You Received a Data Subject Access Request (DSAR), Now What?

DSARs are one of the most time-consuming parts of the General Data Protection Regulation (GDPR) and are dreaded by many organizations. One lawyer we spoke to said that some organizations are spending upwards of $50,000 to fulfill DSARs and often end up settling monetarily with a Data Subject instead of actually fulfilling the DSAR. Additionally, DSARs are time-bound (within 30 days), so you need to be able to move quickly as an organization.

The Data X-Ray can assist you in:

  • Establishing data gathering processes to ensure that you can respond to a subject access request without undue delay and within one month of receipt.
  • Carrying out the data discovery portions of those processes in a few button clicks.
  • Understanding if a request includes information about others.

In this article we'll explain how to build Data Subject queries in two different ways so that you can vastly reduce the time it takes to fulfill a DSAR.

(Note: the Data X-Ray is designed to find the relevant electronic data but does not actually build a DSAR response, which should also include human intervention to determine whether the data to be provided is adequate and accurate, anonymizing irrelevant data, and actually compiling the data in a readable format for the Data Subject. Further guidance on DSAR fulfillment is available on the ICO (UK GDPR regulator) website.)

Building a DSAR Query with the Search Tool

The Search tool is currently only available on our on-premises/private cloud version but will be rolled out to cloud users as well by the end of Q4 2018. Search is the easiest way to build a query and gives you, the end user, vastly more control over precisely which records you want to search for. Search also lets you simultaneously query all of the datasources within your organization.

The biggest problem in searching across multiple databases is false positives. With normal database and datasource queries, if you search for the last name "Lee", for instance, you will most likely get thousands of results back, as the word "Lee" can be not only a last name but also a first name, street name, etc. The Data X-Ray solves this by first pre-classifying your data using a machine learning algorithm. Once it is confident that a particular group of data is of a certain class (last name in this case), it conducts the search for "Lee" only in that class.
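
The false-positive problem and the class-scoped fix described above, as an added example (not Data X-Ray code, and not a description of how the product is implemented). The records are constructed, and a hand-written column-to-class map is assumed in place of the machine-learning classification step; the example goes one step beyond the text by also narrowing on a second class-scoped term.

```python
# Constructed sample data (invented sources and people); not Data X-Ray code.
DATASOURCES = {
    "crm.customers": [
        {"first_name": "Jennifer", "last_name": "Lee", "street": "12 Oak Road"},
        {"first_name": "Lee", "last_name": "Morgan", "street": "4 Lee Street"},
        {"first_name": "Ana", "last_name": "Leeds", "street": "9 Elm Way"},
        {"first_name": "Brandon", "last_name": "Lee", "street": "30 Mill Lane"},
    ],
    "hr.staff": [
        {"given": "Jennifer", "surname": "Lee", "addr": "12 Oak Road"},
        {"given": "Omar", "surname": "Haddad", "addr": "77 Leeward Close"},
    ],
}

# Assumption: a hand-written column-to-class map stands in for the ML step.
COLUMN_CLASS = {
    ("crm.customers", "first_name"): "First Name",
    ("crm.customers", "last_name"): "Last Name",
    ("crm.customers", "street"): "Street Address",
    ("hr.staff", "given"): "First Name",
    ("hr.staff", "surname"): "Last Name",
    ("hr.staff", "addr"): "Street Address",
}

def cells():
    """Yield (source, row_number, column, value) for every field."""
    for source, rows in DATASOURCES.items():
        for n, row in enumerate(rows):
            for column, value in row.items():
                yield source, n, column, value

def naive_search(term):
    """Unscoped query: substring match against every field in every source."""
    t = term.casefold()
    return [(s, n, c) for s, n, c, v in cells() if t in v.casefold()]

def class_scoped_search(term, data_class):
    """Scoped query: whole-value match, only in columns of the chosen class."""
    t = term.casefold()
    return [(s, n, c) for s, n, c, v in cells()
            if COLUMN_CLASS.get((s, c)) == data_class and v.casefold() == t]

def narrowed_rows(*terms):
    """Rows matched by every (term, class) pair, e.g. last AND first name."""
    hits = [{(s, n) for s, n, _ in class_scoped_search(t, k)} for t, k in terms]
    return sorted(set.intersection(*hits))

if __name__ == "__main__":
    print(len(naive_search("Lee")), class_scoped_search("Lee", "Last Name"))
    print(narrowed_rows(("Lee", "Last Name"), ("Jennifer", "First Name")))
```

The last-name-only query still returns a record for a different person named Lee, which is the kind of third-party data a reviewer has to separate out before responding.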

To build a query, click on the Search tab in the navigation bar and enter your query using the + and - buttons. You can select which Class of data you want to search in and only conduct your query within that class of data. You can also select multiple databases to search across simultaneously.

The results are output below, including a historical record of what you searched. Based on the results, you can either narrow or widen your search query until you are satisfied with the results.

Building a DSAR Query with a Custom Class

A secondary method to build a DSAR query is to build a custom Class. If you are not familiar with Classifiers and Classes or building custom classes, we recommend you check out our tutorials on Classifiers and Classes.

Let's say we want to find Jennifer Lee's information again across all of our datasources. We can do that very easily by building a customized classifier using a "Dictionary" type Class. First go to the Rules tab and click "Create New Class". You can choose whatever name and category you like. We'll call it "Jennifer Lee DSAR Request", categorize it as Personal Data, and select Dictionary as the detection rule type.

After saving the new class, we can click on the "Load Entries" button to start building the class. Now, while AI classes require a lot of data to function well, a dictionary must be precise, because it returns a hit on any text element that matches one of its entries. So we only want to enter data here that is relevant to Jennifer Lee's known personal data. Let's use the following and click "Save Entries":

Now we have a (rudimentary) class built that will return a match if any of these (complete) text elements are found in the datasources that are scanned.

Lastly, we will want to add this new Class to a Classifier. You can also give it other Classes if you want to return other types of data for some reason, but for this tutorial we're going to make a single-Class Classifier. Back in the Rules tab, we'll click "Create Classifier" and call the new Classifier "Jennifer Lee DSAR Request Classifier". Finally, we'll scroll down the list of possible Classes, click our newly created Class "Jennifer Lee DSAR Request", and click the "Create Classifier" button at the bottom.

That's it! Now we can use this Classifier throughout our datasources to run a customized query across any of the datasources that we have connected. See our article on scanning datasources if you need more help.

If you have any questions or concerns, please feel free to contact us at any time at [email protected] or +44 20 8133 7236 / +1 415 800 2913 (Monday-Friday, 8:00-17:30 London time).
