In this blog we will discuss:
- Why DSARs Are Important
- Challenges of Responding to DSARs
- Merits of Using AI
- Role of Humans in Responding to DSARs
- Conclusions
Why DSARs Are Important
Data subject access requests (DSARs) play a pivotal role in the UK General Data Protection Regulation (GDPR) in empowering data subjects (individuals) to exercise one of their key rights. Article 15 of the UK GDPR grants data subjects the right to obtain confirmation of whether their personal data is being processed, how it is being processed, whether that processing complies with the Regulation and access to the data being processed.
Challenges to organisations
This requirement, however, has presented many organisations with considerable challenges. DSARs can impact any organisation, although primarily affect organisations which handle significant personal data volumes, including government (national and local) institutions, healthcare, housing associations and large corporations. Many such organisations have struggled with managing increasing numbers of DSARs, some of which are highly complex and often at a time when internal resources have been reduced. The situation has been further exacerbated by a combination of growing awareness and dissatisfaction amongst data subjects of data controllers’ responses to their DSARs, and with the UK’s data protection regulator, the Information Commissioner’s Office (ICO), taking a tough stance on any noncompliance in this area.
ICO focused on DSARs
From April 2022 to March 2023, over 15,000 DSAR-related complaints were received by the ICO which provides a clear indication of the attention that is paid to DSARs and the scale of the issue. Furthermore, in September 2022, the ICO reported that it had taken action against several organisations for failing to respond appropriately to DSARs including the Ministry of Defence (MoD), the London Borough Councils of Lewisham, Hackney, Lambeth and Croydon, along with Kent Police and Virgin Media.
With this as a backdrop, the obvious question is how should organisations best manage DSARs and is artificial intelligence (AI) the answer. Before we look at the merits of AI, let us examine what can make DSARs so challenging for organisations to respond to.
Challenges of Responding to DSARs
Here are just a few examples of the challenges facing organisations when responding to a DSAR.
Logistical
The sheer volume of DSARs can be overwhelming for many organisations, particularly when factoring in the need to respond within the tight 1 calendar month deadline. A particular challenge is the need to triage requests and be able to differentiate the more straightforward requests from the more complex.
Complexity
There are a number of complexity aspects for organisations when responding to DSARs. Firstly, there is the consideration of whether extra time could be warranted and advising the data subject of why. There can be the complexity of retrieving, collating, and reviewing vast amounts of data across different systems. There are also the challenges surrounding the assessment of whether legal exemptions exist and how to apply them. Under the UK GDPR, exemptions would apply for example, if the disclosure of certain information would adversely affect national security, law enforcement, or the rights of other data subjects. An extra layer of complexity is added when personal data is shared with, or received from, third parties and where that information has been shared in confidence. All of these ‘context’ considerations need to be factored in when responding to a DSAR, and when redacting documents.
Unfounded and vexatious requests
It is important from a legal, customer service and administrative perspective to identify if a DSAR constitutes a vexatious or unfounded request. If an individual makes a request with no intention to exercise their right of access, with malicious intent, or for an unreasonable amount of information, the organisation may refuse to comply with an access request. Organisations need to consider the context of the requests and possibly talk to the data subject to understand their needs.
Subject identification
It can sometimes be tricky to accurately verify the identity of the data subject, but this is critical in ascertaining that personal information is not disclosed to the wrong individual. It is also possible under the GDPR for a DSAR to be made on behalf of someone else. In this scenario, a careful balancing exercise should be carried out before disclosure is made.
Merits of Using AI
Some organisations have sought to make the process more efficient by using artificial intelligence (AI) solutions.
