DSAR Background
Growing awareness of privacy has led regulators to introduce new Data Privacy and Data Protection requirements to protect consumer, health, financial and other sensitive information.
In recent years, as data has become digitized, more prevalent, and more accessible, these laws and regulations have become stricter and are being passed more frequently. These laws are passed with the objective of giving control back to individuals over their personal data. However, the Privacy Regulation landscape is becoming more and more complex and compliance is becoming more and more of a challenge.
Recent regulations require organizations to identify and detect personally identifiable information (PII) such as Name, Aliases, Addresses / Locations, SSNs, IDs, email addresses, account numbers, etc. Organizations need to be able to respond and disclose all occurrences of a person’s PII data upon request.
These requests, often referred to as the Right-of-Access and the Right-to-be-Forgotten, are handled by processes called Data Subject Access Requests (DSARs). Also known as a “subject rights request” or a “privacy rights request,” a DSAR is a submission by an individual (or data subject) to a business asking to know what personal information of theirs has been collected and stored, as well as how it’s being used.
Individuals can also use a DSAR to ask organizations to take certain actions with their data, such as deleting it, correcting incorrect data, or opting out of future data collection. Enterprises worldwide are faced with the task of responding to these and thousands of similar privacy requests annually – all of which must be completed within strict time frames. Yet, the current processes to do so are both time-consuming and complicated.
There are several clear and distinct steps that most DSARs go through. The biggest hurdle for organizations is the data discovery process – locating individual identity information within huge volumes of unstructured data. Another key challenge is coordinating within the organization between the different stakeholders that need to be involved in correlating, validating and remediating the detected information. Verifying that the remediation was successful and orchestrating and managing compliant responses to requesters and auditors are other tasks that need to be completed. This is especially difficult, as current processes used to identify, correlate, and remediate the data, as well as manage compliance responses, are prone to errors, and aren’t scalable.
File Access Manager Privacy Engine includes the DSAR Campaign Workflows capability. Automated DSAR campaign workflows leverage AI-driven, NLP-based data discovery and orchestrate data validation, remediation and verification reviews to address complex compliance requirements, enable quick collaboration, and considerably cut processing time, enabling organizations to scan, identify, report on and collaborate over the remediation of Personally Identifiable Information.
DSAR Workflow
Processing a DSAR includes several stages.
- Submitting the request – an individual submits a request for information to be disclosed, removed, or edited.
- Validating the identity – the organization receiving the request must validate the requester identity. This is done to ensure the request is valid and that the information is disclosed only to that particular individual or an authorized proxy.
- Discovering the data – typically the longest stage. All PII information associated with the individual across all of the organization data sources is identified.
- Validating the data – once all PII information is discovered, the data that was found will need to be validated to ensure that it does in fact relate to the data subject.
- Remediating the data – if the requester asked for data to be redacted, updated or removed, this stage will address those requests.
- Verifying – once remediation is complete, ensure the data detected was modified or removed.
- Responding – as part of the DSAR response, all data about the individual and the processing it went through are reported, packaged and securely delivered to the requester.
File Access Manager DSAR campaign workflows address the Data Discovery, Validation, Remediation and Verification stages. Once data is discovered by the privacy engine, each campaign workflow is comprised of these steps:
Phase One – Data Validation
In this phase, the reviewer is presented with the results found based on the campaign DSAR query and scope. The reviewer must review the identified files and decide whether each file should be included in the DSAR processing or excluded from further processing. For example, a file might be excluded because it was detected by mistake.
All decisions made should be committed in order to complete the review level.
The review process can involve multiple reviewers at each stage. However, a decision on each file can only be made by a single reviewer.
When all the results have been excluded or confirmed and committed, the campaign will transition to the data remediation phase. Campaigns transitioning to the Data Remediation phase will see their status change to "Data Remediation in Progress." The status of the campaign may take a few moments to be updated.
Note: Information Disclosure DSAR Campaigns do not include a Data Remediation phase. See the DSAR Campaign Purposes section for more information.
Phase Two – Data Remediation
The data remediation phase will include all files confirmed for further processing. In this stage, reviewers will collaborate by reporting the completion of the remediation task, such as redacting or removing the PII data, or by excluding the files from remediation (for example, because of a competing compliance requirement).
After files have been reviewed and acted on, the reviewer must either mark the files that have been acted on as Done or mark data that cannot be acted on as Excluded.
When all files are marked as Excluded / Done and everything has been committed, the workflow service will change the DSAR campaign's status to Data Remediation – Completed.
Note: The status of the campaign may take a few moments to be updated.
Phase Three – Data Verification
The purpose of the Data Verification phase is to verify that the remediation actions have been performed correctly and that all detected information has been addressed (whether it's removed, redacted or changed).
Once verification has been initiated:
- A task will be created. Wait until it is finished (this can take a while).
- The campaign status will change to Verification in Progress.
When the task is finished, the campaign status will change to Verification is Done.
Note: If the verification task failed, the campaign status will change to Verification Failed.
To view the campaign verification results, navigate to Compliance > DSAR Management > DSAR Campaign Details.
- If the requested campaign query yields results on a file, it will be marked as Failed.
- If the requested campaign query does not yield results on a file, it will be marked as Verified.
- If the requested campaign query yields results but with exceptions, it will be marked as Verified with Exceptions.
- If the file is not accessible or if the file does not exist, it will be marked as Unable to Verify.
In this phase, the administrator or compliance manager can decide to override a failed campaign, reassign it to another reviewer, or force it back into the remediation phase.
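The per-file outcome rules above can be modelled as a re-scan of each remediated file; this is an added example, not File Access Manager code. It assumes any remaining identifier counts as a query result, uses normalized substring matching in place of the product's NLP discovery, and runs on a constructed data subject and files. The Verified with Exceptions outcome is left out because the page does not define what an exception is.

```python
import re
import tempfile
from pathlib import Path


def normalize(s):
    # Drop case, whitespace and punctuation so "000-12-3456" and
    # "000 12 3456" compare equal after a sloppy redaction.
    return re.sub(r"[\W_]+", "", s.lower())


def verify_file(path, identifiers):
    """Return the verification outcome for one remediated file."""
    try:
        text = normalize(Path(path).read_text(encoding="utf-8", errors="replace"))
    except OSError:
        return "Unable to Verify"  # file is missing or not accessible
    # Assumption: any identifier still present counts as a query result.
    leftover = [i for i in identifiers if normalize(i) and normalize(i) in text]
    return "Failed" if leftover else "Verified"


def demo():
    # Constructed data subject and files, for illustration only.
    identifiers = ["Jane Doe", "000-12-3456"]
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "redacted.txt").write_text("Customer [REDACTED], SSN [REDACTED]\n")
        # The name was redacted, but the SSN survives with different separators.
        (root / "partial.txt").write_text("Customer [REDACTED], SSN 000 12 3456\n")
        files = ["redacted.txt", "partial.txt", "deleted.txt"]  # last one never created
        return {name: verify_file(root / name, identifiers) for name in files}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The partially redacted file is the case worth noting: an exact-string search for the hyphenated SSN would miss it and report the file as clean.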
Campaign Details
DSAR Campaign Purposes
Each DSAR Campaign has a Purpose field, indicating the purpose for which the requester submitted the request. The purpose determines which workflow stages are involved and the campaign's final outcome.
- Information Disclosure – designed to find the relevant personal information regarding the individual based on the search criteria set in the DSAR campaign definition. Information Disclosure DSARs include a single-phase review process (a Data Validation Phase), unlike all other DSAR types, which include a two-phase review process. Once the Validation phase is completed, the Campaign will transition to a Completed status.
- Data Redaction (Editing) – designed to find the relevant personal information that needs to be redacted based on the search criteria set in the DSAR campaign definition. Data Redaction includes a two-phase process (Data Validation [phase one] and Data Remediation [phase two]). Once committed, the DSAR goes to the Verification Phase.
- Data Deletion – designed to find the relevant personal information that needs to be deleted based on the search criteria set in the DSAR campaign definition. Data Deletion includes a two-phase process (Data Validation [phase one] and Data Remediation [phase two]). Once committed, the DSAR goes to the Verification Phase.
Campaign Due Date
Each DSAR Campaign has a deadline, the date by which a response is due. When setting up a campaign, the due date can either be a set date, or a period of time after the campaign is started.
DSAR Query
This defines the DSAR search criteria used to identify the data on which to perform the actions. It includes PII data points such as Identifiers, Names and Aliases, Addresses, Emails, and more. Each field can be mandatory or optional in your search.