Once implemented, a DSAR (data subject access request) system can take several forms. Let’s look at the four most common: fully manual, workflow-driven manual, hybrid workflow, and fully automated.
The first data request implementation option we’ll look at excludes automation altogether. Every step of the process, from the initial form submission to the final provision of data, is conducted by a human.
In a fully manual DSAR, customers might fill out a pre-built form to request their information, or they may call and make their data request over the phone. Once completed, the form is then emailed to the individual or team responsible for processing customer data. The team verifies the requester’s identity, gathers the appropriate data, and sends it off in an easily accessible format. Every step is handled by at least one person. From the outside, however, this data request process can be made to look professional and fully automated since the customer never directly interacts with the privacy team.
The most obvious advantage of a fully manual DSAR setup is its relative simplicity. There’s no need to write code, program certain actions, or deal with software much beyond the request form and emails. It also doesn’t inherently require a huge team of privacy managers, instead centralizing on a single person or small group of people. A small business with a low number of DSARs may be able to get by with a manual system.
Centralizing tasks on one person or small group has a downside, however. People often get sick, miss work, conduct their jobs carelessly, or quit. Customers don’t care though. DSARs will continue coming in regardless of whether your privacy team is out of commission or not. With new data requests arriving, deadlines for old ones looming, and a team that may not be as reliable as you’d hoped, mistakes are far more likely to happen. Worse, since a fully manual process is hard to track properly, you might not even be able to see where a mistake occurred. All these problems will increase exponentially as the company grows. Clearly, even a rudimentary DSAR automation system is the better choice.
A second approach to handling DSARs uses automation to build on a fully manual system with some additional capabilities. A company that can’t immediately spare the time or resources to build a fully integrated program might start here.
As with any type of data request, the first step is a customer submitting a request form. The form submission then triggers the system to notify a human privacy officer (the human in the loop, or HITL) about the request. From there, the privacy officer completes the request by gathering and returning the data, either by themselves or by delegating tasks to others, and then notifies the system that the task is complete.
A partially automated DSAR approach helps the whole process move faster so that a customer will only have to wait between a few days and a few weeks for their data. From the company’s perspective, the inclusion of an automated data request system means that every step is fully tracked and, more importantly, fully auditable. Any complaint or challenge can be quickly addressed with a secure record of the process.
Companies also have the option to integrate slightly more automation into the DSAR process. While the overall structure doesn’t change, company managers can choose which steps of the data request process are handled automatically and which are handled by humans. This could be a company’s long-term solution for DSAR concerns. Alternatively, it could be another step in the process toward what is arguably the best DSAR setup: complete automation.
This system is the ideal that many companies hope to achieve. A fully automated DSAR setup receives the initial data request, verifies the user’s identity, collects their data, and provides secure access to the data, all without any intervention from a human. Every step is conducted and recorded automatically. The only human intervention required is the initial request, saving a significant amount of time and money for nearly everyone involved.
Our signature privacy compliance software, 4Comply, is designed to be easily integrated with any system your company may already be using to store personal information. It can also be configured to support workflow-focused manual processing by humans, a hybrid solution of system integration and manual processing, or a fully integrated system. The degree of integration depends entirely on your company’s schedule and resources to build your ideal solution.
This is an excerpt from our newest white paper, “DSARs: Costs & Solutions”.