KPMG Law LLP logo

24 May 2024

Under the GDPR, data subjects have the right to request access to the personal data that an organisation holds about them. It can be difficult for organisations to respond to high volume data access requests.

In some cases involving significant amounts of personal data, a data subject access request (DSAR) made under the GDPR can bring the daily operations of a business to a standstill.

In this article, to help you streamline your DSAR process and minimise the impact to your day-to-day business, we take a look at some of the key points to consider when managing and responding to DSARs.

High volume DSARs

Under the framework of the GDPR, organisations are responsible for honouring an individual’s right to access their personal data.

A data controller has up to one month to respond to an access request (extendable under limited circumstances). The scope and complexity of DSARs can vary greatly, and the request can originate from different data subjects such as employees or customers.

Where, for example, an access request comes from an employee with many years of service, it might involve retrieving, reviewing, and redacting high volumes of data. Further, as prescribed by the GDPR, this must be done to an accurate standard and within the statutory deadline.

Failure to comply not only violates regulatory requirements but also exposes businesses to significant legal and financial risks, as well as potential reputational damage.

 “In responding to a request, often an all-hands-on-deck approach is necessary: input from the HR team, the IT team, in-house legal, and senior management may all be required” says Emma Ritchie, head of data protection and privacy at KPMG Law.

“This can be a huge drain on resources, and the sheer volume and complexity of data can overwhelm internal teams and hinder operational efficiency”, Ritchie adds.

Streamlining the DSAR process

There are a number of ways to streamline the DSAR process to ensure a timely and accurate response to a request, thereby reducing exposure to fines and reputational damage, and diverting crucial resources back to core business functions.

Technology solutions and automation:

Advancements in technology are revolutionising DSAR management, offering innovative solutions to streamline processes and enhance efficiency. Data analytics tools and automation software can accelerate response times, reduce manual effort, and improve overall data governance practices. “By leveraging technology solutions, businesses can stay ahead of the curve and adapt to evolving regulatory requirements while optimising resource utilisation” states Andy Glover, Director in KPMG Managed Legal Solutions.

Get proactive:

Proactive data management strategies are essential for minimising the impact of DSARs on business operations. These include implementing data minimisation policies, maintaining comprehensive records of personal data, and providing regular training to employees on DSAR handling procedures. By taking a proactive approach to data management, you can better anticipate and manage DSARs, and ensure compliance while maximising operational efficiency.

How we can help

As specialised service providers, KPMG Managed Legal Solutions together with KPMG Law offer invaluable support in navigating the complexities of DSARs. We utilise market leading AI integrated technologies to support your organisation throughout the response process.

Our team of dedicated document review specialists are on hand to relieve the resource burden and provide expert and cost-effective advice. Dovetailing with this, KPMG Law provides holistic legal advice and supports communications with data subjects and the supervisory authorities as required.

We know every business is unique, so whether you are a small business or an enterprise level organisation, our solution is scalable to accommodate your needs.

Future trends and regulatory developments

Finally, looking ahead, it’s important for all organisations to keep up to speed with emerging data privacy trends and regulatory developments.

From changes to the GDPR, to evolving consumer expectations, international data transfer rules, (and the imminent impact of the new European AI Act), many factors will continue to shape the landscape of DSARs.

By staying informed and proactive, you can ensure your business successfully adapts to regulatory changes, positioning you for long-term success in an increasingly complex regulatory environment.

Keep an eye on our website and LinkedIn for regular data protection and privacy updates or contact our KPMG Managed Legal Solutions team or our KPMG Law team directly.

Contact the team

Emer O'Brien

Emer O'Brien

Partner, KPMG in Ireland

Andy Glover

Andy Glover

Director, KPMG in Ireland

Emma Ritchie

Emma Ritchie

Head of Data Protection & Privacy, KPMG Law LLP

Discover more in Data Protection & Privacy Law