
Exonar has the SARlution to Subject Access Requests

Newbury, UK, November 2018: Exonar has launched a new website to showcase its Case Management Module that can dramatically decrease the time and cost involved in processing Subject Access Requests (SARs).

SARlution demonstrates an easy way to deal with SARs by using Exonar’s platform to find all the necessary personal data digitally, understand how that data is processed and stored and create simple templates to complete SAR cases. The graphical dashboard shows how many SARs have been processed and how many are waiting to be processed and tracks the time to completion.

SARs can be expensive and disruptive to an organisation. To address this, Exonar’s platform maintains an up-to-date index of all information. It uses machine learning to understand customer data in emails, databases, Word documents and spreadsheets. It’s automated and intuitive, enabling rapid data collation to reduce the time required for processing SARs.

As an example of the complexity involved with completing requests, when an Exonar employee submitted a SAR to their bank – with whom they have been a customer for over 10 years – they received around 800 sheets in 15 reams of paper.

Adrian Barrett, CEO and founder of Exonar, said: “SARs can contain a huge amount of information, often filling two or more courier shipping boxes. Finding, collating and redacting all of this information can hit organisations hard in terms of both cost and time to complete. But the latest technology can dramatically reduce the complexity of dealing with requests, driving down the time required to complete requests from days to minutes.”

SARs and GDPR

SARs were first introduced by the 1998 Data Protection Act. But since the introduction of the EU General Data Protection Regulation (GDPR) in May 2018, the time that organisations have to complete requests has been cut from 40 days (as per the 1998 DPA) to one month. Organisations must also complete requests free of charge in most cases.

Failure to comply with requests or meet deadlines can expose organisations to new enforcement measures wielded by the UK’s Information Commissioner under the GDPR, including large fines.

But faced with these changes, many organisations will struggle to complete SARs due to the many systems, departments, processes, people and business units often involved when fulfilling a SAR. Exonar spoke to a previous SARs processor within the NHS about the challenges faced when dealing with Subject Access Requests in an under-resourced environment. Read the full article here: exo.nr/SARsNHS

The cost of compliance

The new guidelines present significant challenges to organisations that rely on old processes. For example, Exonar’s recent Freedom of Information research into how the public sector deals with SARs found that the average cost of processing a request is £145.46, but in some cases the cost was much higher, such was the complexity of finding data and the associated administration.

The research also found that many organisations failed to meet the deadline for providing answers to its FOI requests (requests must be completed within 20 working days). The average response time was 24 days, highlighting the difficulty that many will face complying with requests under the new GDPR requirements.

Exonar’s platform solves these issues by discovering and offering instant visibility of sensitive data so organisations can complete SARs quickly, as well as improving risk management and cyber security.

Barrett concluded: “Exonar’s case management module offers a simple dashboard with a complete overview of SAR cases including detailed reporting and insight into bottlenecks. Easy to create templates allow untrained users to instantly find information related to an individual, and documents can be easily reviewed without the need to access the originals. It makes SAR processing simple and painless allowing the business to free up valuable personnel to focus on the business.”

About Exonar

Exonar solves a problem common to all organisations and their senior information owners, “I just don’t know what I’ve got”. Exonar finds and fixes an organisation’s information, from databases to documents – swiftly and at scale. We use machine learning to understand what’s important, where it is and who has access to it.

Exonar identifies documents containing passwords, customer and confidential information enabling successful governance, risk management, document retention, cyber security and compliance with regulations such as GDPR and CCPA – with ease.

We enable organisations to better organise their information, removing risk and making it more productive and secure. Visit us at sarlution.com to learn how your SAR process can be made quicker, easier and much more cost effective.

Doctor! Doctor! I have a SAR – How Long is the Waiting List?

 

A First-Hand Account of the Problematic Role of SARs Processing.

It’s widely known that resources within the NHS are stretched. So what happens when an institution that is already buckling under the pressure receives a consistently large volume of SARs with tight delivery deadlines? Now that they’re free of charge for the public to request following the introduction of the GDPR mandate in May, it’s not just the NHS who are struggling to manage the pressure of the increased quantity of SARs. Even large organisations with chunkier department budgets are struggling to maintain their current pace of responding to SARs. However, at Exonar, we believe we have a solution that will dramatically reduce human effort in processing SARs, easing the pressure on admin staff across the globe, in any sector.


