We get it.
Running an IT department of one can be incredibly challenging. That lone IT director wears many hats. Often, they are the firm’s data protection officer, the systems administrator, the architect… the list goes on.
Throw in a few subject access requests from a minority of aggrieved ex-employees or clients on top of this and the workload can quickly become a headache. Getting to grips with the legislation and requirements of these requests, searching for related data and redacting relevant documents can all ‘get on top’ of you very quickly.
We have asked our largest clients how they manage these challenges and, from their answers, distilled a simple checklist to help the “IT dept of one” manage subject access requests without losing their mind:

Prioritise SARs
Not all SARs are created equal. Some are malicious or weaponised, with one purpose in mind – to drain your time and resources. Start by prioritising SARs based on their urgency and the sensitivity of the data involved. This will help you allocate your precious time more efficiently.

Document Procedures
Develop a clear and efficient workflow for handling SARs. This should include the steps to follow, responsibilities, and timelines to ensure consistency and compliance: an SOP, if you will, that shows your organisation’s mechanism for management. Sometimes a simple spreadsheet that keeps track of this can help.

Educate yourself
Take a brief look at the Information Commissioner’s Office website, which advises data owners on processing Subject Access Requests: https://tinyurl.com/yp74mfz5

Regular Audits
Conduct regular audits of your data management processes to identify areas for improvement and ensure that you are consistently compliant with data protection legislation. This may be a manual quarterly task, or you could consider using an automated auditing platform for this purpose. Having a clean and tidy data estate makes searching data for SARs much easier!

Communication
Consider using a free or paid email automation tool to keep the requester informed at set time intervals. Remember - 64% of subsequent complaints from requesters stem from simply not being informed, even if their request is being processed effectively internally.

Outsourcing
Consider outsourcing the data search process to specialised companies like Sarima.io. They have expertise in data search and can significantly ease your workload by efficiently managing SARs as a managed service on your behalf.
The sheer volume of data and the complexity of SARs can be overwhelming for an IT director and other staff members with data responsibility, especially when these requests are deemed to have been ‘weaponised’ against an organisation for a variety of reasons.
We hope the above helps you to streamline your processes and make life easier! Additionally, if you are spending too much time dealing with subject access requests or you are concerned about a particular request right now – do get in touch with one of our consultants using the form at www.sarima.io and we’d be happy to take a 10-minute consultation call on your particular challenge. It’s completely free, and you are under no obligation to purchase our products or services.
At Sarima Ltd, we have extensive expertise in searching data for SARs, together with relevant and recent experience of data owners’ requirements under GDPR, and we can help make life easier by ensuring that SARs are managed in a compliant and efficient manner.
*Please note however we are not a Law Firm and not authorised to provide specific legal advice on any specific case*