When the European Union’s General Data Protection Regulation went into effect in May 2018, it posed a challenge for many organizations. But with more than a year of experience under their belts, most have been able to work through the growing pains of compliance and settle into new operational routines. Now that most of us have handled the details of achieving initial compliance, we have a great opportunity to improve the efficiency and effectiveness of the processes that we put in place during the early days of GDPR.
One of the areas where I see the greatest room for improvement is the handling of data subject access requests (DSARs). GDPR Article 15 provides the subjects of data records with the right to inspect and request the correction of their personal information. For large financial firms with data spread across many systems, this can be a challenging undertaking. Let’s take a look at four DSAR requirements and how organizations can optimize their efforts.
1. Authenticating Requests
GDPR requires that organizations authenticate any requests for personal information to ensure that they are delivering that information only to the individual named in the records. In some cases, the user has an existing authenticated relationship, such as a customer account, making this process simple. However, many times data subjects do not have this type of pre-existing relationship and must prove their identity through other means.
The most common way that organizations approach this authentication requirement is to ask subjects to send in a scanned copy of their government-issued identification. This approach, however, is fraught with peril because of the ease of forging a scanned or photocopied document.
Organizations seeking to better authenticate data subjects can turn to the information about those subjects stored in their records and ask the data subject to answer a series of questions that only the individual named in the records would know. For example, a bank might ask the data subject to correctly identify credit card transactions or account balance information.
2. Identifying Relevant Data
After authenticating the data subject, organizations must next locate all relevant records. In large organizations with many systems, this can be a complex undertaking, crossing many systems that contain different types of customer data.
Leaders hoping to improve their ability to identify relevant records should build two important inventories that support GDPR operations. The data inventory identifies all locations where personal information is stored in the organization’s systems. The data processing inventory identifies all of the systems and activities that use this data. Combined, these two inventories provide a roadmap for retrieving customer information in response to DSARs.
3. Compiling Responsive Data
Privacy teams can quickly become overwhelmed by the massive amount of work associated with pulling records in response to access requests. Filing a DSAR may take an individual only a few minutes, but manually retrieving records from many different systems may take privacy analysts hours.
Automation is the key to improving these processes and creating a scalable DSAR workflow. If the firm is able to create automated processes that reach into the most commonly used systems, most requests may be fully automated, requiring manual intervention by an analyst only for exceptional circumstances.
4. Delivering Data to Subjects
Records retrieved in response to DSARs may contain sensitive personal information, particularly when the data custodian is a financial institution. The teams responding to GDPR requests must have a secure means of transmitting this information to the data subject to reduce the risk of eavesdropping.
The most effective way to meet this requirement is to use a secure, encrypted portal for data subjects. Requestors access the portal via a one-time-use link that expires after they retrieve the data for the first time. If the requestor wishes to retrieve the data again, he or she must reauthenticate following the same process originally used.
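As an added example that is not part of the original post, the following Python sketch shows how the one-time-use retrieval link described above can be implemented: the server keeps only a SHA-256 digest of each token, the link expires after a time-to-live, and a second presentation of the same token is refused so the requestor has to reauthenticate. The portal URL, the class name and the method names are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class _Grant:
    subject_id: str
    expires_at: float
    used: bool = False


class OneTimeLinkStore:
    """Issues single-use, expiring links for DSAR response packages.

    Only a SHA-256 digest of each token is stored server-side, so a leaked
    table of grants does not yield working links. A token is rejected once
    it has been redeemed or once its time-to-live has elapsed.
    """

    def __init__(self, base_url: str = "https://portal.example/dsar/"):
        # base_url is a placeholder; point it at the real secure portal.
        self._grants: Dict[str, _Grant] = {}
        self._base_url = base_url

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, subject_id: str, ttl_seconds: int,
              now: Optional[float] = None) -> str:
        """Create a link for an already-authenticated subject; returns the URL to send."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy, URL-safe alphabet
        self._grants[self._digest(token)] = _Grant(subject_id, now + ttl_seconds)
        return self._base_url + token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the subject_id the first time a valid token is presented, else None."""
        now = time.time() if now is None else now
        grant = self._grants.get(self._digest(token))
        if grant is None or grant.used or now > grant.expires_at:
            return None
        grant.used = True  # any later presentation fails; the subject must reauthenticate
        return grant.subject_id
```

Serving the download itself (and logging each redemption) is left to the portal; this store only decides whether a presented link is still valid.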
DSARs impose a time-consuming burden on financial institutions around the world. Leaders seeking to improve their organization’s efficiency can apply these techniques to reduce response time and decrease the labor associated with fulfilling a request.
Want to learn more about how CDW solutions and services can help you with compliance and other security-related issues? Visit CDW.com/security.