To highlight the need for more system automation, we spoke to a former NHS employee who shared their insights on processing requests in a recent exclusive interview with Exonar’s Head of Marketing, Dan Welberry. The following points were discussed during the interview:

  • Why do the public need access to their data?
  • The SAR process
  • Privacy and sensitivity of data handled
  • Issues of processing SARs within the NHS
  • Size and scale of requests
  • Turnaround deadlines
  • What would make SARs handling easier?

 

Why Do the Public Need Access to their Data?

‘Within the NHS, a subject access request is usually raised for one of two main reasons;

  • A patient who requires proof of a case for funding purposes.
  • A family member trying to bring probate to conclusion on behalf of the deceased.’

The Process:

‘Before any request for information is considered, the following steps must be taken:

Image source: Black Country Partnership NHS Trust; Subject Access Request Procedure

http://www.bcpft.nhs.uk/documents/policies/i/1623-information-sharing-sop-03-subject-access-request/file

 

Since the GDPR mandate was introduced on May 25th, there are now no fees charged to the public for processing SARs.


Privacy, Confidentiality and Sensitivity of Data Handled

Whenever assessing a case, the privacy of the individual has always been the most important thing to me. If there was any information required that couldn’t be provided, the request would be declined and I would want to be sure that all the right documents were in place before any records were retrieved. There was always a need to also consider the content with discretion too. There may well be a case where the requested content could contain very private information – information that actually might not be helpful or upsetting to the family and therefore could perhaps be withheld or redacted. Where historical records were requested, there was also a case for reviewing the language used. What might have been appropriate to say a number of years ago may not now be so politically correct today – this too would have to be reviewed.’

 

Issues With Processing SARs Within the NHS

  • Lack of system automation: ‘One of the biggest issues faced was the amount of manual work required to fulfil a request. I believe this is a huge challenge for the NHS going forward as they simply don’t have the capacity to cope now, let alone handle the anticipated increase after the introduction of the GDPR in May, 2018. Where redaction was required to hide any information, this would be done manually using a black felt tip pen which was massively time-consuming in itself.’
  • Paper to Digital: ‘Prior to 2007, all records held by the NHS were on paper and from 2007 to date it’s probably around 50/50 – paper/electronic. All paper records were therefore required to be scanned. Any Post-It Notes or other attached notes would also need to be scanned without obscuring any content underneath’.  
  • Illegible Doctors’ Handwriting: ‘Covering notes present their own set of challenges, particularly when trying to decipher a Doctor’s handwriting!’
  • Single Sided Responses: ‘Any documents sent out as part of a response couldn’t be double-sided, so single pages only added to the amount of documentation to be issued.’

 

SAR Size and Scale

‘To give you an idea of the scale of typical requests, I believe the following to be a fair assessment:

 

Turnaround Deadlines:

When considering the delivery time, you have to take into account a number of factors. Firstly, an FOI must be completed in 20 working days and a SAR will be one month to collate after GDPR is introduced on May 25th (previously 40 days). Crucially, a SAR demanding one month lead time means that all weekends and public holidays are included in the time allowance. Whilst the work is being undertaken, all cases must remain on the premises and locked away when not being reviewed. This can result in a fair amount of late nights which of course can be counterproductive when you really need to be very alert.

It’s my opinion that the ICO (Information Commissioner’s Office) provide very little support other than the information provided on their website. This in itself can be challenging as it’s written in a very ‘legal’ way, so it can often feel like taking guidance rather than knowing confidently that you are delivering what’s required. I recall when I started that very little training was given other than a quick run-through of some legislation. This worried me as I soon realised how forceful lawyers and the general public can be!’

 

What Would Make the SAR Process Easier Within the NHS?

