Posts

Subject Access Requests Solutions

Process SARs in minutes, not days

The Exonar platform provides automated, intuitive and rapid processing of subject access requests (SARs), substantially reducing costs and decreasing disruption to your organisation.

Since 25th May 2018, when the EU’s General Data Protection Regulation (GDPR) came into force, organisations can no longer charge for producing SARs. This means you should prepare for a significant increase in the number of requests your organisation handles. In our recent survey, 57% of individuals said they would want to request their data now that there is no cost.

SARs can be over 800 pages long. Where do we start?

Subject access requests can cross many business units, departments, systems, processes and people. Often the only way to deal with them has been to email line management and request printed copies of the information requested, corralling that information and then sending it to the customer via courier.

There’s an easier way: use technology

Connect to all of the sources of your customer data: emails, databases, Word documents and spreadsheets, in your fileshares or in the cloud. Build an index of all of that information so that you can search it instantly. Use machine learning to guide you to more of the right information and less of the wrong. Manage your SARs online and track them as they progress.

The Exonar platform continuously indexes all of your organisation’s data, meaning producing a subject access request is simple, quick and efficient:

Process, redact and produce SARs directly from the Exonar platform, without needing to scan or photocopy information
SAR dashboard shows you where you are with cases, and who you’re waiting on
Create simple templates to enable untrained users to find information relating to an individual
Review documents without needing to access the originals
Use machine learning to identify and redact personal and commercial information

CCPA Solutions

Generation privacy has begun

In the last 12 months, data privacy has moved from a niche topic to something talked about at almost every corporation’s board meeting.

The EU GDPR, which came into force on May 25th, 2018, covers data held on any EU citizen and imposes new accountability on organizations processing personal data.

With the legislature passing the California Consumer Privacy Act 2018 (AB 375) on June 29th 2018, there is now a similar set of rules governing most organisations holding data on US citizens.

Exonar simplifies compliance with the California Consumer Privacy Act (CCPA) by getting right to the heart of the matter: Finding, Mapping and Managing your data.

How Exonar can help with CCPA

Data Mapping and Inventory

Data Subject Access Requests

Data Portability

Enforcing Compliance

Right To Be Forgotten

Meet the Personal Data Privacy dashboard

Exonar’s Privacy dashboard provides a top-down view of your organisation’s information in relation to the EU GDPR and California Consumer Privacy Act (CCPA).

It shows a comprehensive picture of all the data held which is relevant to these laws, where it is held and its characteristics.

This view will take your organisation beyond spreadsheets and interviews, and into the realm of making well-informed decisions, rapidly.

Where Do I Start

Preparations for CCPA will share many characteristics with those undertaken for GDPR:

Assemble the team: include Executive Sponsors and stakeholders from Legal, Compliance or your data privacy team, people with oversight of your corporation’s technology and its security, and representatives from the key personal data owners in your business (e.g. HR, Sales, Marketing, Customer Service).

Get started with a data inventory. Prioritise information stores likely to contain personal data and those with poor governance. Be practical: start with those that are easy to create an inventory for.

Don’t rely on your corporation’s answers to questionnaires for your data inventory, or you will get an idealistic view of your risk (your head of marketing is likely to say the personal data they process is in the marketing system, forgetting that it got there via email and has been exported into spreadsheets). You will need technology to do this effectively (and we can help!).

Establish a culture of security and privacy and ingrain this into your day-to-day operations. Communicate a simplified overview of CCPA to the key stakeholders.

Create and practise your business processes that will be required to satisfy the rights of the individual (Access to data, erasure, breach notification).

CCPA versus GDPR

There are many similarities and some key differences between GDPR and CCPA. Here is Exonar’s take:

Basis for consent
GDPR – Opt in
CCPA – Opt out

Who it applies to
GDPR – Any organisation holding personal data on EU citizens
CCPA – For-profit entities that process personal data of California residents and meet at least one of the following:
  • Do $24 million in annual revenue
  • Hold the personal data of 50,000 people, households, or devices
  • Do at least half of their revenue in the sale of personal data

Rights for individuals
GDPR – Access to data being held, right to erasure, correction, objection to automated processing. Right to notification if there is a data breach.
CCPA – Right to disclosure of, and objection to, who data is being sold to; no discrimination if the individual objects to data being sold. Right of access to data being held. Right to know how personal data is being used. Right to know who data has been provided to.

When does it come into force
GDPR – May 25, 2018
CCPA – Jan 1, 2020

Financial penalties
GDPR – 4% of turnover or €20m (whichever is greater)
CCPA – $7,500 per violation. $750 or actual damages for each individual, whichever is greater

Time allowed to respond to a request
GDPR – 1 month
CCPA – 45 days

NB: a California resident is defined as “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.”

The CCPA – The Definitive, Easily Searchable Text

Follow the link below to read the full California Consumer Privacy Act text, with each section clearly marked and searchable.

The legislature passed the California Consumer Privacy Act 2018 (AB 375) on June 29th 2018, and these new rules will now govern most organisations holding data on US citizens.

Read More

GDPR Solutions

Generation privacy has begun

Previously, personal data was owned by whoever collected it. With the introduction of the GDPR, personal data is now owned by the subject. GDPR creates a standardised set of expectations as to how your organisation must manage personal data in this new world.

GDPR has been described by some as the most significant regulatory framework to hit companies since the Sarbanes-Oxley Act. With a stated objective to “give citizens back control of their personal data and to simplify the regulatory environment for business”, it will impact every single European individual who has shared their personal data with an organisation and every single organisation that holds information on any European individual.

Exonar simplifies GDPR compliance by getting right to the heart of the matter: Finding, Mapping and Managing your data.

How Exonar can help with GDPR

  • Data Mapping
  • Data Subject Access Requests
  • Data Portability
  • Enforcing Compliance
  • Right To Be Forgotten

Meet the GDPR dashboard

Exonar’s GDPR dashboard provides a top-down view of your organisation’s information in relation to the EU GDPR.

It shows a comprehensive picture of all the data held which is relevant to GDPR, where it is held and its characteristics.

This view will take your organisation beyond spreadsheets and interviews, and into the realm of making well-informed decisions, rapidly.

Exonar GDPR Workshops

Personalised and conducted at your offices, this session will deliver a phased and prioritised GDPR data management plan that can be actioned and will deliver results immediately.
We’ll share how others are organising their programmes and applying the Exonar methodology to deliver a prioritised plan for discovery and analysis that can be put into action quickly.

Data – the core of GDPR

Data will be one of your primary concerns. The legal and operational requirements that GDPR places on companies are wide-ranging and impact everything from the people employed by the organisation, through to policies, processes and technology. GDPR is clear that individuals have a series of rights when it comes to how their data is collected, stored, used and disposed of by organisations. This means not only do business leaders have a lot to consider in making sure their organisation is able to fulfil their GDPR obligations, but that if they don’t understand where their data is, they won’t be able to comply.

The price is high for non-compliance

The large financial penalties of non-compliance have been frequently reported. However, the risk is far greater than one fine. With GDPR allowing individuals to take class actions against organisations that mistreat their data, any organisation that is subject to a data leak / hacking incident can expect to receive individual lawsuits which will not only increase the financial loss, but also consume vast amounts of time in settling individual litigation.
With this understanding in place, data management becomes the primary activity for any organisation under the GDPR.

Data management begins with discovery

What the GDPR forces business leaders to consider is where every single piece of personal data is across their IT estate – including the Cloud. Taken in this context, the question of the data that an organisation holds on individuals becomes a far more complex one to answer, and one that is going to require time, resource and budget. A thorough approach to data discovery, properly implemented, will lead you to data that you did not know about.

The EU GDPR – The Definitive, Easily Searchable Text

Full acknowledgement to the gdpr-info.eu project, which has a neatly arranged, easily searchable PDF version of the General Data Protection Regulation (GDPR) including its recitals. The EU data protection reform was adopted by the European Parliament and the European Council on April 27th, 2016. The European Data Protection Regulation became applicable as of May 25th, 2018 and replaced the Data Protection Directive.

Read More

GDPR Resources

  • GDPR Preparation
  • Personal Data Brochure
  • GDPR Whitepaper
  • GDPR Definitive Guide

Event Update – Join us for our Exonar meet-up in London

We’re delighted to be partnering with Brown Rudnick who will host a meet-up at their London offices on Tuesday, June 18th.

One year on from the start of the new GDPR regime, Exonar and Brown Rudnick invite you to join us to discuss the trends, issues and lessons learnt from the last 12 months. The session will be followed by a drinks and canapé reception for networking.

Topics will include:

  • Weaponising SARs – litigation friend or foe?
  • GDPR class actions – just around the corner?
  • What data can be excluded from a SAR response?
  • The €50m Google fine

Our panel will feature:

  • Mark Lubbock – Partner (Intellectual Property and Technology), Brown Rudnick
  • Adrian Barrett – CEO & Founder, Exonar
  • Gilbert Hill – CEO, Tap My Data
  • Ben Falk – Founder, Yo-Da
  • Anya Proops, QC – Barrister, 11 Kings Bench Walk
  • (Chair) James Cole – Partner (Corporate), Brown Rudnick

Date: Tuesday 18 June 2019

Venue: Brown Rudnick LLP, 8 Clifford Street, London W1S 2LQ

Time: 18.00 – 21.00

To book your space, please visit: http://exo.nr/meet-up
We hope you can join us!

Free Webinar – The Perfect Privacy Programme. Register Now!

GDPR One Year On: What Does a Perfect Privacy Programme Look Like?

Free Web Conference – Brought to you by Exonar

Broadcast date: 2:00pm, April 24, 2019

One year on from the introduction of the EU General Data Protection Regulation (GDPR), join Exonar and experts from the field in discussing ‘What does a perfect privacy programme look like?’

In this web conference we will hear from our panel of experts as they discuss:

  • What are the necessary components of an enterprise-level privacy programme?
  • How do we optimally assign roles and responsibilities within a privacy programme?
  • How can we most effectively create and manage accurate personal data inventory? (Article 30 – Records of Processing Activities)
  • How do we best monitor for GDPR compliance using both manual and technical controls?
  • What is the best way to deliver privacy training to our employees?
  • What are the most effective tools available to satisfy individual rights? E.g. Subject Access Requests (SARs), Right to be Forgotten, data deletion and retention.

In addition to discussion from the field, our panel will also discuss Exonar’s recent findings based on surveys of 100+ organisations and consumers into:

“What’s Next with Personal Data Inventory?” – Exonar have profiled 100+ organisations’ attempts to create personal data inventory. One year on we ask what monitoring and compliance actions they are now planning to take as a result.

“Consumer Attitudes to Subject Access Requests (SARs): A SARvey” – Exonar have surveyed 100+ consumers to assess their sentiment towards data privacy and the ability to exercise their privacy rights.

There will be a live Q&A session in the final 15 minutes of the webinar so, to avoid missing your chance to contribute, register on the form below:

Host:
John Tsopanis, Data and Privacy Director, Exonar

Panelists:
Ralph O’Brien CIPM, Vice Chair UK Data Protection Forum, Principal Reinbo Consulting
Sophie Payne, Customer Success Lead and Data Scientist, Exonar
Ben Falk, CEO of Yo-Da, Your Data

Book your place now:

Your questions answered – IAPP webinar Q&A

Recently, Exonar organised a webinar hosted by the IAPP. ‘Thriving in Generation Privacy: Capitalising on DSAR Data from the Field’ was a great event with a large number of attendees and a thought-provoking programme that raised a number of questions from the floor. The webinar summary was as follows:

With the introduction of the EU GDPR, the CCPA and other global privacy laws, people have increased expectations of how their personal data will be handled and protected. This is driving up the number of inquiries for data subject access requests and requests to exercise the right to be forgotten. We commissioned our own research into how businesses are coping with the increased demand; the findings of which were remarkable.

If you missed the webinar, you can find it here: http://exo.nr/Watch-IAPP-Webinar

Due to time constraints, it was not possible to address all the questions asked during the webinar, so we’ve gone through them all and you can find a complete list of questions and our answers below:

Q1. Is there any clarity (under EU GDPR Guidance etc) on what personal data can be safely classed under Legal Privilege and therefore remain undisclosed to data subject?

Answer: Where Legal Privilege protects sensitive content within confidential or privileged documents, the sensitive content is to be redacted when providing copies of the documents to the data subject if they have requested access to their personal information for legitimate reasons. Personal information within confidential and sensitive documents still belongs to the individual, and they have a right to request access to it. For instance, an ex-employee may request access to emails about their performance, the contents of which also contain the sensitive information of the client that their performance relates to. The organisation is to redact the sensitive information relating to the client and satisfy the request to access their performance-related data.

Q2. Common challenges (Identifying the data subject) and fake SARs could be a real challenge too – how is this handled?

Answer: The steps you take to identify the individual will be particular to your organisation. In summary, ensure that you are asking for the same amount of verification as you would if that individual were to request their information for any other reason. Practically speaking, this will mean the key identifying information regarding them and potentially some form of identity verification.

Q3. Is unstructured data covered by GDPR?

Answer: Yes, all personal data relating to EU citizens is covered by GDPR.

Q4. What is the percentage of SARs for which you know, explicitly, the reason for submission, as there is no requirement for the individual to state the reason they want the data?

Answer: In practice, with the SARs we handle, it is only occasionally stated why the individual is requesting their data. Sometimes it becomes obvious during the review process, and it may be appropriate to intervene in a different way (for example, if it becomes evident that they are a customer who has a grievance).

Q5. Do you have any recommendations to streamline the SAR intake process?

Answer: Yes, pay close attention to what data you are providing, spread the load and invest in automation where appropriate. We often find organisations default to disclosing lots of context (i.e. the contents of files and emails). In reality, the regulation requires that you disclose the personal data you hold, the purpose, where it is stored, and the third parties you have provided it to. It may be appropriate to provide more information to defuse a situation, but it isn’t a requirement. Exonar can help automate this process. It needn’t take days; it can be achieved in minutes using the Exonar platform.

Q6. How do the regulators prioritise SARs? Aren’t they far busier with data breaches and other more “serious” incidents? In short, if they are inundated with SARs, it could take a long time for a data subject to get a response.

Answer: Satisfying the right to access through SARs is very high on the ICO’s priority list. Jonathon Bamford, the director of strategic policy at the ICO, told us this at a recent Westminster eForum: “Well, actually, the biggest issue that’s raised is subject access, and it isn’t about little changes around if you can charge a fee, or how long it takes or things like that. It’s the core thing about securing somebody’s right to have access to their data, and that’s the biggest thing that we’ve got there, so when I’m talking about data protection back to basics it’s that one. I think the fact that we’ve got Subject Access Request (SAR) complaints up by 98% tells me something. Complaints have increased significantly since May and we’re on track to receive over 43,000 individual complaints by the end of the year, and certainly by the end of quarter 2 we’d received 94% more complaints than we had the year before. So that’s interesting. I think from May to October I think we got 16,000, nearly 17,000 complaints, in the previous period in 2017 that was 7,000. The biggest issue that’s raised is subject access”.

Q7. Are the panel aware of any significant increase in SARs as a result of equal pay (and similar) reporting requirements? For example, if the company holds an employee name and + or – average salary. Are there any exemptions to disclosure that could apply here?

Answer: We’ve asked around and we’ve not encountered this use case before, but in theory, an employee would be able to ask for their ‘relation to average salary’ data if it existed. That employee couldn’t access the details of other individual employees, and can otherwise access aggregate salary details in company reports, so the answer for the organisation is ‘don’t create politically toxic categories of personal data that employees and customers could potentially ask for’.

Q8. Is there any easy way to automate consent management in addition to the information itself?

Answer: There are automated consent management solutions on the market, and we’d be happy to give you our opinion on the solutions we have seen if that helps you.

Q9. Might we see the courts (and potentially the CJEU) eventually rule on SARs that are used abusively and contrary to the spirit, even if not letter, of the GDPR?

Answer: The GDPR already gives organisations the right to challenge the scope and legitimacy of a data subject access request to counter the types of trolling or excessive requesting that some might have expected. There has yet to be a high-profile instance of such an abuse of the SAR rules and I imagine that privacy regulators will respond if that threat does indeed materialise. To this point I don’t think the courts have been given any meaningful incentive to tighten those rules.

Q10. As a non-European/non-American, how do I know if I’m subject to GDPR or CCPA?

Answer: You are subject to GDPR if you hold any data regarding EU citizens.

Q11. How do you collect enough information to verify the data subject without creating another record by receiving that information?

Answer: Under GDPR there are six lawful bases for processing personal data. One of these is legal obligation. As it is your legal obligation to comply with a SAR, this is the basis for processing this information.

Q12. How do you verify the identity of the person requesting the SAR? A qualifier for my question; I’m referring of course to complaints to the regulator concerning unfulfilled SARs.

Answer: See Q2.

Q13. Can a SAR ask for details of technical and organisational measures taken to protect their data?

Answer: The right of access does not include disclosure of the methods used to protect information. However, taking appropriate measures is a legal obligation in itself.

Q14. Don’t SARs also apply to paper records?

Answer: Yes, GDPR is technologically neutral. The regulation applies in two situations; firstly, where processing of personal data is conducted by “automated means,” and/or where processing of personal data is not conducted by automated means, but it forms part of a filing system or is intended to form part of a filing system. This second condition clearly applies to paper filing systems.

Q15. From the average cost of SARs being £525, did any of the organisations who were involved with those SARs who took part in the survey ask the data subject for a reasonable fee? £525 seems very costly to small organisations.

Answer: It is illegal under the GDPR to request a fee for fulfilling a SAR. It is for this reason that organisations must quickly move from a highly costly manual process into embedding an automated SAR solution that can reduce this financial burden long term.

Q16. There are some data breaches caused by a mishandling of SARs, such as the Amazon/Alexa case in Germany. Could you please talk a bit about this? Are there any other similar cases you might share with us, please?

Answer: Your response to a SAR is likely to contain a highly concentrated profile of personal information about the data subject. Using your data privacy impact assessment process, you should classify your SAR response communications as high-risk, and apply the high-risk security controls your organisation uses to protect other high-risk communications and data transfers, e.g. using secure file shares, encrypting the file, sending keys separately, etc. Our advice is, therefore, to apply the high-risk security controls used for other high-risk personal information transfers.

Q17. Given the pending final guidelines on the territorial scope of the GDPR (Article 3), how should entities outside of the EU who are unsure of their nexus respond to a SAR? With regards to Article 3(2).

Answer: GDPR applies to any organisation holding personal data relating to EU citizens. If this is you, you will need to respond to the SAR or you will be in breach of the regulation.

Q18. Is there a danger that some organisations are asking for too much information to confirm proof of identity? Some insist on copy of passport – something I might not be happy to share with a company I might already be unhappy with?

Answer: The IAPP has a great article on this. https://iapp.org/news/a/how-to-verify-identity-of-data-subjects-for-SARs-under-the-gdpr/

Free IAPP Web Conference – Registration Now Open

Thriving in Generation Privacy: Capitalising on DSAR Data from the Field

Free IAPP Web Conference – Brought to you by Exonar

Broadcast date: Thursday, February 7, 2019
Time: 8:00–9:00 a.m. PT, 11:00 a.m.–noon ET, 4:00 – 5:00 p.m. GMT

With the introduction of the EU General Data Protection Regulation, the California Consumer Privacy Act and other global privacy laws, people have increased expectations of how their personal data will be handled and protected. This is driving up the number of inquiries for data subject access requests and requests to exercise the right to be forgotten. Exonar recently surveyed a number of organizations to understand how they have been coping with these new and increased privacy control operations, and the results were remarkable.

Join us for this upcoming web conference to hear from the field about these survey results and more, including:

  • The cost of handling data subject access requests. (U.K. public sector organizations example).
  • What a SAR to a U.K.-based High Street bank resulted in.
  • How the world’s leading tech companies dealt with recent requests for personal data.
  • How organizations are profiting from their privacy programs.
  • The toxic data you’re storing and what to do about it.
  • How companies have prepared for Generation Privacy and what you can do now.

Host:
Dave Cohen, CIPP/E, CIPP/US, Knowledge Manager, IAPP

Panelists:
Adrian Barrett, CEO, Exonar
Phil Lee, CIPP/E, CIPM, Partner, Privacy, Security and Data Protection Practice, FieldFisher, London, U.K.
Steve Wright, GDPR Advisor at Bank of England, CEO, Data Privacy Architect, Privacy Culture, London, U.K.

Book your place now: exo.nr/IAPP-webinar

Exonar has the SARlution to Subject Access Requests

Newbury, UK, November 2018: Exonar has launched a new website to showcase its Case Management Module that can dramatically decrease the time and cost involved in processing Subject Access Requests (SARs).

SARlution demonstrates an easy way to deal with SARs by using Exonar’s platform to find all the necessary personal data digitally, understand how that data is processed and stored and create simple templates to complete SAR cases. The graphical dashboard shows how many SARs have been processed and how many are waiting to be processed and tracks the time to completion.

SARs can be expensive and disruptive to an organisation. To address this Exonar’s platform maintains an up-to-date index of all information. It uses machine learning to understand customer data in emails, databases, word documents and spreadsheets. It’s automated and intuitive, enabling rapid data collation to reduce the time required for processing SARs.

As an example of the complexity involved in completing requests, when an Exonar employee submitted a SAR to their bank – with whom they have been a customer for over 10 years – they received around 800 sheets in 15 reams of paper.

Adrian Barrett, CEO and founder of Exonar, said: “SARs can contain a huge amount of information, often filling two or more courier shipping boxes. Finding, collating and redacting all of this information can hit organisations hard in terms of both cost and time to complete. But the latest technology can dramatically reduce the complexity of dealing with requests, driving down the time required to complete requests from days to minutes.”

SARs and GDPR

SARs were first introduced by the 1998 Digital Protection Act. But since the introduction of the EU General Data Protection Regulation (GDPR) in May 2018, the time that organisations have to complete requests has been cut from 40 days (as per the 1998 DPA) to one month. Organisations must also complete requests free of charge in most cases.

Failure to comply with requests or meet deadlines can expose organisations to new enforcement measures wielded by the UK’s Information Commissioner under the GDPR, including large fines.

But faced with these changes, many organisations will struggle to complete SARs due to the many systems, departments, processes, people and business units often involved when fulfilling a SAR. Exonar spoke to a previous SARs processor within the NHS about the challenges faced when dealing with Subject Access Requests in an under-resourced environment. Read the full article here: exo.nr/SARsNHS

The cost of compliance

The new guidelines present significant challenges to organisations that rely on old processes. For example, Exonar’s recent Freedom of Information research into how the public sector deals with SARs found that the average cost of processing a request is £145.46, but in some cases the cost was much higher such was the complexity of finding data and the associated administration.

The research also found that many organisations failed to meet the deadline for answering Exonar’s FOI requests (requests must be completed within 20 working days). The average response time was 24 days, highlighting the difficulty that many will face complying with requests under the new GDPR requirements.

Exonar’s platform solves these issues by discovering and offering instant visibility of sensitive data so organisations can complete SARs quickly, as well as improving risk management and cyber security.

Barrett concluded: “Exonar’s case management module offers a simple dashboard with a complete overview of SAR cases including detailed reporting and insight into bottlenecks. Easy to create templates allow untrained users to instantly find information related to an individual, and documents can be easily reviewed without the need to access the originals. It makes SAR processing simple and painless allowing the business to free up valuable personnel to focus on the business.”

About Exonar

Exonar solves a problem common to all organisations and their senior information owners: “I just don’t know what I’ve got”. Exonar finds and fixes an organisation’s information, from databases to documents – swiftly and at scale. We use machine learning to understand what’s important, where it is and who has access to it.

Exonar identifies documents containing passwords, customer and confidential information enabling successful governance, risk management, document retention, cyber security and compliance with regulations such as GDPR and CCPA – with ease.

We enable organisations to better organise their information, removing risk and making it more productive and secure. Visit us at sarlution.com to learn how your SAR process can be made quicker, easier and much more cost effective.

Doctor! Doctor! I have a SAR – How Long is the Waiting List?

A First-Hand Account of the Problematic Role of SARs Processing

It’s widely known that resources within the NHS are stretched. So what happens when an institution that is already buckling under the pressure receives a consistently large volume of SARs with tight delivery deadlines? Now that they’re free of charge for the public to request following the introduction of the GDPR mandate in May, it’s not just the NHS who are struggling to manage the pressure of the increased quantity of SARs. Even large organisations with chunkier department budgets are struggling to maintain their current pace of responding to SARs. However, at Exonar, we believe we have a solution that will dramatically reduce human effort in processing SARs, easing the pressure on admin staff across the globe, in any sector.


To highlight the need for more system automation, we spoke to a former NHS employee who shared their insights into processing requests in a recent exclusive interview with Exonar’s Head of Marketing, Dan Welberry. The following points were discussed during the interview:

  • Why do the public need access to their data?
  • The SAR process
  • Privacy and sensitivity of data handled
  • Issues of processing SARs within the NHS
  • Size and scale of requests
  • Turnaround deadlines
  • What would make SARs handling easier?


Why Do the Public Need Access to their Data?

‘Within the NHS, a subject access request is usually raised for one of two main reasons;

  • A patient who requires proof of a case for funding purposes.
  • A family member trying to bring probate to conclusion on behalf of the deceased.’

The Process:

‘Before any request for information is considered, the following steps must be taken:

Image source: Black Country Partnership NHS Trust; Subject Access Request Procedure

http://www.bcpft.nhs.uk/documents/policies/i/1623-information-sharing-sop-03-subject-access-request/file


Since the GDPR came into force on 25 May 2018, organisations can no longer charge the public a fee for processing a SAR.


Privacy, Confidentiality and Sensitivity of Data Handled

‘Whenever assessing a case, the privacy of the individual has always been the most important thing to me. If there was any information required that couldn’t be provided, the request would be declined and I would want to be sure that all the right documents were in place before any records were retrieved. There was always a need to also consider the content with discretion too. There may well be a case where the requested content could contain very private information – information that actually might not be helpful or upsetting to the family and therefore could perhaps be withheld or redacted. Where historical records were requested, there was also a case for reviewing the language used. What might have been appropriate to say a number of years ago may not now be so politically correct today – this too would have to be reviewed.’

Issues With Processing SARs Within the NHS

  • Lack of system automation: ‘One of the biggest issues faced was the amount of manual work required to fulfil a request. I believe this is a huge challenge for the NHS going forward as they simply don’t have the capacity to cope now, let alone handle the anticipated increase after the introduction of the GDPR in May, 2018. Where redaction was required to hide any information, this would be done manually using a black felt tip pen which was massively time-consuming in itself.’
  • Paper to Digital: ‘Prior to 2007, all records held by the NHS were on paper and from 2007 to date it’s probably around 50/50 – paper/electronic. All paper records were therefore required to be scanned. Any Post-It Notes or other attached notes would also need to be scanned without obscuring any content underneath.’
  • Illegible Doctors’ Handwriting: ‘Covering notes present their own set of challenges, particularly when trying to decipher a Doctor’s handwriting!’
  • Single-Sided Responses: ‘Any documents sent out as part of a response couldn’t be double-sided, so single pages only added to the amount of documentation to be issued.’


SAR Size and Scale

‘To give you an idea of the scale of typical requests, I believe the following to be a fair assessment:


Turnaround Deadlines:

‘When considering the delivery time, you have to take into account a number of factors. Firstly, an FOI must be completed in 20 working days, and a SAR will have one month to collate after GDPR is introduced on May 25th (previously 40 days). Crucially, a SAR demanding a one-month lead time means that all weekends and public holidays are included in the time allowance. Whilst the work is being undertaken, all cases must remain on the premises and locked away when not being reviewed. This can result in a fair number of late nights, which of course can be counterproductive when you really need to be very alert.

It’s my opinion that the ICO (Information Commissioner’s Office) provides very little support other than the information provided on their website. This in itself can be challenging as it’s written in a very ‘legal’ way, so it can often feel like taking guidance rather than knowing confidently that you are delivering what’s required. I recall when I started that very little training was given other than a quick run-through of some legislation. This worried me as I soon realised how forceful lawyers and the general public can be!’
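The deadline arithmetic described above, as an added example that is not part of the original interview or of Exonar’s platform: a small Python calculator that applies the GDPR one-calendar-month rule as the ICO’s published guidance describes it (the corresponding date in the following month, or the last day of that month if there is no such date, rolling forward to the next working day when it lands on a weekend or bank holiday) alongside the FOI rule of twenty working days following receipt. The bank holiday set is a constructed sample for England and Wales in 2018, and the ICO’s calendar-month rule is an assumption taken from its guidance rather than from the page; a real case-management system would load the official holiday list.

```python
"""Compute SAR (GDPR) and FOI response deadlines against a working-day calendar."""
from datetime import date, timedelta
import calendar

# Constructed sample: England and Wales bank holidays for 2018. Assumption: a
# production system would load the official list rather than hard-code it.
BANK_HOLIDAYS = {
    date(2018, 1, 1), date(2018, 3, 30), date(2018, 4, 2), date(2018, 5, 7),
    date(2018, 5, 28), date(2018, 8, 27), date(2018, 12, 25), date(2018, 12, 26),
}


def is_working_day(d, bank_holidays=BANK_HOLIDAYS):
    """Monday to Friday and not a bank holiday."""
    return d.weekday() < 5 and d not in bank_holidays


def next_working_day(d, bank_holidays=BANK_HOLIDAYS):
    """Return d itself if it is a working day, otherwise the next one."""
    while not is_working_day(d, bank_holidays):
        d += timedelta(days=1)
    return d


def add_one_month(d):
    """Same day number in the following month; if that month is shorter,
    the last day of that month (e.g. 31 January -> 28 February 2018)."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def sar_deadline(received, bank_holidays=BANK_HOLIDAYS):
    """GDPR Article 12(3): respond within one month of receipt. Weekends and
    public holidays inside the month all count; only the final day rolls
    forward if it is not a working day (ICO guidance, assumed here)."""
    return next_working_day(add_one_month(received), bank_holidays)


def foi_deadline(received, bank_holidays=BANK_HOLIDAYS):
    """FOI Act s.10: the twentieth working day following the date of receipt."""
    d, counted = received, 0
    while counted < 20:
        d += timedelta(days=1)
        if is_working_day(d, bank_holidays):
            counted += 1
    return d


def working_days_between(start, end, bank_holidays=BANK_HOLIDAYS):
    """Working days d with start < d <= end: the effort actually available
    inside a SAR window that is measured in calendar time, not working days."""
    return sum(1 for i in range(1, (end - start).days + 1)
               if is_working_day(start + timedelta(days=i), bank_holidays))


if __name__ == "__main__":
    received = date(2018, 4, 28)  # a Saturday; constructed example
    due = sar_deadline(received)
    print("SAR received", received, "due", due,
          "working days available", working_days_between(received, due))
    print("FOI received", received, "due", foi_deadline(received))
```

Running the example with a request received on Saturday 28 April 2018 gives a SAR due date of Tuesday 29 May 2018 (28 May is a bank holiday, so the day rolls forward) and only 20 working days in which to do the work, because the two May bank holidays and the weekends sit inside the calendar month; an FOI received on the same day also falls due on 29 May. A case-management dashboard that tracks deadlines would compute the due date from the date of receipt, whether or not that was a working day, and count down from there.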


What Would Make the SAR Process Easier Within the NHS?

‘During my time at the NHS, I often thought about how much easier the whole process would be with technology. I accept that the manual process of scanning would still be required, but the reading and redaction process could be completed in a fraction of the time. Consider these further issues once the collation process is complete – all impacting further on time and resources:

  • The office printer being out-of-use or out of ink due to the amount of pages being printed and delaying colleagues.
  • The need to use courier services to deliver vast amounts of paperwork.
  • The need to package up various parcels to be sent via recorded delivery.
  • The need to compress files where documents can be sent via email.
  • The need to send out multiple emails due to the amount of data being sent.
  • Formats and file types that can be read by the user, as well as platform compatibility, i.e. Mac vs PC.
  • Secondment of staff to achieve delivery deadlines.
  • FOI requests delayed whilst SARs take priority.

Having watched a product demo, it’s my belief that the NHS and central government would benefit hugely from the Exonar software. I know that from my experience, it would have made my life in SARs delivery so much easier! The initial outlay to install the platform in Trusts across the UK would save the NHS an untold fortune, and it’s here where I believe that Exonar would provide the most value. If SARs can be produced in minutes, not days, this will significantly speed up processes, release some of the burden currently weighing heavily on the NHS and centralise patient documents, allowing for better data security. I can’t think of a single reason why the NHS shouldn’t invest in Exonar – to me, a former data handler on the front line, it’s a no-brainer!’

Do you work in an industry that is buckling under the pressure of SAR requests? We’d love to hear from you. Please retweet this blog using #SARWars and tell us all about your Subject Access Request woes!


Solve the ICO’s Step 2 ‘Document What Personal Data You Hold’


What We’ve Been Reading And Writing This Month

GDPR Data Discovery
Plus – Become a GDPR Millionaire!
PwC and Exonar bring new data discovery and remediation services to market
PwC and Exonar form alliance to bring new data discovery and remediation services to market Partnership will bring together PwC’s world-leading data discovery knowledge with Exonar’s ground…
Preparing for GDPR has completely changed Lloyds’ digital marketing strategy
Two years into preparing for the May 2018 GDPR deadline, Lloyds Banking Group has overhauled its CRM strategy across its major brands to focus on ‘how to’ content rather than product…
How the GDPR will disrupt Google and Facebook
We all know about the Data Protection Act – the rules that govern who gains, keeps and distributes your all-important personal data and how. As headlines of massive data breaches have…
Subject access requests: revised guidance from the ICO -...
The first draft of the Data Protection Bill (DPB) was released on 13 September 2017, following its second reading in the House of Lords. This bill is designed to bring the UK’s data…
Get our free GDPR report
Everything you need to know about the upcoming EU ePrivacy Regulation on the Respect for private life and the protection of personal data in electronic communications and repealing…
Plantatreeforprivacy: the impact of GDPR when privacy regulations change
Millions of UK consumers may submit subject access requests (SARs) to find out what personal information businesses hold on them after the GDPR goes live in May next year, with financial…
We Are Hiring - Marketing Executive - Exonar
Unless you’ve been living under a rock, you’ll have noticed that there are lots of people talking about GDPR – which is a good thing. However, there is lots of nonsense being talked about…
The Somewhat Related Section: Become A GDPR Millionaire
Read the original blog by Rowenna here: http://missinfogeek.net/gdprubbish/ If PCI DSS paid off the mortgage, then GDPR looks well on its way to buy the yacht. But how does one go about…