Data Subject Access Requests

And why IT should care about them

Data Subject Access Requests (DSARs) were first introduced in 1998, and digital technology has made requesting them easier over time.

So what is a DSAR and why should IT professionals care? In short, companies and organisations of all sizes need to know what DSARs are, and what to do on receiving one. The problem is that incoming DSARs can become a hot potato and bounce around HR, legal, IT, data protection, compliance and even marketing departments without clear accountability or ownership.

The Information Commissioner’s Office (ICO) publishes a useful guide on preparing for subject access requests, with one of the requirements being that you carry out a “reasonable search for the requested information”. On top of that, the timeline to respond is one month.

So even if the Data Protection Officer (DPO) is ultimately accountable for the request, without the right processes or tools in place, finding the requested information can be a minefield. No prizes for guessing the first port of call to get that information!

Enter IT!

And that’s usually where IT teams become involved in order to locate the personal data, while ensuring that other legal obligations are not infringed in doing so.

According to Kingsley Napley, “technical support is frequently required to identify and review data, and legal input may be needed.” For example, if an ex-employee asks to see all emails and correspondence they were copied on over a two-year period, this could be hundreds of thousands of emails, not to mention direct chats and team collaborations in platforms such as Microsoft Teams or Google Workspace.

How else can IT get sucked in?

As well as the normal jobs of keeping the lights on, ensuring that everyone has working devices, the network is secure, all files are safely backed up, and everything else that goes on in a day, there’s worse news for IT teams.

That’s because these kinds of data requests may not even be limited to DSAR cases. IT are increasingly being asked to help with locating data for internal complaints or enquiries such as:

  • One employee is accused of sexually harassing another via their organisation’s Microsoft
    Teams chats.
  • Instances in which an organisation’s emails are being sent to an unusual address.
  • A director suddenly starts getting lots of unsolicited calls from recruiters.
  • A firm’s customers start being approached by its rival’s salespeople.
  • An industry news outlet gets hold of sensitive proprietary information about a company’s
    new product.
  • After one company acquires another, ensure employees aren’t still using old terminology
    from the acquired business.

▶ Read more in this article from our friends at Cryoserver.
