Don’t Forget A Potential GDPR Blindspot – Subject Access Requests

Some financial firms see GDPR as simply another data security challenge and are neglecting to adequately plan for the influx of Subject Access Requests (SARs), warns Nuxeo’s David Jones

 It’s now less than a month to go until the EU’s General Data Protection Regulation (GDPR) comes into force in the UK, legislation that alters the way all companies store and manage the personal data they hold on EU citizens.

Financial services firms that do not comply with GDPR requirements risk facing a hefty fine, and indeed that has motivated a lot of last-minute GDPR backfill work. Banks and financial service firms have been working hard to make sure they can identify all of the personal data stored within their systems and repositories, and to ensure this information is safe and secure.

But GDPR isn’t just about safeguarding personal and sensitive data, and just seeing the issue through that lens can be a real blind spot. That’s because it’s also about the ability to deliver this information to any EU citizen who asks for it. As with the old Data Protection Act (DPA) it replaces, any EU citizen can issue what is known as a Subject Access Request (SAR) to see what information firms hold about them.

However, there are significant changes your firm should be aware of. Under the DPA, organisations had to respond to a SAR within 40 days of receiving a written request. Under GDPR, this timeframe shrinks to 30 days. Plus, the previous nominal fee for this service is also being removed for all reasonable requests, making SARs free – which many commentators believe will result in an uptake in requests.

In order to comply with all aspects of GDPR, including the ability to manage the expected increase in volume of SARs in a shorter time frame than before, it’s vital that organisations have a strategy in place. And since the typical SAR demands a copy of all personal information, details of how it has been used, all the third parties which whom it has been shared, how long it has been stored, and details of any data breach — they are actually the perfect GDPR preparedness test. If you can respond thoroughly and within the deadline, congratulations – you’re compliant with the SAR component of GDPR!

If not, prepare for trouble. And not just from the regulator, but from the public. Possible PR ramifications are huge. According to the Information Commissioner’s Office (ICO), the largest number of data protection cases the ICO currently sees are complaints about mishandling SARs (46% in 2015/16 and 42% in 2016/17).

If one considers how quickly social media can inflame situations as well, financial services firms really will need to ensure they succeed in their SAR requirement.

It’s a delicate situation – and banks and insurance firms, who hold a huge volume of highly sensitive data on individuals and are in a highly regulated environment, will likely be in the firing line.

CSP: A Modern Solution to a Modern Problem Set

A Content Services Platform (CSP) approach could well be your new best friend when it comes to GDPR and SARs. That’s because a CSP means that firms managing Subject Access Requests can easily identify data residing within multiple/different information silos within their business, and are able to rapidly serve up this data as SAR requests are made, in an appropriate format and in a timely manner.

A Content Services Platform can also look at file systems for unstructured content alongside the enterprise systems it connects with, such as databases applications containing structured data. And when you consider how many data records could be involved here:

• Complaints or customer service notes
• Bank and insurance statements or related static data (e.g. the content of application forms)
• Medical history (e.g. for life or medical insurance applications)
• Car details and driving history
• Work experience history and educational qualifications (e.g. to support a lending application)
• Employee salary details, plus notes of employee disciplinary/grievance hearings
• Telephone call recordings, CCTV footage – and more?

It’s clear that a centralised hub that connects structured data systems with unstructured content repositories, organisations benefit from a 360-degree view of GDPR related data, from which SAR specific information can easily be pulled, compiled, and delivered, could be extremely useful – both to improve the customer experience and deliver a better service to your customers a well as digitally transform, especially in a highly competitive environment with the fintech arrival.

It is impossible to predict how many SARs banks, building societies, insurance firms and others will receive when GDPR comes on stream. But given the way the Facebook and Cambridge Analytics scandals have raised the overall data privacy temperature, it’s sensible to be prepared.

Doing so means ensuring personal data is secure and can be quickly located and delivered upon request according to GDPR requirements. Make sure you have the right tools in place to manage SARs– else it could cost you a lot of blood, sweat and tears if you don’t act in good time.