‘During my time at the NHS, I often thought about how much easier the whole process would be with technology. I accept that the manual process of scanning would still be required, but the reading and redaction process could be completed in a fraction of the time. Consider these further issues once the collation process is complete – all impacting further on time and resources:

  • The office printer being out-of-use or out of ink due to the amount of pages being printed and delaying colleagues.
  • The need to use courier services to deliver vast amounts of paperwork.
  • The need to package up various parcels to be sent via recorded delivery.
  • The need to compress files where documents can be sent via email.
  • The need to send out multiple emails due to the amount of data being sent.
  • Formats and file types that can be read by the user as well as platform compatibility ie Mac v PC.
  • Secondment of staff to achieve delivery deadlines.
  • FOI requests delayed whilst SARs take priority.

 

Having watched a product demo, it’s my belief that the NHS and central government would benefit hugely from the Exonar software. I know that from my experience, it would have made my life in SARs delivery so much easier! The initial outlay to install the platform in Trusts across the UK would save the NHS an untold fortune, and it’s here where I believe that Exonar would provide the most value. If SARs can be produced in minutes, not days, this will significantly speed up processes, release some of the burden currently weighing heavily on the NHS and centralise patient documents, allowing for better data security. I can’t think of a single reason why the NHS shouldn’t invest in Exonar – to me, a former data handler on the front line, it’s a no-brainer!’

 

Do you work in an industry that is buckling under the pressure of SAR requests? We’d love to hear from you. Please reTweet this blog using #SARWars and tell us all about your Subject Access Request woes!

 

 

 

The Great Data Shake Up – GDPR changes at 100 days and counting

The 5 Key GDPR Changes at 100 days and counting

September 2nd marked 100 days since the General Data Protection Regulation (GDPR) came into force. The new rules marked a much-needed update to the UK’s aging 1998 Data Protection Act.

The update had been a long time coming. So what have we learned so far? Here are five ways that GDPR has shaken up the way we gather, store and process data.

1. Effective data management starts with discovery

With the amount of data collected and stored by organisations large and small, data discovery has played a major role in achieving GDPR compliance.

What’s more, being able to react to changes in user habits and trends, like permanently deleting social media accounts or customer history and interactions, has added complications to data management that must be addressed.

Advances in technology, like Big Data and Machine Learning, have added a level of simplicity to creating a data inventory. When implemented correctly, these principles can be used as part of an eDiscovery and data mapping process with the ability to rapidly find and categorise data and to do so on an on-going basis – ensuring continual compliance for an organisation rather than just at a single point in time.

The added benefit of a digital discovery process is that unknown data is often identified and located. It’s vital that all data is accounted for to ensure compliance. After all, you don’t know what you don’t know.

2. The price of non-compliance

Failure to comply with the GDPR can lead to heavier punishments than ever before. Fines for malpractice have increased from a maximum of £500,000 up to €20 million, or 4% of annual turnover (whichever is higher).

What’s more, individuals can sue a business for compensation to recover both material damage and non-material damage, like distress.

Article 82 of the GDPR states that any person who suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the data controller or processor for the damage suffered.

Therefore, it’s possible that compensation claims could reach huge numbers if a breach occurs on a large scale under the new rules, increasing financial losses as well as consuming vast amounts of time dealing with individual litigation. Just consider the recent British Airways data breach, where BA revealed that 380,000 customer transactions had been compromised. As well as potentially facing an enormous fine under GDPR, it may be the case that every customer will be eligible for compensation.

3. Dealing with SARs

Subject Access Requests (SARs) are not a new component of the GDPR; they were first introduced under the 1998 DPA. However, GDPR has made several changes to the way that SARs (or a Right of Access as they are known under GDPR) operate which organisations must be aware of.

To begin with, organisations can no longer charge for producing SARs, and they have less time to complete them (one month, instead of 40 days).

Exonar’s own research found that many organisations struggled to meet the deadline for providing answers to FOI requests (FOI requests must be completed within 20 working days), highlighting the difficulty that many will face complying with requests under the new GDPR requirements.

The time taken by public sector organisations to respond to an FOI varied from one day to 159 days. On average it took 24 days, with the NHS averaging 27, emergency services 21, central government 22 and local government 23 days.

In another survey Exonar carried out before GDPR came into force, 57% of individuals said they would want to request their data as there is now no cost. This means organisations need to ensure they are prepared for a significant increase in the number of requests they handle.

