The dangers of Subject Access Requests

14th August 2019

When you receive a Subject Access Request (SAR) you are obliged to return a copy of all of the information you hold on the requestor within 30 days. This time limit adds pressure to the organisation to process the request as soon as possible.

This task can, therefore, be rushed and sensitive information of others or confidential business information could be sent out in error.

In this PrivSec Report article, sensitive information was handed out in a SAR which required immediate action from the charity firm involved. Taking more time and resource from the charity. This could have been avoided if a tool had been in place to automatically redact information.

The security data breach compromised the personal data, including bank information, account numbers, pension contributions and wages details of almost all its 170 employees.

The SAR was requested by a former employee whose data was likely to have been in the same document with other current employees. This mistake highlights that a secure process needs to be put in place to prevent a breach like this. Although measures may already be in place to protect anything that is considered personal identifiable information, how do you ensure the content within these documents isn’t confidential business information? Or that the context of the document doesn’t give away any restricted information? How does the person instructed to complete the SAR on behalf of the company understands what is deemed to be confidential when that information may have not been shared with them?

In developing SmartRedact, we knew that the need was there in order to ensure Subject Access Requests were efficient, compliant and has measures in place to protect businesses from not only a data breach but also a leak of intellectual property.

SmartRedact is available now, so, mitigate your risk exposure today and get in touch.

View More Articles