As will be discussed, Subject Rights Requests (SRRs) are not a single thing but fall on a continuum of effort. For most organizations, the substantial majority of requests are relatively low effort. But high-effort requests, while less frequent, can be an order of magnitude more effort than routine requests. A holistic SRR response program should include good information governance to operationalize strong case management from SRR intake to fulfillment. Investments in privacy management solutions can go a long way toward operationalizing mainstream requests within a holistic program. Such a program also routes high-effort requests to a separate process where eDiscovery platforms are used for their advanced analysis, review and production capabilities.
But you probably don’t need to invest much to reduce the cost of fulfilling high-effort subject rights requests. Most organizations have access to an eDiscovery platform, so the prescription for high-effort SRRs is about getting more value from existing investments. There may be a modest incremental cost associated with additional data hosted in your cloud-based eDiscovery solution, but these costs should be a fraction of what would be spent on manual effort if eDiscovery platforms are not used when they are required.
Hiring Managed Review experts to handle high-effort SRRs is also a valid option. The costs should be marginal or even a net gain given the efficiency that Managed Review experts deliver and the avoided expense on internal resources.
Start with a solid information governance foundation
The root of good data privacy and eDiscovery is to utilize an information governance framework to address privacy risk and data management strategies. Forward-thinking organizations are tackling data sprawl and the proliferation of sensitive data outside of protected zones by knowing what types of sensitive data are stored where and controlling that data by classifying it and applying safe storage policies (access credentials, encryption, etc.). To minimize their sensitive data footprint, organizations also are assessing and remediating sensitive data wherever it conflicts with policy or does not support a business purpose.
Innovation is also a cornerstone of good information governance. Automation is increasingly being employed to reduce reliance on manual processes and reduce the effort of data privacy activities and workflows. Similarly, tools for discovering, classifying, and detecting sensitive or personal data are increasingly being integrated with security-hardened repositories and processes to meet regulatory obligations with less friction and greater assurance of meeting timelines. Information governance itself is also evolving to provide greater transparency, link processes to critical content and apply effective case management to track and prioritize program activities. The application of case management to track performance across SRR activities from intake to fulfillment is a good example of this evolution.
Information governance (IG) implications for optimizing SRRs
SRRs without IG | SRRs with IG |
No use of automation to limit data sprawl – same number of needles, much bigger haystack | Archiving and deduplication to control data sprawl makes SRR data easier to find |
Personal data is scattered with numerous systems to search | Personal data footprint is minimized which leads to fewer systems to search |
Files are not classified and there are no indicators whether they contain personal data | Files are classified by personal data flags within metadata which improves the efficacy of search |
Accommodate the variance in complexity of different SRRs
Subject Rights Requests, including DSARs, vary substantially in their complexity and time to process. This is because they are initiated by people with different motivations and requirements, including customers, employees and ex-employees. SRRs from current and former employees often involve large volumes of data that are dispersed across a wider variety of systems, along with greater variance in data formats.
There are also multiple types of requests that can be submitted to the organization. These include:
- Right to know – involves providing a report of all personal data held
- Right to be deleted – the permanent eradication of data which is not required for an ongoing valid right to process
- Right to have the data transferred to the individual – included in the majority of data privacy regulations; GDPR adds the requirement to transfer the requestor’s data to a third party.
All requests, regardless of who submits them, involve similar processes and reporting that is sent to the requestor. The bulk of the effort is in discovering and isolating data associated with specific individuals. The level of effort varies substantially depending on who has filed the request and the length and intricacy of the relationship with them. Instead of seeing SRRs as a single thing, they are better viewed on a continuum from low-effort to high-effort requests. High-effort requests can take the same amount of time as a hundred or more low-effort requests and require enhanced review management processes and tools to efficiently discover relevant data from within large and diverse volumes of irrelevant data.
The Two Types of SRR Process
Criteria | Manual processes | Automated process with eDiscovery tools |
Number of systems | High variance between SRRs in number of systems, volume of data and variety of formats – same process for low and high-effort requests but varies from minutes to days | Built to handle high numbers and dispersion of systems, substantial volumes of data and significant variety of formats |
Data extraction / data collection | Search-centric process to find and extract specific data, one system at a time – easy to overlook systems and miss relevant data | Data is collected expansively by search-enabled connectors – making it easier to include broad sets of systems and collect targeted data across all systems |
Data staging / data porting | Relevant data is posted to an unstructured staging area – high data volumes require significant effort to review, organize and prepare data for production | Data is ingested into the eDiscovery platform where it is automatically deduplicated |
Data identification | Manual process to verify extracted data as relevant, accurate and complete | Easy-to-use stackable search filters and analytics to home in on relevant data; predictive search to use highly relevant documents to quickly find other relevant data |
Detecting third parties and their data | Finding the data of third parties that may be intertwined with the requestor’s data can require significant manual review because there is no list of who to search for; redacting third-party data is typically manual | Automated detection of third parties; pre-configured personal data detection libraries for common patterns and Regular Expressions (RegEx) for custom patterns; automated redaction to remediate the personal data of third parties |
Producing the relevant data | The production process is typically manual | Production is automated, including auto-triggered quality control and redaction accuracy checks |
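The automated column of the table above, sketched as an added example (not from the original post or from any eDiscovery product): deduplicate on ingest, detect identifiers with regular expressions, redact those that are not the requestor's, and run a quality-control pass before production. The patterns, function names and sample documents are constructed for illustration.

```python
import hashlib
import re

# Constructed patterns for illustration; platform detection libraries cover far more.
PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "PHONE": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
}

def normalize(kind, value):
    """Canonical form so '555-010-0123' and '555 010 0123' compare equal."""
    return re.sub(r"\D", "", value) if kind == "PHONE" else value.lower()

def deduplicate(docs):
    """Drop exact duplicates by content hash, keeping first occurrences."""
    by_hash = {}
    for doc in docs:
        by_hash.setdefault(hashlib.sha256(doc.encode()).hexdigest(), doc)
    return list(by_hash.values())

def third_party_hits(text, requestor_ids):
    """Every detected identifier that does not belong to the requestor."""
    return [(kind, m.group()) for kind, pat in PATTERNS.items()
            for m in pat.finditer(text)
            if normalize(kind, m.group()) not in requestor_ids]

def redact_third_parties(text, requestor_ids):
    """Mask third-party identifiers; return (redacted_text, redaction_count)."""
    count = 0
    def mask(match, kind):
        nonlocal count
        if normalize(kind, match.group()) in requestor_ids:
            return match.group()  # the requestor's own data stays in the production
        count += 1
        return f"[REDACTED {kind}]"
    for kind, pat in PATTERNS.items():
        text = pat.sub(lambda m, k=kind: mask(m, k), text)
    return text, count

def build_production(docs, requestor_ids):
    """Deduplicate, redact, and fail closed if the QC pass finds a leftover."""
    results = [redact_third_parties(d, requestor_ids) for d in deduplicate(docs)]
    if any(third_party_hits(text, requestor_ids) for text, _ in results):
        raise ValueError("redaction QC failed: third-party identifier remains")
    return [text for text, _ in results], sum(n for _, n in results)

# Constructed sample: the requestor's normalized identifiers and three collected items.
REQUESTOR = {"jordan.lee@example.com", "5550100123"}
DOCS = ["To: sam.patel@example.org From: jordan.lee@example.com, call 555-010-0123"] * 2 + [
    "Sam's mobile is 555-010-0199; Jordan's is 555-010-0123."]
```

Pattern matching only catches identifiers with a recognizable shape; names and free-text references to third parties still need the review step the table describes.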
Manual processes are typically applied to high-volume but lower effort requests. For these, a holistic SRR program founded on good information governance with strong case management from SRR intake to fulfillment is the best prescription. Holistic programs will also include the ability to identify high-effort SRRs to route them to a distinct process where the benefits of eDiscovery platforms can be applied.
In the next blog we will look at how to determine which SRRs warrant the use of eDiscovery platforms and how to build an adaptive SRR workflow program.
Stay tuned for part 2 of this blog series, which will provide a how-to guide for building a cost-optimized SRR response program tailored to the particular requirements of your organization.