AI cannot manage your Data Subject Access Requests, but eDiscovery can

The rise of DSARs

The introduction of regulations like the GDPR and CCPA has empowered individuals to request access to their personal data. This has led to a noticeable increase in DSARs, not only from customers but also from employees, often with a view of fact-finding ahead of a dispute. As businesses grow and accumulate more data, the complexity and volume of these requests continue to escalate.

The challenge of managing DSARs

Handling DSARs manually can be a daunting task. The process involves identifying, retrieving, and reviewing vast amounts of data spread across various systems. This is time-consuming and resource-intensive, often requiring dedicated personnel to ensure compliance within the stipulated timeframes. Data controllers are under an obligation to disclose data which is relevant to the requestor but also have an obligation to protect the personal data of third-parties and they have it in their best interest not to disclose anything beyond what they are required to.

Best practices for managing DSARs

To effectively manage DSARs, businesses should adopt a structured approach:

1. Establish clear policies: Define and document procedures for handling DSARs, ensuring a streamlined approach to collection and initial review of size and potential impact.
2. Utilise technology: The use of an eDiscovery platform can streamline the DSAR process through advanced search and review capabilities. Investing in your own systems may be too costly and still then require personnel who can manage the platform and review the documents, so partnering with firms who have this capability is ideal.
3. Monitor and review: Continuously review the DSAR process to identify areas for improvement. Ensuring you have MI on the process for future review is crucial and should be something that any supporting firm should be able to provide.

The limitations of AI to respond to DSARs

Analysing a document set at a macro level requires a subjective understanding of a DSAR and what is required in terms of the following:

• The specific stipulations of the request.
• Reading into the requestor's intent and desired output.
• What is legally required, in terms of what the controller does and does not need to share with the requestor.

This blend of understanding, along with automated tools such as deduplication, allows an eDiscovery analyst to reduce a set of responsive documents by up to 90%, often taking a problem from thousands of documents to review to a few hundred. As of yet, reviewing a document to decide if it's relevant to a DSAR and potentially disclosable, goes beyond the remit of an AI model, as it requires a reviewer to assess a document which mentions the data subject's name and decide if the responsive content meets the following criteria:

• It is definitely the correct person being referred to.
• It is part of discussion about them, as opposed to an incidental mention such as them being copied into an email.
• The content is not exempt from disclosure such as for privilege or third-party personal data.

As the data controller only needs to disclose what is required of them, a balancing act is needed for redaction, to ensure unnecessary and exempt content is redacted while still leaving in necessary content and avoiding regulatory criticism for over-redacting.

Conclusion

Can AI manage my DSARs? The short answer is no. However, Fieldfisher with Condor can offer a solution which will streamline the process, take the problem off your hands, and save you money. Legal technology is continuously developing and there continues to be elements of technology that thrive when a human expert is in the driving seat.