In part one of this blog series, we discussed how subject rights requests (SRRs), including Data Subject Access Requests (DSARs), vary substantially in their requirements because of differences in the volume and variety of data involved and the number of systems in which the data is housed. Applying search-centric workflows to high-effort SRRs creates a risk of failing to include all of the required data within the prescribed timelines (30 days per GDPR requirements and 45 days for the CCPA).
In addition to the cost of fines, failing to use an adaptive workflow for high-effort SRRs can also be exceptionally expensive at over $25,000 per request.1 This blog details how to build an adaptive SRR program by determining which requests to handle through which workflow: a search-centric workflow supported by manual processes, or a review-centric workflow supported by eDiscovery technology.
The following describes the steps required for routine SRRs and high-effort SRRs.
Routine SRRs: Search-centric workflow supported by manual processes
Step 1 – Validate the request as legitimate and define the requirements
Step 2 – Apply search terms within each system in which the requestor’s data resides
Step 3 – Extract and aggregate the data in a staging area or staging document
Step 4 – Verify completeness and accuracy and manually verify that no third-party data is entwined with the requestor’s data
Step 5 – Produce as a single report or as a collection of files
High-effort SRRs: Review-centric workflow supported by eDiscovery technology
Step 1 – Validate the request as legitimate and define the requirements
Step 2 – Collect data expansively across the numerous systems in which the requestor’s data resides
Step 3 – Use advanced stackable search filters to narrow the volume of data for review and leave the irrelevant data behind
Step 4 – Use “find similar” tools and/or technology-assisted review to quickly surface the data relevant to the request
Step 5 – Employ the automated tools to identify people and remediate any third-party data that may be entwined with the requestor’s data
Step 6 – Employ the automated production QC tool and production wizard to process the report
Review-centric workflows are more involved, but they use tools that are essential for extracting significant volumes of relevant data from within very large volumes of irrelevant data. Further, they can be supplemented by managed review teams who are expert in review technology and in the tools applied to detect and secure PII, including third-party PII that might be in the same document as the requestor's data.
Which requests for which workflow?
To determine the appropriate workflow for individual requests, organizations need to track the parameters of each request against the time it takes to fulfill it. As discussed, the key parameters include who made the request (customer, employee, ex-employee), what the request is about (e.g., general customer inquiry, customer dispute, ex-employee grievance), and the volume and variety of data and the number of systems on which the data resides.
Some organizations may find that their IT and data architectures make fulfillment of even routine requests an onerous task without supporting eDiscovery technology. Many organizations will find that high-effort requests share easily identified parameters and that the extra effort of aggregating all potentially relevant data within an eDiscovery platform will pay substantial dividends in reducing the time it takes to review and extract the relevant data. To validate this, organizations simply need to process one or a few high-effort requests via the eDiscovery platform they likely already have access to, and compare the time and accuracy of the results against the time it took to process the request manually.
In addition to reducing overall SRR program costs, adaptive workflows also reduce the risk of fines and the negative impact on brands and customer loyalty. These include the reduced risk of fines for:
- Not finding all of the requestor’s data;
- Inadvertently infringing the rights of third parties in pursuit of the requestor’s rights; and/or
- Failing to meet timelines.
Learn more about eDiscovery workflows in “Efficient data privacy compliance using eDiscovery workflows,” and learn how OpenText Axcelerate and OpenText managed review teams can help you fulfill high-effort SRRs.