DSARs may include internal communication

Are you ready to respond to DSARs asking for internal communications?

When you respond to data subject access requests, as per Article 15 of the GDPR, you no doubt review databases of information- so called “Structured Data” - on your systems and in the cloud, compile all the personal data you have on the data subject (probably a customer record) and send it to the requestor along with additional information about processing activities being carried on the data.

But a recent ruling by the German Federal Court of Justice (Bundersgerichtshof) has potentially extended that to include all information known about the data subject, including any previous correspondence, internal communications and notes.

This ruling makes clear that data collected and shared via internal processes is covered under the right to access as per Article 15 of the GDPR, potentially expanding the breadth of information many people thought was covered in a data subject access request.

To help operationalize this, imagine a customer serially calls your customer support team for help. The customer is identified in every instance and the call is recorded for quality assurance purposes by your organization. If that customer is protected under the GDPR and makes an access request under Article 15 - it won’t be enough to just provide him access to his file, you also need to attach all those recorded calls!

This ruling also states that internal communications about the data subject should be released as part of a DSAR, we have to think whether it would be embarrassing, or worse, if all internal communications were released. In that regard, we make two recommendations that flow from this ruling:

1. Explain and train your staff not to write anything about a customer / prospect or fellow employee that they don’t want to be seen now or in the future by the data subject.
2. Have a system that can discover and collect data on data subjects across all systems, including unstructured systems such as email, Slack, standard office documents and all other internal communication systems.

It is also important to note that the ruling did recognize that any documentation or internal communication which contains legal analysis can be excluded from an access request as it does not constitute personal data since it is information about the assessment and application of the law to the data subject’s situation. A summary of the personal data information which was considered for the legal analysis can be provided but the analysis and the results of the analysis are exempt.

Security can help you enable swift and accurate DSR fulfillment from our sensitive data intelligence models.

We can give you data discovery across more than 200 apps to find data assets, and discover personal data in structured and unstructured data systems, across on-premises and multi-cloud and automatically discover and build a relationship map between personal data and its owner.

Discover granular insights into all aspects of your privacy and security functions while reducing security risks and lowering the overall costs

Here’s a short video explaining sensitive data intelligence