GDPR-EU General Data Protection Regulation

Health monitoring of returning workforces, widespread unemployment and job market disruption during 2020 are expected to trigger a surge in DSARs as the pandemic subsides.

The data subject access request, or DSAR, is the most widely exercised and arguably most notorious individual right afforded by the EU General Data Protection Regulation. As the world returns to some degree of normalcy following the COVID-19 pandemic, organizations with employees in the EU and UK should prepare for a likely rise in the frequency of DSARs from current and former employees.

DSARs from current and former employees tend to be some of the most expensive from both a time and resources perspective. The scope of these requests may include information collected to provide oversight of workplace safety and employee health, as well as discussions about the health of individual employees and even workforce and resource decisions in the wake of the pandemic.

Predating the GDPR, the "right of access" affords data subjects the presumptive right to request access to, or copies of, personal information about themselves held by a data controller. The amount of data falling within the scope of requests can stretch far across the breadth of electronically stored information, from myriad file types and records to unstructured data sources, emails and more. Pinpointing the information and delivering it to a data subject in 30 days (or 90 days with potential extension) will pose a significant challenge for employers across the EU and UK.

Employee DSARs a Top Data Privacy Complaint

In 2019, the first full year of implementation of the GDPR, data protection complaints related to DSARs were the single highest complaint category received by both the Irish and UK data protection authorities (29% and 38%, respectively). Further, in its 2019 annual report, the Irish data protection authority identified HR/employment disputes as a specific driver of complaints, with concerns about workplace surveillance and adequate response to employee DSARs among the topics, saying, "Disputes between employees and employers or former employers remain a significant theme of the complaints lodged with the DPC, with the battle often staged around a disputed access request."

Across the UK, businesses spend an average of £1.64 million ($2.1 million) on DSAR responses, with current and former employee DSARs taking up the most resources. Searching across the sheer volume of data in email, shared files and even collaborative working applications can be a daunting task, and several DSARs in quick succession can overwhelm even the most diligent and prepared privacy and DSAR response teams.

Streamlining with an E-Discovery Approach

In recent years, many data protection officers (DPOs) and privacy teams have turned to eDiscovery providers to assist in DSAR response. The data collection, analytics, search optimization and redaction tools so frequently handled by discovery teams can be hugely beneficial in streamlining DSAR collection as well. Further, discovery processes can lend a tried-and-tested solution to DSARs that is well-suited for even the widest-reaching data requests.

That said, DSAR response can differ significantly from traditional discovery, and providers will be wise to consider the following in tailoring their approaches for client teams tasked with DSAR response:

Look for synergies with the existing DSAR process: As noted, DSARs predate the GDPR, and therefore most teams will have an existing process. In seeking to bring discovery solutions to bear on DSAR response, be mindful of existing processes and look for synergies and adaptations to make the transition to using discovery tools as seamless as possible.

Consider "search-hits-only" review: Data collections for DSAR response may be wide-reaching, but response windows are fixed and time is generally of the essence. In most cases, a "search-hits-only" review will be preferable, concentrating the team's review of documentation only on search term and keyword hits themselves, ignoring any attachments, or "document families," that do not contain those hits. Bringing in full families may be necessary for context, but generally won't be needed for the review itself.

Document and agree on terminology: It's crucial to note, though, that terms such as "search-hits-only review" and "document families" will be unfamiliar and potentially confusing to teams that have not been exposed to discovery processes in the past. Explaining e-discovery terminology or using alternative, "layperson" language may be necessary, as will detailing the relative pros and cons of various approaches, discovery procedures and review processes.

Explore continuous active learning for complex requests: Depending on the scope of the universe of documents for review and size of the review team in place, a continuous active learning review model may be preferable. CAL will not only afford the team an opportunity to begin reviewing immediately, but will also give early insights into the range of documents potentially containing the data subject's information and condense the amount of time necessary for review. In every case, explaining the relative advantages of CAL versus a more traditional or linear review is a must.

Determine form of production: Finally, productions are the aspect of applying discovery processes to DSAR response that diverges most from established practices, and teams must carefully consider how to handle this process effectively. Unlike in discovery, where disclosing original records to opposing parties is required, in a DSAR, data subjects only have a right to obtain their own personal information. There is no obligation to provide complete original documents, and most teams will not wish to do so. Accordingly, implementing a process for providing document excerpts, extractions and/or specific rows, columns or pages will be necessary and advantageous for the DSAR teams charged with response. Doing so will require revising traditional discovery methods and considering novel approaches.

A surge in DSARs is likely post-pandemic, and discovery processes offer many advantages for internal response teams in unprecedented times. However, discovery providers seeking to assist clients in their DSAR response need to craft collaborative, innovative approaches that are directly suited for each team's DSAR response challenges. We're in uncharted territory on both sides, but the advantages of building new solutions for new problems offer exciting opportunities for all teams involved.

Ryan Costello, Esq., CIPP/E/US, is head of data privacy engagement services at ProSearch, a leading provider of comprehensive discovery solutions to corporate legal departments and law firms. A U.S.-licensed attorney and expatriate based in Europe for more than 10 years, Costello has cultivated an expertise in data protection and data privacy compliance. He assists organizations in remediating cross-border discovery risks, utilizing data management solutions and innovative technologies.