfilling DSARs.
It’s no wonder completing one takes so long.
Using Automation to handle a DSAR request
Using automated privacy software to handle a DSAR request solves most of these issues, even if it isn’t an incredibly practical catch-all.
Automated DSAR request solutions usually work through integrations with data privacy software solutions, bringing the 1.5 hour average down to minutes via API connection and cutting through the guesswork of scoping out where the data is within data systems.
Integrations also make it so a single person–usually a DPO or compliance team member–can handle the many steps involved in DSRs on their own, further compounding the time savings across an organization and making any investment in tools a worthwhile investment.
But automations do have their limitations, mainly because integrations cost money. For critical systems that hold lots of PII and are involved in numerous DSRs weekly, integration is a no-brainer, but most organizations are running over 100 data systems.
When factoring in the IT opportunity cost of integrating any system as well as the general manpower and time investments and the price of the DSAR handling solution itself, fully automating the DSAR process throughout an organization’s entire stack is expensive and slow-going.
What works best is a case-by-case basis that supplements automation in key data systems with targeted manual handling in other systems. This setup keeps a company’s DSAR bill down without demanding endless hours to hunt down data.
MineOS’s approach to DSAR Requests: Smart Sampling=Balance
One of the main things that sets MineOS apart from other privacy platforms and DSAR handling solutions is our smart data sampling. MineOS AI can accurately predict the type of data within data systems given only a tiny sample size to scan, giving organizations clarity in terms of data classification but also a clearer scope of which systems are critical for DSR handling and which are not.
That means that businesses know exactly which systems need integration, saving them time and money on an expensive blanket approach to automating everything.
In fact, the average organization using MineOS finds roughly 280 systems in the initial data source discovery phase. Why is that number so high? Our email discovery methods detect up to 95% of an organization’s data systems, compared to the roughly 50% that traditional methods like cloud and SSO scanning detect, which really opens up eyes in regards to how much data most companies process.
Integrating all those systems would be a significant resource drain, which is why the average MineOS organization only adds 90 systems to its data inventory. This means MineOS works to help minimize nearly 70% of a business’s systems from its privacy program, avoiding unnecessary privacy bloat.
For systems without a high expected volume of DSAR requests, we offer manual handling with features that still help streamline that process, such as assigning individuals to certain systems and offering a clear communication channel so everyone stays on the same page as to where any DSAR request stands.
By striking a balanced approach to DSAR handling, organizations avoid the inefficiencies of both manual and automated DSR processing by embracing only the most logical aspects of each. That leads to sharper privacy programs running on fewer resources with clearly outlined roles and responsibilities, so both companies and individuals can embrace the utility and importance of data rights.