Benefits of AI
AI is a broad term for a variety of technologies and methods that often try to imitate human thinking to solve complex problems. Tasks that humans have traditionally performed by thinking and reasoning are increasingly being performed by, or with the help of, machines that can learn and adapt. The branch of AI that deals with the interaction between computers and human language is natural language processing (NLP) and can help in the initial sorting and categorisation of DSARs. A key area where AI can be used is in the automated retrieval of personal data relevant to a DSAR, be that in a structured (e.g., databases) or unstructured (e.g., documents, email) format and can also offer functionality such as eliminating duplicate entries and providing data version control. Naturally, savings in the time and effort required to locate the necessary information can be considerable. Consistency and scalability are also claimed benefits of AI, particularly where large numbers of DSARs are being received. At the same time, there is a heavy dependence on the accuracy of data being entered on systems. If data is incomplete, out of date, or contains errors, the results of the retrieval may be inaccurate or incomplete.
AI systems can also search and retrieve the requested data from various databases, reducing the time and effort required to locate the necessary information. Another key area where AI is being used is in data redaction, where sensitive or confidential information in documents being provided in response to a DSAR are automatically removed or masked. AI systems can be programmed to identify and redact names, addresses, phone numbers, dates of birth, National Insurance or NHS numbers etc. AI can also provide audit trails of any redactions, to comply with regulatory requirements and satisfy the need for transparency.
Need for caution
At the same time, however, there are a number of compelling reasons for being cautious around using AI exclusively to complete DSARs. There are significant concerns around the general lack of transparency and interpretability of AI algorithms across the area of data protection compliance, which makes it difficult for organisations to understand how decisions are being made and to explain those decisions to data subjects.
A fundamental weakness of AI is that when it comes to interpreting and applying data protection laws such as the UK GDPR, there can be no replacement for human judgement. AI, while powerful, may not be as adept as humans in keeping up with evolving legal requirements and ensuring that DSAR responses are compliant. Context is a key factor when redacting a DSAR and leaving in information such as ‘the neighbour at no 10’ or ‘the line manager’ results in information which identifies other data subjects being disclosed and clearly needs to be removed. With AI there is also a risk that it may incorrectly redact information, either redacting too much (undermining the rights of the requester) or too little (potentially exposing sensitive data). Human oversight is often required to verify the redaction accuracy. There can also be a practical issue with AI struggling with complex document formats and handwritten content for example, thereby making redaction less effective.
Using AI may also lead to ethical dilemmas if the system inadvertently discloses information that should be protected, such as medical records or confidential employee data. All these factors can lead to non-compliance, fines, and reputational damage. In URM’s experience, automated solutions struggle with complex or nuanced DSARs that require a human touch.
Role of Humans in Responding to DSARs
As DSARs inherently involve sensitive personal information, relying solely on AI for data retrieval and processing can introduce privacy and security risks. Data breaches and mishandling of personal data can have serious legal and reputational consequences. It is crucial for an experienced practitioner to oversee requests to ensure that sensitive data is handled with the utmost care and that the principles of regulations such as the UK GDPR are fully complied with, e.g., transparency, data minimisation and accuracy, along with adherence to privacy regulations.
DSARs are often the first point of contact between individuals and organisations regarding their personal data. Relying solely on AI can result in a lack of human touch and personalisation, negatively impacting the customer experience. Humans can provide a more personalised and empathetic response to data subjects, potentially enhancing trust and satisfaction levels. This can help, for example, if a ‘large’ access request is made and the requester can be encouraged to narrow down the search, which will make it easier for the disclosure officer to manage the situation and ensure the requester receives relevant, timely information.
By involving skilled human resources in the management of DSARs, organisations and data subjects can benefit in various ways. Not only can human intervention help to reduce the risk and ensure compliance with the UK GDPR, e.g., identifying areas where AI may have missed personal data being stored in decentralised or legacy systems, experienced data protection (DP) practitioners can also help in the initial triaging by identifying and flagging some of the trickier and more challenging requests.
In URM’s experience, where DSAR specialists really come into their own is understanding the context of complex or ambiguous DSARs and making nuanced decisions. This is particularly the case in the identification and application of legal exemptions.
