Backup and Recovery

GDPR Subject Access Requests: Can You Respond?

Lee Aber
Chief Information Security Officer
March 22, 2018

Imagine the world after the May 25, 2018 General Data Protection Regulation (GDPR) enforcement date has passed. “Clare Smith”, one of your customers who resides in London, submits a Subject Access Request (SAR) asking what data your company has on her. What is the first thing you, as a Data Controller, will do to respond? Are you even able to respond in a timely fashion, defined by GDPR as 30 days. More importantly, do you know where Clare’s information actually is throughout all of your infrastructure, databases, files, attachments, backups, and third-party Processors?

Without a data inventory and a scalable process for responding to SARs, this individual request could become a time-consuming fire drill. Just think about how many people it would take across your company and your third-party vendors to process Clare’s request. This example focuses on just one of the multiple Data Subject Rights that you must already comply with for GDPR. What happens when more and more EU Data Subjects begin to exercise their rights under GDPR? Do you have a scalable solution to respond to these requests within the standard 30-day window?

Know your data and be more transparent with Data Mapping for GDPR.

Inventorying data, a process also referred to as Data Mapping under the GDPR, is a process that helps companies better understand their landscape of what personal data they have and, quite honestly, come to grips with it. Performing this exercise forces companies to think about how data flows in, through, and out of their business. At OwnBackup, we consider Data Mapping from data capture to data deletion, the entire Data Lifecycle. Once you have mapped out your Data Lifecycle, then you can begin to practically work out what your GDPR obligations and requirements are, as well as more efficiently respond to Subject Access Requests.

Why else is this important? A key aspect upon which GDPR is founded is Data Transparency. Data Transparency not only instills trust into your personal data processes, that should be built around privacy by design, but also how you empower your Data Subjects to understand your data processing activities. This includes providing mechanisms for them to challenge the accuracy of their data, object to processing of their data, and remove their data altogether.

If you have not started to prepare, now is the time to roll up your sleeves and kickoff your data inventory mapping exercise. Companies often struggle to understand their GDPR requirements if they have not yet analyzed what data they have, how it is classified, how sensitive the data is, where the data is stored, with whom it is shared, and how it is backed up.

Pro-tip: Documenting your data inventory process helps you prepare for the GDPR Accountability Principle. Under this principle, companies processing EU Subject Data are required to demonstrate and prove how they are compliant with GDPR.

Basic strategies for performing Data Mapping

  1. Start documenting your Data Lifecycle using workflows. You can use Microsoft Excel or another third-party tool to articulate how your data moves through your organization.
  2. Follow your Data Lifecycle, including when and where data enters your company’s possession and when it is ultimately destroyed. What servers or systems does it touch along the way?
  3. Detail what types of Personal Data you process across your infrastructure. Is it Personally Identifiable Information, financial account numbers, human resource-related data, credit card numbers, insurance, marketing, or some other type of personal data?
  4. Now think further - what metadata, such as IP address, cookies, etc. do you possess? Is personal data included in your logs? Where do those log files end up?
  5. What is the source of the personal data? When was consent obtained, for what purpose, and for how long?
  1. What is your legal basis for processing this personal data? Is it for compliance, marketing, or some other reason? Is it to perform under a contract or derived from consent?
  2. Where is the data geographically located? Where are the data servers or hosting facilities? In which country?
  3. With whom do you share the data? Think through which vendors have it, such as backup providers, hosting providers, sub-processors, etc.?
  4. Was the personal data obtained directly from the Data Subject or from a third-party source?
  5. What is your retention period for the data? How long are you allowed to actually keep it? What or who determines this data retention schedule? How is this schedule implemented?
  6. How is personal data deleted and is a confirmation or notification provided to the Data Subject?
  7. Saving the best for last: How will your data inventory be maintained going forward?
Remember: Data inventory should be a company-wide initiative. One person, or even one department, will not know how all of the data flows around a business. It takes a lot of talking to people from various department and analyzing all the tools in use, in order to find out what is going on with your company’s data. Especially in large organizations, specific people will usually have just a piece of the information landscape puzzle. Under GDPR, all those pieces need to come together to create a complete view.

After mapping your data, how easily can you get to it?

After putting together your data inventory, define whether or not you can easily locate Data Subject information across all those databases, backups, attachments, and third-party Processors. If the process will be too difficult and time-consuming at scale, implementing a new process or purchasing a new solution to allow you to easily query your data might be a good option. Once you identify all of the places you store Personal Data, you will need to be able to efficiently and easily query them. When selecting data storage or management solutions, whether it be a CRM, a database, or a backup, you’ll need to ensure the solution selected has powerful, extensive search capabilities.

Now that you’ve thought through why you need a GDPR data inventory and mapping process, let’s go back to our example with Clare Smith...You can now easily locate where Clare’s information is across your databases, backups, attachments, and third-party processors, and respond to Clare well within the standard 30 day deadline.

OwnBackup makes it easier to find and access Data Subject information in archived data, metadata, and attachments.

As Data Controllers, you’re responsible for maintaining an inventory of personal data, including the data in your archives. This can be one of the more difficult obligations of a Data Controller, particularly because you must not only furnish your Data Subject(s) with details of how their data is handled, shared, and used, but also provide notification without undue delay.

Data Controllers using OwnBackup will be able to perform global personal data searches across their archives, identifying the region and attachments in which the Personal Data resides. This will be possible on-demand and within minutes.


View the GDPR Right to be Forgotten - Compliance for your Backups webinar recording to learn more about maintaining Data Subject transparency by setting up a Data Inventory.

Find out more about OwnBackup’s GDPR data protection solution and find answers to some of the most commonly asked questions that we’ve received at our GDPR webpage.

You may also like

Get started

Share your details and we’ll contact you shortly to schedule a custom 25-minute demo.
Schedule a Demo
magnifiercrossmenuchevron-downchevron-right linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram
Copy link
Powered by Social Snap