• Skip to main content
  • Skip to footer

FRA

Forensic Risk Alliance

  • About FRA
    • What We Do
    • Who We Are
    • International Expertise
    • Corporate Social Responsibility
  • Expertise
    • Forensic Accounting
    • Investigations
    • Corporate Compliance Monitorships
    • Disputes and Arbitration
    • Data Governance & Forensics
    • Technology Solutions
    • Digital Forensics
    • Data Analytics
    • Accounting, Audit and Regulatory Advisory
    • eDiscovery Consulting
    • Disgorgement, Gain and Ability to Pay Calculations
    • Compliance and Risk Assessment
    • Restructuring & Insolvency
    • AML and Sanctions
    • Mobile Discovery Solution
    • Environmental, Social and Governance
    • Securities Litigation
  • Results
    • A History of Success
    • Case Studies
    • Sectors We Serve
  • News and Insights
  • Careers
  • Contact

Case Study

Responding to a Data Subject Access Request (DSAR)

Case Studies

Expert Witness to Quebec Superior Court Responding to a Data Subject Access Request (DSAR) UK-based Oil Service Provider Airbus International Not-for-Profit Organization European Bank Middle-East Telecommunications Company Multinational Oil and Gas Extraction Company Multinational Life Sciences Company Global Technical Consulting Firm International Event and Talent Management Company Deminor Recovery Services/Olympus Technip Rolls-Royce Bank Leumi Class-action Lawsuit challenging Solitary Confinement in US Prisons Nordic Telecommunications Company Multinational Insurance Firm Multinational Transport Engineering Company

A client received a Data Subject Access Request (DSAR) from an ex-employee with a very limited period to respond. The client requested support from FRA to collect and produce data in response to this DSAR. The client had two weeks to respond and knew there would be a lot of data to sift through and as it required the review and potential production of documents from the Human Resources team, there would be a lot of PII within the data-set.

For this request, FRA collected and loaded 11 PSTs into an AI-powered technology that resulted in over 900,000 documents. The data was globally de-duplicated. The team further culled the data by limiting the data source to only emails related to the data subject based on their name as a search term or searching via the sender/recipient/subject metadata fields, and then by identifying domains, senders, and recipients that could be excluded. This reduced the data set to 19,000 documents.

Afterward, the team further culled the data by applying the relevant date range and search terms relating to the individual and issues and identified the data relevant for the following three categories:

  1. Hiring process
  2. Performance Evaluation
  3. Termination

A sample of the resulting data set was reviewed to ensure the population included documents relevant to the above categories. Afterward, the initial round of terms were revised along with the email recipient fields. The final document count set aside for review was approximately 10,000 documents, of which around 4,000 parent emails were batched for review. The team applied filters to identify PII categories that were to be auto-redacted, including emails, phone numbers, and certain entities, while the team reviewed the documents so that they could verify the machine-identified redactions were appropriately auto-applied.

In the final set, the review team identified 966 documents for production, which were auto-redacted, bates numbered and produced. There were over 24,000 items that were redacted within this data-set falling into the below categories:

  • Organization
  • Person
  • Email
  • Location
  • URL
  • Phone number (UK and US)
  • Currency (UK, US, Euros)
  • K. Tax ID Number
  • US Passport Number
  • K. VAT Numbers
  • K. National Health Service Number (NHS)
  • K. National Insurance Number (NINO)

After the preliminary steps, the team was able to conduct the final document review, burn and export the redacted documents within 4 days. Due to the lack of manual work needed to apply the redactions and culling tactics applied, the team was able to meet the extremely tight deadline.


ON-DEMAND | FRA’s Privacy Compliance Webinar

In this 30-minute webinar, FRA’s Head of Legal, Mike Trahar, and leading data and information governance experts, Harsh Sutaria, Chief Innovation Officer at FRA, and Leigh Isaacs, Director of Information Governance at DLA Piper, share their insight and real-world examples on how to successfully navigate DSARs.

In this 30-minute session, you will learn:

  • What proactive steps you can take now to prepare for DSARs.
  • Practical tips for simplifying the DSAR response process.
  • What the regulators are really looking for. Is putting forward a “good faith effort” enough to avoid scrutiny?
Watch On-Demand

London

Audrey House
16-20 Ely Place
London EC1N 6SN
United Kingdom
+44 (0)20 7831 9110

Washington, DC

2550 M Street NW
Washington, DC 20037
United States
+1 (202) 627-6580

Providence, RI

10 Dorrance Street,
Suite 700
Providence, RI 02903
United States

Dallas, TX

One Cowboys Way
Suite 470
Frisco, Texas 75034
United States
+1 (469) 604-0925

Paris

44, avenue George V
75008 Paris
France
+33 1 74 88 05 40

Montreal

20 Place du Commerce
Nuns’ Island
Montreal, Quebec H3E 1Z6
Canada
+1 (401) 289-0866

New York City, NY

1740 Broadway
15th Floor
New York, NY 10019
United States

Philadelphia, PA

727 Norristown Road
Building 8 Spring House
Innovation Park, Suite 206, Lower Gwynedd, PA 19002
United States
+1 (267) 405-9302

Stockholm

7A Centralen
Vasagatan 7
111 20 Stockholm
Sweden
+44 (0)7747 790232

Zurich

Löwenstrasse 53
Zurich 8001
Switzerland

Dubai

405, Index Tower
DIFC
PO Box 507022 Dubai
UAE
+971 (0)42 654 249

Seoul

#905 Leema Building
42 Jongno 1-gil, Jongno-gu
Seoul
Korea
+82(2) 737-4300
  • Privacy
  • Legal
  • Cookies
  • Modern Slavery Statement
  • Sitemap
  • Contact
  • LinkedIn
  • Twitter
© 2023 The FRA Group in the UK comprises Patriot New Topco Limited (number 12395093) and its subsidiaries. Patriot New Topco is a limited company registered in England & Wales and the address of the registered office is Audrey House, 16-20 Ely Place, London EC1N 6SN. The term partner is used to denote senior employees of the limited companies. All rights reserved.