Data Subject Access Requests

And why IT should care about them

Data Subject Access Requests (DSARs) were first introduced in 1998, and digital technology has made them easier to submit over time.

So what is a DSAR and why should IT professionals care? In short, companies and organisations of all sizes need to know what DSARs are and what to do if they receive one. The problem is that incoming DSARs can become a hot potato, bouncing around HR, legal, IT, data protection, compliance and even marketing departments without clear accountability or ownership.

The Information Commissioner’s Office (ICO) publishes a useful guide on preparing for subject access requests, with one of the requirements being that you carry out a “reasonable search for the requested information”. On top of that, the timeline to respond is one month.

So even if the Data Protection Officer (DPO) is ultimately accountable for the request, without the right processes or tools in place, finding the requested information can be a minefield. No prizes for guessing the first port of call to get that information!

Enter IT!

And that’s usually where IT teams become involved in order to locate the personal data, while ensuring that other legal obligations are not infringed in doing so.

According to Kingsley Napley, “technical support is frequently required to identify and review data, and legal input may be needed.” For example, if an ex-employee asks to see all emails and correspondence they were copied on over a two-year period, this could be hundreds of thousands of emails, not to mention direct chats and team collaborations in platforms such as Microsoft Teams or Google Workspace.

How else can IT get sucked in?

As well as the normal jobs of keeping the lights on, ensuring that everyone has working devices, the network is secure, all files are safely backed up, and everything else that goes on in a day, there’s worse news for IT teams.

That’s because these kinds of data requests may not even be limited to DSAR cases. IT are increasingly being asked to help with locating data for internal complaints or enquiries such as:

  • One employee is accused of sexually harassing another via their organisation’s Microsoft Teams chats.
  • Instances in which an organisation’s emails are being sent to an unusual address.
  • A director suddenly starts getting lots of unsolicited calls from recruiters.
  • A firm’s customers start being approached by its rival’s salespeople.
  • An industry news outlet gets hold of sensitive proprietary information about a company’s new product.
  • After one company acquires another, ensure employees aren’t still using old terminology from the acquired business.

▶ Read more in this article from our friends at Cryoserver.
