You Received a Data Subject Access Request (DSAR), Now What?

DSARs are one of the most time consuming parts of the General Data Protection Regulation (GDPR) and dreaded by many organizations. One lawyer that we spoke to said that some organizations are spending upwards of $50,000 to fulfill DSARs and often end up settling monetarily with a Data Subject instead of actually fulfilling the DSAR. Additionally, DSARs are time-bound (within 30 days), so you need to be able move quickly as an organization.

The Data X-Ray can help assist you in:

  • Establishing data gathering processes to ensure that you can respond to a subject access request without undue delay and within one month of receipt.
  • Carrying out the data discovery portions of those processes in a few button clicks.
  • Understanding if a request includes information about others.

In this article we'll explain how to build Data Subject queries in two different ways so that you can vastly reduce the time it takes to fulfill a DSAR.

Note: the Data X-Ray is designed to find the relevant electronic data but does not actually build a DSAR response, which should also include human intervention to determine whether the data to be provided is adequate and accurate, anonymizing irrelevant data, and actually compiling the data in a readable format for the Data Subject. Further guidance on DSAR fulfillment is available on the ICO (UK GDPR regulator) website.

Building a DSAR Query with the Search Tool

Search is the easiest way to build a query and gives you, the end user, vastly more control over precisely which records you want to search for. Search also lets you simultaneously query all of the datasources within your organization.

The biggest problem in searching across multiple databases is false positives. With normal database and datasource queries, if you search the last name "Lee", for instance, you will most likely get thousands of results back as the word "Lee" can be not only a last name but also a first name, street name, etc. The Data X-Ray solves this by first pre-classifying your data using a machine learning algorithm and then once it is confident that any particular group of data is of a certain class (last name in this case) it will conduct the search for "Lee" only in that class.

To start, click on the "Search" tab on the navigation bar. You will be presented with a screen that looks something like the below and has an audit trail of past searches that have been conducted in this organization account. You can click on each search in the Name column to view the details and audit history of the searches. You can click on the Latest Results column to jump to the latest results for each search.

To build a new search, you need to click on the "Create New Search" button. This will take you to the page below, which provides you several options.

Name (Optional): this is optional but helps to keep track of the search subject. For instance, to carry out a data subject access request (DSAR) for "Robert Lee" you might call this "Robert Lee DSAR"

Query: There are several options: Term Search, Dictionary Class Search, and Data Entity Search. You can also combine multiple search options to refine your search.

  • Term search is a very large net that will return hits of the text string that you input. If you enter "Lee" you will get all results containing the text string "Lee", regardless if they are first names, last names, streets, or more.
  • Dictionary Class Search uses the Classes in the Rules section that are dictionaries. This is useful for using pre-configured large classes (like finding all former employees) without having the rebuild a search using Term Searches each time.
  • Data Entity Search will allow you to pre-filter text according to their class. You can use the machine learning results to only return text strings "Lee" that also match Last Name (English).
  • Query: There are several options: Term Search, Dictionary Class Search, and Data Entity Search.

Select Datasources: you can also conduct the search over multiple datasources simultaneously regardless of datasource type or the file types contained therein.

You will be taken to a screen that allows you to manage a search. This will persist so you can go back to the same search to refine and audit it over time.

After clicking "Run Search" (this may take a several minutes to an hour depending on the amount of data that you search), you will have the results available to you. You can jump to the latest with the "Go To Latest" button or scroll through an audit trail of the search history in the Search History section. In the results screen you also get some performance metrics to see how many hits you are getting over time.

Building a DSAR Query with a Custom Class

A secondary method to build a DSAR query is to build a custom Class. If you are not familiar with Classifiers and Classes or building custom classes, we recommend you check out our tutorials on Classifiers and Classes.

Let's say we want to find Jennifer Lee's information again across all of our datasources. We can do that very easily by building a customized classifier using a "Dictionary" type Class. First go to the Rules tab and click "Create New Class". You can call the name and category whatever you like. We'll call it "Jennifer Lee DSAR Request", categorize it as Personal Data, and select Dictionary as the detection rule type.

After saving the new class, we can click on the "Load Entries" button to start building the class. Now, while AI classes require a lot of data to function well, dictionaries must be precise because they will return a hit on a text element if it is listed in this entry. So we only want to enter data here that is relevant to Jennifer Lee's known personal data. Let's use the following and click "Save Entries":

Now we have a (rudimentary) class build that will return a match if any of these (complete) text elements are found in the datasources that are scanned. 

Lastly, we will want to add this new Class to a Classifier. You can also give it other Classes if you want to return other types of data for some reason, but for this tutorial we're going to make a single Class Classifier. Back in the rules tab, we'll click "Create Classifier" and call the new Classifier "Jennifer Lee DSAR Request Classifier". Finally, we'll scroll down the list of possible Classes and click our newly created Class "Jennifer Lee DSAR Request", and click the "Create Classifier" button at the bottom.

That's it! Now we can use this Classifier throughout our datasources to run a customized query across any of the datasources that we have connected. See our article on scanning datasources if you need more help.

If you have any questions or concerns, please feel free to contact us at any time at [email protected] or +44 20 8133 7236 / +1 415 800 2913 (Monday-Friday, 8:00-17:30 London time).

Did this answer your question?