They also need to ensure they are giving users the data they are expecting. For example, Spotify users recently noticed that although they have access to data download tools, to get hold of all of the data held – such as telemetry or A/B testing – a SAR needed to be sent to Spotify’s privacy team.

But the latest technology can help. Platforms are available that can map and understand any information held and create an index which can then be searched in seconds, no matter how much data is held. This greatly reduces the time and cost of managing data and compliance, and in fact it can reduce the cost of processing a SAR to zero.

4. Understand your data

Achieving compliance with the principles of GDPR is an ongoing task, but it becomes a simple one with added benefits once you understand the data you hold and how it’s processed. A completed audit shouldn’t mean you then stand still. Data should be continually reviewed to better organise and refine management processes.

Removing risk, especially if it’s data that has no value, is vital. When you understand your data, it makes it much easier to identify and act on duplicate, obsolete or redundant data and therefore minimise storing and processing costs.

The latest tools are able to search your sensitive information and index files in any format, no matter where the data is held, such as mail servers or the cloud. This means locating and understanding information like passwords, credit card details and confidential records is simple.

5. Beyond GDPR

Although it applies mainly to data processing, the effects of GDPR are far reaching and a successful programme of compliance often brings additional benefits, such as improvements in efficiency and productivity, tighter cyber security and increased customer loyalty and trust.

Of course, in a perfect world, data would already be stored securely and processes would be in place to ensure continued compliance.

But the good news for any businesses concerned about GDPR compliance and surviving the next 100 days is that the tools mentioned above are all available today. And not only will they help you become compliant, but they will ensure you remain compliant and in control of your data.

Adrian Barrett, CEO and founder, Exonar

To find out more about the tools that can help you to discover and understand your data, visit exonar.com. For specific help with SARs, see sarlution.com.

Exonar joins forces with MyLife Digital – for the good of trees

Newbury based Exonar has joined forces with MyLife Digital to provide an end to end solution to organisations who need to solve their General Data Protection Regulation (GDPR) problems, especially when it comes to Subject Access Requests (SARs).

GDPR has been around for two years and the enforcement date is set as 25th May 2018 – from this date the Information Commissioner’s Office (ICO) will be holding UK organisations accountable to the principles of this legislation rather than the Data Protection Act. As information about the GDPR has been available since 2015, there will be no further grace period – basically, we are already in it.

So, has your organisation used the last two years to prepare for the changes? Do you know where all the data is? Who has access to it? When was it collected and which Privacy Policy was in place at that point in time? How do you retrieve all the information required if a customer requests to see it? – Possibly not, but you are not alone.

Exonar’s GDPR Dashboard supplements the Consentric Permissions offering as a connected software service for end-to-end management of personal data and compliance. When the two technologies are used together your organisation is much better placed to be proactive when it comes to many GDPR requirements.

The GDPR Dashboard can help with data mapping, SARs, data portability and the right to be forgotten. It shows an overall picture of all the data held by an organisation, which is subject to GDPR, where it is held and its characteristics.

In response to research carried out by Exonar, which found that 57% of Britons will submit a SAR – which would result in over 2.2 million trees being felled for paper for printing – a campaign was started. “Plant a Tree for Privacy” requests that for every SAR submitted to an organisation they plant a tree to compensate for the amount of paper required to fulfil the request by donating to the Woodland Trust.

Adrian Barrett, CEO and Founder of Exonar says “I have been involved in technology implementation and organisational change for over 20 years, and have seen many developments, but GDPR is quite the game changer, as significant as anything since Sarbanes-Oxley. Many organisations don’t really know where to start when it comes to the vast quantity of data they hold on customers, employees, suppliers and prospects. And that’s where we come in. Right at the beginning, or step 2 of the ICO’s 12 steps to be precise, we can help our customers to understand what they need and how we can help deliver a solution. Working with MyLife Digital being able to add Consentric Permissions into the mix presents a great opportunity to systematically solve a number of challenging GDPR problems for our customers.”

Consentric Permissions rebalances trust and control of personal data between the organisation and the member. It demonstrates that an organisation complies with data protection legislation by providing digital management for data consent and all the lawful processing justifications defined by the GDPR and the UK Data Protection Bill.