The author is Director of Product Marketing at Content Services leader Nuxeo (www.nuxeo.com)

Some financial firms see GDPR as simply another data security challenge and are neglecting to adequately plan for the influx of Subject Access Requests (SARs), warns Nuxeo’s David Jones

 It’s now less than a month to go until the EU’s General Data Protection Regulation (GDPR) comes into force in the UK, legislation that alters the way all companies store and manage the personal data they hold on EU citizens.

Financial services firms that do not comply with GDPR requirements risk facing a hefty fine, and indeed that has motivated a lot of last-minute GDPR backfill work. Banks and financial service firms have been working hard to make sure they can identify all of the personal data stored within their systems and repositories, and to ensure this information is safe and secure.

But GDPR isn’t just about safeguarding personal and sensitive data, and just seeing the issue through that lens can be a real blind spot. That’s because it’s also about the ability to deliver this information to any EU citizen who asks for it. As with the old Data Protection Act (DPA) it replaces, any EU citizen can issue what is known as a Subject Access Request (SAR) to see what information firms hold about them.

However, there are significant changes your firm should be aware of. Under the DPA, organisations had to respond to a SAR within 40 days of receiving a written request. Under GDPR, this timeframe shrinks to 30 days. Plus, the previous nominal fee for this service is also being removed for all reasonable requests, making SARs free – which many commentators believe will result in an uptake in requests.

In order to comply with all aspects of GDPR, including the ability to manage the expected increase in volume of SARs in a shorter time frame than before, it’s vital that organisations have a strategy in place. And since the typical SAR demands a copy of all personal information, details of how it has been used, all the third parties which whom it has been shared, how long it has been stored, and details of any data breach — they are actually the perfect GDPR preparedness test. If you can respond thoroughly and within the deadline, congratulations – you’re compliant with the SAR component of GDPR!

If not, prepare for trouble. And not just from the regulator, but from the public. Possible PR ramifications are huge. According to the Information Commissioner’s Office (ICO), the largest number of data protection cases the ICO currently sees are complaints about mishandling SARs (46% in 2015/16 and 42% in 2016/17).

If one considers how quickly social media can inflame situations as well, financial services firms really will need to ensure they succeed in their SAR requirement.

It’s a delicate situation – and banks and insurance firms, who hold a huge volume of highly sensitive data on individuals and are in a highly regulated environment, will likely be in the firing line.

CSP: A Modern Solution to a Modern Problem Set

A Content Services Platform (CSP) approach could well be your new best friend when it comes to GDPR and SARs. That’s because a CSP means that firms managing Subject Access Requests can easily identify data residing within multiple/different information silos within their business, and are able to rapidly serve up this data as SAR requests are made, in an appropriate format and in a timely manner.

A Content Services Platform can also look at file systems for unstructured content alongside the enterprise systems it connects with, such as databases applications containing structured data. And when you consider how many data records could be involved here:

• Complaints or customer service notes
• Bank and insurance statements or related static data (e.g. the content of application forms)
• Medical history (e.g. for life or medical insurance applications)
• Car details and driving history
• Work experience history and educational qualifications (e.g. to support a lending application)
• Employee salary details, plus notes of employee disciplinary/grievance hearings
• Telephone call recordings, CCTV footage – and more?

It’s clear that a centralised hub that connects structured data systems with unstructured content repositories, organisations benefit from a 360-degree view of GDPR related data, from which SAR specific information can easily be pulled, compiled, and delivered, could be extremely useful – both to improve the customer experience and deliver a better service to your customers a well as digitally transform, especially in a highly competitive environment with the fintech arrival.

It is impossible to predict how many SARs banks, building societies, insurance firms and others will receive when GDPR comes on stream. But given the way the Facebook and Cambridge Analytics scandals have raised the overall data privacy temperature, it’s sensible to be prepared.

Doing so means ensuring personal data is secure and can be quickly located and delivered upon request according to GDPR requirements. Make sure you have the right tools in place to manage SARs– else it could cost you a lot of blood, sweat and tears if you don’t act in good time.

The author is Director of Product Marketing at Content Services leader Nuxeo (www.nuxeo.com)