DSAR study

by Mark Rowe

New research by BSI (British Standards) suggests that over half of European organisations have no fixed method in place for responding to Data Subject Access Requests (DSARs). The research, by the Cybersecurity and Information Resilience division of BSI before the GDPR comes into effect tomorrow, also highlighted that a third of European businesses rate themselves as highly likely to receive a DSAR.

A DSAR is the legal mechanism which allows European citizens to obtain a full account of all personal data an organisation holds on them, an explanation of why this information is being held, and copies of this data should they wish. The GDPR, BSI says, has greatly increased citizens' awareness of their rights as data subjects; in addition, organisations processing or collecting personal data on EU citizens will no longer be able to deter requests by charging a fee (currently UK organisations may charge a fee of up to £10, or £2 if it is a request to a credit reference agency for information about financial standing only) for responding to a DSAR. All companies will need to comply with stricter rules concerning the data protection and privacy of data subjects (citizens) within the EU under the GDPR. Failure to comply could result in fines of up to €20 million or 4 per cent of an organisation's annual global turnover.

While the submission of data requests by private citizens is not new, the process is about to get significantly easier under the GDPR, BSI adds. The channels through which an organisation can receive a DSAR have expanded beyond the traditional postal or email routes: a request can now be made verbally in person, through a live chat portal, verbally over the phone, or even via social media channels. The research also asked respondents what budget they would allocate after May 25 to handling DSARs; one in five organisations estimated a cost of up to 28,000 euros.

Under the GDPR, organisations will now be expected to complete DSARs within one month, rather than the existing 40-day timeframe. Sources of data within an organisation can include CCTV footage, phone call records, web chat logs, CRM records and order history. Where a DSAR relates to an employee, it can also include all emails, any meeting minutes in which the employee's name is mentioned, and documents or correspondence relating to any work they have done.

Comment

Stephen O’Boyle, Head of Professional Services at BSI, said: “The resources required to undertake a DSAR can be considerable, and shouldn’t be underestimated. Organizations will be expected to wade through huge volumes of data within the reduced one month window stipulated by the GDPR.”

There is also a concern that organisations may face disruptive DSARs from disgruntled customers or ex-employees, those with a personal gripe, or someone with enough knowledge to cripple an organization with an extensive DSAR. As for the UK, Stephen added: “The motive behind DSARs is not always clear but the end result may include significant costs in responding in terms of resources, and the risk of a complaint to the Information Commissioner’s Office if your handling of a request falls short. Preparation is key and organizations who have a structured plan in place and who consider additional supports to aid it, such as additional technology and staff awareness training, will reduce the risk of non-compliance in responding to a DSAR.”

For more on the Cybersecurity and Information Resilience division of BSI visit https://www.bsigroup.com/en-GB/our-services/Cybersecurity-Information-Resilience/.
