DSAR – Help I can’t cope!!! Our Subject Access Request volumes have gone through the roof!!!!
I had an online interaction with a vendor who sells Data Subject Access Request (DSAR) automation software recently. During the ‘pitch’ they highlighted that organisations across London, UK have seen a staggering increase in DSARs since GDPR went live. An article in the Yorkshire Evening Post confirms this is not just a London-centric issue.
“In Wakefield, there’s been a 35 per cent increase in subject access requests since GDPR came in, and staff now have to look through 1,000 more documents for every request.”
It’s not really a surprising revelation. The removal of the £10 admin fee (in most cases) and the ability to request the information via electronic means has clearly made the process a lot easier. What many organisations are failing to appreciate, though, is that high volumes of DSARs are a proxy metric for other issues in their organisation. A lot of your customers really don’t want a big binder full of their correspondence or screenshots of databases. They’re more likely frustrated with some aspect of the company’s business practices. In short, if you or the Data Protection team in your organisation are struggling to cope with high volumes of DSARs, you don’t have a DSAR resource problem; you have either a:
- Service Delivery Problem
- Customer Service Problem
- Data Minimisation Problem
If you fix the above issues, I believe it’s highly likely the volume of, and time to process, DSARs will go down on their own – significantly! Here’s why:
Service Delivery affects DSAR Volumes
How is your service delivered? Have you ensured your processing is lawful? Are you delivering a service your customers expect? If your service delivery is good, you are less likely to get complaints. If there are problems with service delivery, then complaints are going to start rolling in. At this stage, the DSAR problem is simmering under the surface. Even where service delivery is poor, a well-handled complaint can nip the issue in the bud until the delivery issue is fixed. On the flip side, a poorly-handled complaint will cause the issue to escalate into a DSAR pretty quickly…
…Which leads on to how companies deal with complaints…
Customer Service affects DSAR Volumes
A good question a DPO can ask of their organisation is: what is the training programme for first-line customer service management? Are all customer-facing (and back-office) staff given customer service training? I’m not talking about handling Data Protection issues here. I’m talking about how customer-facing employees deal with complaints. For example, when responding to complaints, do you give stock answers with little-to-no substance such as:
“We take all customer complaints seriously. We are really sorry that you were inconvenienced today; however, we are unable to help you any further.”
Customers hate platitudes like this. I don’t know why companies think this will assuage the customer. All this does is wind a customer up. It’s not the only example. I have countless anecdotes from family, friends, colleagues and clients about how they made a fairly simple request of a company employee only to be told:
“I’m really sorry, it’s our policy not to provide that information”
It’s usually NOT the company policy at all. In some cases, it CAN’T be the policy, as the same information must be provided within a DSAR. It’s usually because the employee can’t be bothered to go that little bit extra to improve customer satisfaction, or possibly they don’t know how to get the information and/or can’t be bothered to go and ask someone. So, what does the customer do in this case…yup…they say:
“Well, if you won’t give me this tiny bit of information, I will have ALL the information you hold on me.”
You now have a situation in which a small, easily administered task becomes onerous. The DSAR problem is exacerbated when poor service delivery is also causing an increased volume of complaints. By failing to resolve complaints or small requests at the time, organisations now have to deal with the subsequent DSAR…
…and dealing with a DSAR leads on to how your organisation stores personal data…
As service delivery and complaint management processes have ultimately failed to resolve the customer’s issue, the Data Protection Officer’s team now has to process all these DSARs. If the organisation has unnecessary complexity in the way it processes customer data, then processing a DSAR is also going to be affected by that complexity. If Data Controllers and Data Processors keep personal data in multiple locations; if employees use their mailboxes as their own personal filing system; if your employees download data and manipulate it in Excel instead of working from the primary source; if organisations are keeping records for years longer than needed; well, the organisation has made a rod for its own back. The vendor I mentioned said it took one organisation 21 days just to discover the information needed to service a DSAR. That doesn’t leave much time (9 days in total, so probably 5 workdays) to review and redact that data before passing it back to the Data Subject using a secure method. If an organisation takes 21 days to discover data, there are clear records management issues that need addressing!
DSAR Volumes – What can we do?
There are quite a few things that can be done, but we shall focus on the actions that will give the most ‘bang-for-the-buck’. Naturally, the first and most obvious things to do are to deliver great service and take a customer-centric approach to complaints management. If, however, you don’t have these things in place, the next best thing to do is to monitor issues and fix them at the root cause (don’t paper over them). Ensure your organisation has the means to monitor the problem. Establish appropriate Key Performance Indicators (KPIs) to measure why customers are making DSARs, and ensure this information is fed back to the appropriate management teams who can effect change.
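The KPI idea above is easier to act on once each DSAR is tagged with the upstream problem that drove it. The following script is an added example, not code from the article or from Fox Red Risk: it takes a constructed DSAR intake log, tags each request with one of the three root causes the article names (service delivery, customer service, data minimisation), and reports the share of DSARs that followed an unresolved complaint, the average time spent just discovering the data, and how many requests left fewer than ten days for review and redaction. The record fields, the 30-day window and the ten-day review threshold are assumptions for the example, not figures from the article.

```python
from dataclasses import dataclass
from statistics import mean

# Root-cause categories from the article; "unknown" is for DSARs the intake
# team could not yet attribute to a specific upstream problem.
CAUSES = ("service_delivery", "customer_service", "data_minimisation", "unknown")


@dataclass
class DsarRecord:
    ref: str                    # internal reference (constructed, not a real case id)
    cause: str                  # one of CAUSES, assigned at intake triage
    preceded_by_complaint: bool # did the customer complain before escalating to a DSAR?
    complaint_resolved: bool    # was that complaint closed to the customer's satisfaction?
    discovery_days: int         # days spent just locating the personal data
    statutory_days: int = 30    # assumed response window for this example

    def __post_init__(self):
        if self.cause not in CAUSES:
            raise ValueError(f"{self.ref}: unknown root cause {self.cause!r}")


def review_days_left(record: DsarRecord) -> int:
    """Days remaining for review, redaction and secure return after discovery."""
    return record.statutory_days - record.discovery_days


def kpis(records, min_review_days: int = 10) -> dict:
    """Aggregate the intake log into the KPIs a DPO would feed back to management.

    - by_cause: how many DSARs trace back to each upstream problem
    - unresolved_complaint_share: fraction of DSARs that followed a complaint the
      organisation failed to resolve (the escalation path the article describes)
    - mean_discovery_days: average time spent just finding the data
    - at_risk: DSARs where discovery ate so much of the window that fewer than
      min_review_days remained for review and redaction
    """
    if not records:
        return {}
    total = len(records)
    by_cause = {c: 0 for c in CAUSES}
    for r in records:
        by_cause[r.cause] += 1
    unresolved = sum(1 for r in records
                     if r.preceded_by_complaint and not r.complaint_resolved)
    at_risk = [r.ref for r in records if review_days_left(r) < min_review_days]
    return {
        "total": total,
        "by_cause": by_cause,
        "unresolved_complaint_share": round(unresolved / total, 2),
        "mean_discovery_days": round(mean(r.discovery_days for r in records), 1),
        "at_risk": at_risk,
    }


# Constructed sample intake log; the values are illustrative only.
SAMPLE_RECORDS = [
    DsarRecord("DSAR-001", "service_delivery", True, False, 21),
    DsarRecord("DSAR-002", "customer_service", True, False, 5),
    DsarRecord("DSAR-003", "data_minimisation", False, False, 25),
    DsarRecord("DSAR-004", "customer_service", True, False, 8),
    DsarRecord("DSAR-005", "unknown", False, False, 3),
    DsarRecord("DSAR-006", "service_delivery", True, True, 4),
]


if __name__ == "__main__":
    for key, value in kpis(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

On the sample log, half of the DSARs followed a complaint the organisation failed to resolve, which is the customer-service signal the article says management should be looking at; the two at-risk references are the ones where discovery alone consumed more than two thirds of the window, the records-management signal from the 21-day anecdote.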
Keep data to a minimum. The less data you have, the less you need to search through and review. Re-engineer databases if need be. You may find that by rationalising your processes for data protection, you not only reduce the cost of dealing with DSARs but also reduce other operating costs too: lower storage, fewer databases to manage, fewer servers to patch, less maintenance. It all adds up.
Whatever you do, don’t let customer-facing employees blag customers that the “computer says no”. Treat customers with the respect they deserve…after all, their custom pays for your salary. If you need help on this or any other GDPR issue, get in contact; Fox Red Risk can help.
About The Author
Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy. Stephen has worked in the information security risk, business continuity and data protection world for nearly 20 years. Stephen has delivered complex security programmes across defence, real estate and financial services. Stephen has also authored the popular book “The Ultimate GDPR Practitioner Guide” which is available on Amazon in both paperback and Kindle eBook.
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.