Innovating DSAR Fulfillment: A conversation with Microsoft
Many of the rights enumerated in the GDPR first came to the U.S. with the passage of California’s CCPA (January 2018) and the right to access data was one. The Data Subject Access Request (alternatively DSAR, SARS, and DSR) is how consumers exercise that right.
And while 29 states have introduced nearly 60 bills – many of which have failed, others still in committee – California to date has been joined by Utah (March 2022), Virginia (March 2021), Colorado (June 2021), and most recently Connecticut (April 2022). All have the right of access.
“But while they all have a lot in common – they’re all steeped in GDPR principles – there are many things that make them unique,” WireWheel CPO Rick Buck reminds us, and this of course adds to the compliance challenges: responding to DSARs, and in particular the challenge of unstructured data, has proven to be a resource-intensive and costly one.
Joining WireWheel CPO Rick Buck to discuss the operational challenges in responding to DSAR requests are Hammad Rajjoub, Director of Product Marketing, Microsoft Purview and Priva Ecosystem and Sheridan Clemens, WireWheel’s Senior Engagement Manager who provides a live demo of the WireWheel–Microsoft integrated solution.
The Challenge of Unstructured Data when Responding to DSARs
When data lives in [structured] environments it’s very easy to query and then go back and honor the subject requests. Where it gets complicated is in unstructured data.
—Rick Buck, WireWheel
Simply knowing what options to present to people when they come to you to exercise their rights is perhaps the first challenge in DSAR fulfillment. It can be managed at the state level, or at the national level as an all-encompassing response that would likely be based on the most restrictive jurisdiction in which the organization operates.
But a key challenge is that data lives in a number of places. It resides in structured data environments as predefined, fixed formats which are easy to create rules around, control, and query. Even here, though, understanding where all your data resides requires some legwork (think data mapping and asset inventory).
That said, where it gets really complicated is in unstructured data: data that lives in places that are not predefined or in specific formats, such as MS Word documents, PPT, PDF, spreadsheets, email, text, and chat.
These are neither easy to query nor to analyze. They don’t necessarily have manageable controls around how that data could be used, or where it goes. Importantly, unstructured data makes up about 80% of an organization’s data. And when producing this data (which can often contain references to other data subjects) it must be redacted, which further complicates DSAR fulfillment.
And now in California, when the CPRA comes into effect in January 2022, DSAR rights are currently slated to be expanded to include employees. This gets a lot more complicated – especially in that it is highly likely that employee data not associated with the subject of the DSAR will become exposed as part of that query. Furthermore, emails and documents regarding an employee often contain information – such as commentary – that is out of the scope of the request. This information, too, must be redacted.
So, the challenge becomes:
- Finding the relevant data (structured and unstructured)
- Removing (or redacting) the data that is irrelevant to the DSAR
- Producing that data in a safe and secure way
- Reporting in a readable format for the requestor (consumer or employee); and vitally
- Enabling the backend systems to honor any of the downstream implications (e.g., correct or delete).
In short, “it is a full lifecycle event” – whether tackled manually or through automation – notes Buck. And it is a WireWheel core competency.
Meeting the Challenge of Unstructured Data in DSAR Fulfillment
Privacy regulation applies to the entire data life cycle, from data collection to data storage, access, and transfer, through retention and diligence. It is a complex lifecycle, and privacy applies to each and every one of those stages.
Rajjoub relates that research from ISACA, “Privacy in Practice” (2021), shows that
- 10% of organizations have no privacy training.
- Only 80% update their data map and flow regularly with 32% of those organizations doing so manually with email, spreadsheets, and in-person communication. And interestingly,
- 97% haven’t fully automated DSAR management.
When working with their own customers (Priva is Microsoft’s privacy solution for unstructured data), Microsoft has identified these as key areas of opportunity. Particularly the need for scalability.
“And if you add attributes of confidentiality and identifying if the data is part of legal hold, the equation becomes that much more complex,” says Rajjoub. “We also learned from our customers [that they] find it very, very difficult to gain visibility into the personal data, especially for the unstructured data environments…this process is very complicated.”
Not having [DSAR fulfillment] automated at scale, organizations are spending a ton of money, time and resources…to respond to requests and that’s creating a lot of friction and challenges for our customers. And this is where the Microsoft perspective comes in.
The cost is significant:
- $1,702.28 average cost per DSAR
- 135.61 DSARs per month
- $230,000+ per month on DSAR fulfillment on average
To meet these challenges, the WireWheel–Microsoft integration is focused on enabling organizations to automate the discovery of personal information and take immediate and necessary actions. Importantly, it also provides needed visibility into associated risks arising from such things as data hoarding and cross-border data transfers.
The goal is that when a DSAR is received, the relevant data within the Microsoft 365 environment (all that unstructured data) is automatically collected.
Most importantly, we want to meet our customers where they are in their privacy journey…. That’s why we have built our privacy subject rights request APIs that enable the Microsoft solution to integrate with our customers’ existing infrastructure.
“Our Microsoft Priva integration with WireWheel is important because now,” concludes Rajjoub, “our joint customers can respond to subject access requests in a unified manner across the entire digital estate, covering both structured and unstructured data. This provides a ton of value: an automated, unified, and customizable complete lifecycle DSAR response – at scale – from request verification to production of structured and unstructured data, including redactions.”
During the session, WireWheel’s Senior Engagement Manager, Sheridan Clemens, provides a brief demo of the integrated solution where he takes the audience from the consumer or employee’s request initiated in WireWheel’s Trust Center and through the integrated workflow management.
To request a demo or proof of concept, please contact WireWheel here.