Year One of GDPR: What’s Really Behind All the Data Subject Access Requests

May 25, 2019 marked the one-year anniversary of the EU’s General Data Protection Regulation (GDPR) coming into force. Various privacy professionals have taken to the media to share their perspectives on this first year of the regulation, and we highlight a few of those articles here. At Dataguise, we’ve been paying particular attention to the increasing number of data subject access requests (DSARs) submitted over the past year. In this post, we wanted to explore this DSAR trend and get to the bedrock issue behind it.

DSARs before and since the GDPR

When the GDPR was first being drafted and debated, some organizations voiced concerns that DSARs were being weaponized by the GDPR to be used against them. Indeed, since the GDPR took effect, we’ve seen an exponential increase in the number of requests being made due to privacy concerns, as well as an increased use of the DSAR to support other legal matters (e.g., employee preparing to sue their employer). But, the right to know what information an organization holds about you—including data collected or inferred from third-party sources—has been available to EU residents long before the passing of the GDPR. In fact, some countries, even ones that have yet to pass data privacy regulations, already include this right of access in a constitution or other law.

Rooted in the relationship between citizen and state, it was originally intended to overcome concerns about secret government dossiers and opaque practices that can lead to discrimination and unfair prosecution. Today’s privacy regulations, however, are designed not only to allow people to know what information organizations have about them, but also to improve data quality and encourage participation in how and what data is processed. While the DSAR can still help with these purported goals, the input from privacy professionals suggests a different motivation behind the recent spike in DSARs.

Payback for a loss of privacy and trust?

For the past 20 years, organizations have amassed more and more data, using carefully crafted legal mechanisms, such as notices and contracts, to maximize their ability to collect and use personal information. But at some point, we reached a tipping point as digital consumers. While we were busy enjoying the speed and convenience of newer and better digital technologies, we gave away our personal privacy to organizations we assumed we could trust—and felt there was nothing we could do, even if we wanted to do something about it.

Terms and conditions for online services are complex, lengthy, and hard to read, while privacy notices meant to clearly explain how personal information is used, are anything but clear. We scroll down, click the button, and accept them anyway, not even trying to make sense of what they say. We put up with opt-out buttons that are not easy to spot. We go online knowing everything we do is monitored and monetized. And while we may appreciate the increased relevance of the online ads served to us, those ads are a constant reminder that our activities and interests are regularly shared among companies.

But it wasn’t until data breaches became daily headlines that the loss of personal privacy turned into a loss of consumer trust in business. And it wasn’t until the GDPR—with its worldwide media attention on catchy concepts like the “right to be forgotten”—that consumers finally realized they had a way to fight back.

DSARs can do more for consumers and businesses today

The DSAR, in today’s climate of distrust, represents a newfound power that is used by consumers to, at best, regain control over one’s information and, in its less desired manifestation, keep tabs on the organizations they entrust with their personal data. It is that loss of privacy and trust that made the DSAR provisions in the GDPR seem more like a new opportunity for “privacy self-defense,” if not a way to proactively fight back on the data playing field. It doesn’t help the issue, however, when individuals receive the output of their DSAR request and the data appears incomplete or more limited than the range of interaction and duration of the business relationship would suggest. Organizations that are unable to fulfill DSARs by reporting on all personal data held across all enterprise systems are only making matters worse.

But, hey, the future still looks bright. The GDPR put organizations on a positive path for privacy management. It encourages responsible data handling, demonstrable compliance, and a greater degree of transparency over how personal information is processed. More specifically, it does a decent job at moving the privacy profession from a heavy reliance on policies to include controls, the monitoring of those controls, and the establishment of governance to oversee it.

As organizations adopt more effective solutions to protect personal information as it is collected, used, and shared, the nature of their interactions with data subjects will evolve as well. In fact, the number and nature of the DSARs that an organization receives will be great metrics for gauging the level of trust customers and employees place in them. For example, fewer DSARs overall or more DSARs focused on correcting data as opposed to erasing it would be welcome trends pointing to a brighter future for digital trust.

DSAR Article Links

Individuals have weaponized the rights created by the GDPR

Better privacy practices encourage true participation from data subjects

A surge in data subject access requests is something most companies were likely anticipating, especially given the media’s focus on individual rights

Canada to change rule to require more data subject control before their personal information leaves the country

In search of effective technological solutions for handling personal information

Gartner survey shows accelerating privacy regulation as top emerging risk in 1Q19

Solution Brief: Privacy and Security, Together for Greater Trust