Case studies

Responding to a Data Subject Access Request (DSAR)

FRA supported a client's response to an ex-employee's Data Subject Access Request (DSAR) with a limited time period to respond. FRA applied a DSAR solution to gain a holistic view of more than 900,000 documents, eliminate redundancies; redact confidential information, and deliver a complete and structured response.

A client received a Data Subject Access Request (DSAR) from an ex-employee with a very limited period to respond. The client requested support from FRA to collect and produce data in response to this DSAR. The client had two weeks to respond and knew there would be a lot of data to sift through and as it required the review and potential production of documents from the Human Resources team, there would be a lot of PII within the data-set.

For this request, FRA collected and loaded 11 PSTs into an AI-powered technology that resulted in over 900,000 documents. The data was globally de-duplicated. The team further culled the data by limiting the data source to only emails related to the data subject based on their name as a search term or searching via the sender/recipient/subject metadata fields, and then by identifying domains, senders, and recipients that could be excluded. This reduced the data set to 19,000 documents.

Afterward, the team further culled the data by applying the relevant date range and search terms relating to the individual and issues and identified the data relevant for the following three categories:

  1. Hiring process
  2. Performance Evaluation
  3. Termination

A sample of the resulting data set was reviewed to ensure the population included documents relevant to the above categories. Afterward, the initial round of terms were revised along with the email recipient fields. The final document count set aside for review was approximately 10,000 documents, of which around 4,000 parent emails were batched for review. The team applied filters to identify PII categories that were to be auto-redacted, including emails, phone numbers, and certain entities, while the team reviewed the documents so that they could verify the machine-identified redactions were appropriately auto-applied.

In the final set, the review team identified 966 documents for production, which were auto-redacted, bates numbered and produced. There were over 24,000 items that were redacted within this data-set falling into the below categories:

  • Organization
  • Person
  • Email
  • Location
  • URL
  • Phone number (UK and US)
  • Currency (UK, US, Euros)
  • K. Tax ID Number
  • US Passport Number
  • K. VAT Numbers
  • K. National Health Service Number (NHS)
  • K. National Insurance Number (NINO)

After the preliminary steps, the team was able to conduct the final document review, burn and export the redacted documents within 4 days. Due to the lack of manual work needed to apply the redactions and culling tactics applied, the team was able to meet the extremely tight deadline.

FRA's Privacy Compliance Webinar

In this 30-minute webinar, FRA’s Head of Legal, Mike Trahar, and leading data and information governance experts, Harsh Sutaria, Chief Innovation Officer at FRA, and Leigh Isaacs, Director of Information Governance at DLA Piper, share their insight and real-world examples on how to successfully navigate DSARs.

In this 30-minute session, you will learn:

  • What proactive steps you can take now to prepare for DSARs.
  • Practical tips for simplifying the DSAR response process.
  • What the regulators are really looking for. Is putting forward a “good faith effort” enough to avoid scrutiny?