Assessing the impact of GDPR and DSARs on your organisation


Now that we’re a year-and-a-half into what has been a seismic shift in the world of data privacy, it’s a good time to ask: How has the GDPR been treating you and your organisation? Have you reached a point of compliance, or are you still working out how to get there? Are you able to handle DSARs (Data Subject Access Request) effectively?

Based on a survey launched in May of this year, it could be 50/50 for you – or worse. Security testing firm ImmuniWeb found that half of the 100 most-visited websites in 28 EU member states ended up falling short of the GDPR requirements. And those were the websites with the most traffic. In other words, they’re the companies you’d have expected to be ready by the GDPR launch date.

When Microsoft opened its self-service DSAR portal in compliance with the GDPR, it received 18 million data requests in the first year. More than 6 million of those actually came from the United States—which shows the breadth of this regulation. How many organisations really have the manpower and labour hours to devote to something like this?

Neither the risks nor the expenses are sustainable, and many businesses don’t suddenly have the budget to hire new employees to take on new regulations. That’s why it’s important to develop a solution that is efficient, comprehensive, automated, and – if possible – utilises technologies that are already in place at your organisation.

The Technology Solution to the DSAR Problem

If you have technology that is helping you with DSARs, you’re in a better spot than many other organisations are. If not, you’re probably looking for more help with your DSAR workflow to increase efficiency in processing these requests. Either way, a good technology solution has a few requirements:

  • An accurate, comprehensive data inventory. This is the foundation of the entire process: It gives you the ability to find all responsive information in your control. This means that your inventory should “not only” tell you what personally identifiable information (PII) you have access to, but where that data lives.
  • A portal for DSARs that is both easy to use, and routes as many requests as possible directly into the fulfilment workflow.
  • A way to automate (as much as possible) and manage this workflow—from authenticating the requestor’s identify to finding, reviewing, and producing their data. Depending on how many requests you expect to receive in a given month, the automation aspect becomes a more and more important factor. How many requests do you anticipate receiving, and how many more would you anticipate if you suffered a data breach? Compliance becomes more critical to your reputation and bottom line after a breach.
  • An actionable way to handle that data. This means that you’re able to examine it before you collect it, understand the retention schedules involved, reach data volumes across multiple locations, understand which third parties that have access to the data, and know where duplicate data is stored. You’ll also want a solution that allows you to delete the data, preserve it (due to an internal investigation or legal hold), and move it to where it belongs.

If your organisation has these pieces in place, you’ll have the foundations to establish an effective DSAR process and help you work towards compliance and avoid fines. If not, then it’s time to start taking a closer look at your organisations GDPR compliance and data privacy practices.

Find out how Exterro can help your organisation meet these challenges and opportunities.