Permissions integrates across the organisation with existing CRMs, Campaign Management Tools, ESPs and other systems. It has both a self-service portal for members and a contact centre portal for staff, using organisation branding to ensure a consistent user experience.

Emma Corbett, Business Development Manager for MyLife Digital adds “It’s a very powerful story especially when it comes to the right to be forgotten and SARs. Giving an organisation the ability to find where personal data is stored and reducing the amount of human intervention between the request submissions and conclusion really speeds up the process and provides the customer with a better experience. Added to the ability to manage their own permissions in a company branded self-serve portal or via a contact centre portal, organisations can really align to the principles of the new regulation. They can be accountable, transparent and empower customers when it comes to the use of their personal data. This will help strengthen trust between both parties, increasing loyalty and protecting the organisation’s brand reputation.”

 

For more information about Consentric Permissions visit: https://consentric.io/solutions/permissions/

www.consentric.io
www.mylifedigital.co.uk
exonar.com
For interview or photograph opportunities contact:
Debbie Betteridge | Email: dbetteridge@mylifedigital.co.uk | Tel: +44 (0) 1225 636 280 (ext. 322)
Mobile: +44 (0)7771 564998

 

Notes to Editors
About MyLife Digital Limited
The MyLife Digital Group operates in the Personal Information Management Services (PIMS) sector, one of the fastest growing and most dynamic sectors in the UK (and global) economy. Existing MyLife Digital Group companies, Wood for Trees and PGIR already have an established, and growing, base of analytics services clients and considerable data science and sector expertise.
MyLife Digital Ltd, Citizen House, Crescent Office Park, Clarks Way, Rush Hill, Bath, BA2 2AF

About Exonar
Exonar enables organisations to better organise their information, removing risk and making it more productive and secure.
To accomplish this, they have assembled a leadership team who understand the regulatory and data challenges organisations face, and as a result, are able to rapidly innovate; adapting to and exceeding client requirements. It is why FTSE 100, Big four consulting firms and household brand names choose to work with the small, fast-growing team at Exonar to deliver their critical projects.
Exonar, 14 West Mills, Newbury, Berkshire, RG14 5HG

A Headlining Week for Privacy, SARs and Err, Trees

Privacy Has Been Hitting the Headlines

What We’ve Been Reading And Writing This Month

Personal Information and Subject Access Requests
Plus – Saving Trees for Privacy?
IDC Insight - Exonar Probes Depths Where No GDPR Solution Has...
When GDPR goes live, people will be able to submit subject access requests to current and former employers
Apple actively promoting Privacy as a selling point but...
At Apple, we build privacy into every product we make, so you can enjoy great experiences that keep your personal information safe and secure.
How the GDPR will disrupt Google and Facebook
…seen in an Apple store in Chicago – Exactly what GDPR should stop
Normally one of the bastions of privacy data, below is a sign that was spotted in an Apple retail outlet in Chicago recently. In essence, it assumes full consent is given for Apple and it’s…
Subject access requests: revised guidance from the ICO -...
At 9.24pm (and one second) on the night of Wednesday 18 December 2013, from the second arrondissement of Paris, I wrote “Hello!” to my first ever Tinder match. Since that day I’ve fired up…
Get our free GDPR report
You have the right to get a copy of the information that is held about you. This is known as a subject access request.
Plantatreeforprivacy: the impact of GDPR when privacy regulations change
Download our report: the impact of GDPR when privacy regulations change
In May next year, the UK’s Data Protection Act will be superseded by the GDPR. The GDPR is designed to give citizens more control of the information organisations hold on them and how that…
We Are Hiring - Marketing Executive - Exonar
SARs can be over 800 Pages long. Where do we start?
I did my own SAR on my own bank. This is it (actually, it’s less than half of the information they hold on me but they filtered the request). Arrived via DHL in 2 huge boxes…
Heineken Pet
The Somewhat Related Section – Planting trees for privacy. Really?
Yes, odd, we know but this 90 second video explains all – we felt bad after the SAR experiment on the left, not just for trees but for the employees that have to generate SARs…