The rise and challenges of DSARs: What companies need to be doing to meet employee requests and filter out maliciously motivated third-party threats

Every employee has the right to obtain confirmation as to whether their personal data is being processed, as well as to obtain access to that personal data and the further information set out in Article 15 of the GDPR.

According to The Rise and Challenge of Data Subject Access Requests (DSARs), One Year on From the GDPR and the DPA 2018 report, 71% of surveyed firms experienced an increase in the number of employee DSARs since GDPR, with employee access requests surging during lockdown, making it harder than ever for companies to meet all the requirements under GDPR. The initial process of identifying all the data held on an employee alone can take weeks out of the mandatory 30-day response period, and 27% have hired new staff to deal with this growing trend.

The report also states that 67% experienced an increase in costs associated with the process of responding to DSARs, which is not surprising considering the increase in manpower needed. 20% of businesses adopted new software or technology to deal with DSARs.

Each DSAR involves a lengthy process: authenticating the employee's identity, informing the appropriate personnel of the request, locating the personal information, extracting and reviewing the relevant information, and delivering the requested information to the employee. This whole process must take place within one month of receipt.

However, the challenges data controllers face in completing a DSAR are complex and include: difficulty in locating data across disparate systems, establishing the legitimacy of the request, an inability to complete adequate searches, time pressures, failure to recognise a DSAR, the rise of the insider threat, being inundated with too many requests, and the financial and human cost implications.

There has also been a significant rise in malicious DSARs. According to a Black Hat USA 2019 whitepaper, approximately a quarter of reviewed organisations provided sensitive information without verifying the identity of the requester, and some companies' initial responses revealed that they did not believe GDPR applied to them due to jurisdictional constraints.

Malicious DSARs can come from disgruntled former employees or from maliciously motivated insiders. The motives range from redundancy and personal grievance to harassment of the organisation, fraudulently obtaining information, or targeting a specific employee. In fact, according to The Rise and Challenge of DSARs, One Year on From the GDPR and the DPA 2018 report, 92% of companies confirmed they had dealt with DSARs connected to a workplace problem.

Therefore, in order to deal with these issues quickly and effectively, it is vital that companies know where their sensitive data is located. A company's inability to locate its critical data assets not only encumbers responses to DSARs, but also poses a major security problem.

The ability to locate, extract and report on sensitive information across disparate systems is the first critical step in responding appropriately to a DSAR. Automated sensitive data discovery and extraction tools can make the process of responding to DSARs fast, accurate and efficient.

Highly automated sensitive data discovery can help to locate and filter valuable, usable and exportable data to support DSAR compliance. Real-time protection allows users to manage the movement of their sensitive data in transit, alerting the end user and system administrator in real time; the resulting alert records can also be used for forensics.

We are clearly in extraordinary times, and companies will need to take this into account in order to comply and to be able to justify their position in the face of malicious DSARs.

DSARs are increasingly being used by employees who are more aware of their rights in the workplace, and this trend is likely to grow, especially now. Consequently, businesses need clear policies and procedures that enable them to handle DSARs in accordance with the GDPR, to avoid breaching ICO regulations and any subsequent enforcement action. The onus is clearly on companies to process a DSAR in an efficient and timely fashion and, most importantly, in line with current regulations.

About the Author

AJ Thompson is CCO at Northdoor plc. Northdoor plc is an IT consultancy specialising in data solutions. With a focus on three areas, Store IT, Protect IT and Use IT, we provide solutions to improve operational performance, infrastructure optimisation (on-premises, cloud or hybrid), IT security, GDPR compliance and business analytics.

Featured image: ©The_Lightwriter