Some of the scenarios where URM has found human involvement to be invaluable are in determining whether:
- The rights of other data subjects would be adversely affected. Often, a requester’s personal data is linked to the personal data of another individual or individuals. If those other individuals do not provide consent for their information to be included in a disclosure bundle, you will often have to balance the privacy rights of one individual (requester) against another (third party). When redacting information, great care needs to be taken not just to redact names but to consider the context and determine whether any indirect information can be used identify another data subject.
- Some other legal exemption applies when responding to a DSAR. There are wide variety of other factors which can lead to exemptions being applied and these include crime and taxation, legal professional privilege, regulatory functions, journalism, health, social and education, management information and confidential references etc.
- A DSAR is manifestly unfounded or vexatious. A vexatious request is often connected with an ulterior motive, e.g., to create a nuisance or possibly as part of some form of negotiation
- A DSAR is manifestly excessive. This can be a tricky assessment where you are basing your decision on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request.
- The identity of the requester has been sufficiently validated.
Conclusions
In summary, AI has made remarkable strides in various fields, and is already providing significant benefits in terms of saving time and effort in the areas of automated data retrievals and in the redaction of personal data. It must be remembered, however, AI is still a developing technology and using it exclusively to complete DSARs can present a number of risks. The lack of context, privacy and security concerns, legal and compliance issues, ethical dilemmas, and the potential impact on customer experience and trust, all highlight the importance of maintaining human involvement and overseeing the DSAR process.
In answer to the question we posed at the start of this blog, URM believes a hybrid approach, combining automation and human resources, may be the most effective solution for organisations managing DSARs. Automation can be used for initial data identification and collection, while DSAR specialists are brought in for reviewing complex requests, checking for context, carrying out the redaction, and packaging the DSAR together for disclosure. This approach leverages the efficiency of AI with human judgment to provide reliable and contextually accurate DSAR responses.
If you need expert support with complex DSARs, URM is ready….
DSAR redaction services
URM’s Data Redaction Team is highly proficient and experienced at dealing with the most challenging, complex and sensitive DSARs, where it is able to apply the appropriate redactions to the relevant documents. It is important to note that URM provides a human, rather than an automated solution, which is widely acknowledged as being far more effective and appropriate for complex DSARs. As guided by the ICO, it’s essential to understand the context of a DSAR and this can only really be achieved where the raw material is read by a human. Following the redaction service, URM is able to package the DSAR together for disclosure. Furthermore, if required, URM is able to act as your representative with the UK regulator where a DSAR is contested.
If you’re looking for support in managing DSARs - get a quote now.
Training services
URM delivers a 1 day ‘How to Manage DSARs’ training course where delegates will learn, amongst other things, how to:
- Recognise a DSAR and determine whether its valid or not
- Liaise with an individual when seeking to clarify a DSAR
- Verify the identity of a data subject
- Deal with exemptions
- Deal with unfounded or excessive requests
- Respond to a data subject and complete a DSAR
- Deal with a data subject complaint to the ICO.
Find out more about the upcoming DSAR Training Course.
Looking for more information on DSARs?
Read our blog Everything You Need to Know about DSARs.
URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, ROPAs, privacy notices, data retention schedules and training programmes etc.
By attending URM’s online BCS Foundation Certificate in Data Protection course, you will gain valuable insights into the key aspects of current DP legislation including rights of data subjects and data controller obligations.
If uncertain, URM is able to conduct a high-level GDPR gap analysis which will assist you understand your current levels of compliance and identify gaps and vulnerabilities.
URM’s blog explores the first provisional monetary penalty imposed by the ICO exclusively on a data processor & the lessons that can be learned from the case.
URM’s blog explores the data protection considerations for data analytics tools, and how to reap their many benefits while still maintaining GDPR compliance.
We look at the requirement within both the DPA and the GDPR to verify the identity of an individual making a request before acting or releasing information