So what is a DSAR and why should IT professionals care? In short, companies and organisations of all sizes need to know what they are, and what to do if you receive one. The problem is that incoming DSARs can become a hot potato and bounce around HR, legal, IT, data protection, compliance and even marketing departments without clear accountability or ownership.
The Information Commissioner’s Office (ICO) publishes a useful guide on preparing for subject access requests, with one of the requirements being that you carry out a “reasonable search for the requested information”. On top of that, the timeline to respond is one month.
So even if the Data Protection Officer (DPO) is ultimately accountable for the request, without the right processes or tools in place, finding the requested information can be a minefield. No prizes for guessing the first point of call to get that information!
And that’s usually where IT teams become involved in order to locate the personal data, while ensuring that other legal obligations are not infringed in doing so.
According to Kingsley Napley, “technical support is frequently required to identify and review data, and legal input may be needed.” For example, if an ex-employee asks to see all emails and correspondence they were copied on over a two year period, this could be hundreds of thousands of emails, not to mention direct chats and team collaborations in platforms such as Microsoft Teams or Google Workspaces.
As well as the normal jobs of keeping the lights on, ensuring that everyone has working devices, the network is secure, all files are safely backed up, and everything else that goes on in a day, there’s worse news for IT teams.
That’s because these kinds of data requests may not even be limited to DSAR cases. IT are increasingly being asked to help with locating data for internal complaints or enquiries such as:
▶ Read more in this article from our friends at Cryoserver.
Do you think you’re covered?
Cyber preparedness insights from a serving police superintendent
Share this story
We're a community where IT security buyers can engage on their own terms.
We help you to better understand the security challenges associated with digital business and how to address them, so your company remains safe and secure.