In July 2023, just after Nigel Farage’s ‘bust-up’ with the banking world came to a head, it was announced that Peter Flavel would be stepping down as the CEO of Coutts (a high-profile bank owned by NatWest which caters for high-net-worth individuals).
What may have started as a reaction to the loss of Farage’s banking facilities, followed by an apparent breach of client confidentiality, has quickly been turned into a larger conversation about the accessibility of personal information in regulated organisations.
Interestingly, what the most outraged of folk have missed is that Farage did not need to rely on any exceptional investigative journalism to expose Coutts. In fact, the evidence that transformed this story into front-page news was obtained with a legal tool that is available to anyone and has its roots in EU legislation.
Understanding how he did so, and what that means going forward, may yet prove to be much more significant for business operations than any fallout from the Coutts case.
The DSAR Challenge

If you are reading this, then it should come as no surprise that the General Data Protection Regulation (GDPR) provides individuals with the ability to request all the information that an organisation holds on them through a data subject access request or ‘DSAR’.
This mechanism provides individuals with greater control over their data, which in 2024, during an increasingly uncertain business landscape, is essential. However, such requests, like those made under similar US-based legislation such as the California Consumer Privacy Act, demand extensive legal resource from the organisations involved.
Today, for a business seeking to respond to a DSAR, it generally won’t be sufficient to simply consult a CRM (or similar database) and extract the personal data formally held about the requester. The request can also extend to a variety of typical working documents like spreadsheets, Slack messages or, as in the Farage case, email threads.
Even for a relatively modestly sized organisation, a DSAR may involve checking hundreds of thousands of sources across multiple systems to verify whether they contain relevant information.
To exacerbate this challenge, DSARs must be turned around within thirty days of receipt, or the business may risk a non-compliance fine of up to 4% of its global annual turnover (as of March 2024). This is an enormous task for any business, never mind smaller businesses with, say, one unfortunate employee wearing many hats, such as a designated Data Protection Officer (DPO) who is also the IT Administrator. It often presents an additional strain on already overburdened legal and HR teams (if they exist at all).
The role of advanced AI

Since Sarima.io was founded in 2022, we have seen businesses begin to adapt to the reality of DSARs. Some clients have noticed that managing data protection has become easier as they’ve become more familiar with the process and the tools available to the Data Protection Officer (DPO) to handle or control requests. For instance, there are exemption clauses that can be invoked, and being willing to use them can significantly reduce the workload for these organisations.
However, even this response often involves significant resource, and exemptions are by no means a given. Across the board, organisations simply need a more efficient, more effective way of complying with DSARs.

Artificial intelligence, albeit still emerging, has hinted that it can deliver in this space. In essence, responding to a DSAR is about scanning large datasets for the requester’s personal information, compiling the relevant data with an appropriate amount of context, and redacting any personal information which does not belong to the requester before disclosure.
That precise and often nuanced mechanism (which is also highly repetitive where organisations receive multiple DSARs per month) makes AI enablement in this space an excellent use case for the technology.
DSARs are only going to grow in volume over the coming years. Each high-profile case puts the SAR centre-stage, and more individuals become aware of the power they hold to gain insight into how their personal data is used. At Sarima.io we have already seen a significant growth in demand from businesses that have been the subject of SARs by former employees seeking to challenge their ex-employer’s redundancy actions by exposing the business’s decision-making processes.
In 2024 and beyond, many organisations’ cultures and working practices stand to be affected by DSARs. The first job for IT, HR and legal teams is to arm themselves with the tools to manage the coming wave of requests.