The General Data Protection Regulation (GDPR) provides a variety of rights to the European Union (EU) residents. It specifies the standards for data protection and the rights of European citizens to control the processing and distribution of Personally Identifiable Information. Data Subject Access Request (DSAR) is a request made by an individual to obtain personal data and it is becoming one of the most difficult aspects of data privacy compliance. The analysis shows that over 50% of the DSARs miss the 30-days SLA, inviting huge fines from EU GDPR regulators. According to the Enforcement Tracker, it is found that from the cumulative fines, more than 40% are paid by Telecom, Media, and Broadcasting companies.
Key findings from Gartner’s Market Guide for Subject Rights Request Automation:
- Efficient and appropriate handling of the DSARs is crucial for a good privacy user experience (UX) for the consumers, yet many organizations still rely on ad hoc, manual, and incomplete provisioning of services
- Manual processing of a single subject rights request costs organizations more than $1,400 and most organizations take more than two weeks to provide a response
As the Digital Service Providers (DSPs) try to fulfill the DSAR within strict timelines, they face various challenges in the traditional request fulfillment process. Some of them include complex ecosystems, lack of tracking and reporting tools, manual approvals, and notifications. These challenges, in turn, impact the DSPs’ business through missed SLAs, high Opex, poor customer experience, financial and reputational damage. This article elaborates on the strategies that can be adopted by the DSPs to automate the DSAR fulfillment process, obtain a 360-degree view of the request, and improve GDPR compliance. The four-step process that enables the DSPs in achieving improved compliance is detailed below.
1. Request management:
Proper request management is primary for an efficient DSAR fulfillment process. When the customer sends a mail requesting personal information, the Data Protection Officer (DPO) creates the DSAR against the customer’s request. Usage of a unified service catalog helps the DPOs to efficiently view, submit and manage different types of DSARs. It provides self-service opportunities to the organization and acts as centralized management for all GDPR services and policies.
- Build business rules to auto-populate data based on the input which reduces the request creation time and avoids human errors
2. Automation of request fulfillment:
Once the DSAR is raised and managed, it is recommended to automate all the DPO activities which were carried out manually in legacy systems. The automation of the complete DSAR fulfillment can be done using custom workflows, thus accelerating the overall DSAR process. An effective automation workflow is suggested to perform various actions which include:
- Parsing the customer emails and creating the requests
- Querying the CMDB, Asset Management, and Network Inventory systems
- Creating approval records and triggering notifications to the respective teams
- Creating the fulfillment tasks and attaching the corresponding SLA workflows
- Create domain-driven reusable and templated actions, sub-flows, notifications, and variable sets
- Leverage the existing ITSM platforms like BMC Remedy, ServiceNow, or Atlassian JIRA SD. It helps in Opex savings and accelerates the creation of workflows due to inbuilt platform capabilities
- Avoid inventing the wheel again and try to utilize the platform capabilities before developing any new objects/code
- Make sure the workflows can be tailored to meet the third-party system API’s specifications
3. Automated notifications:
Proactive communication to stakeholders can be provided with automatic notifications. It avoids making calls to DPOs and fulfillment teams each time to know the status of the request and assists the DPOs in easier tracking of all the internal and customer notifications.
- When the request is pending approval, a notification can be triggered to the corresponding DPO, Legal, or Privacy team for faster approvals
- Have SLA notifications at 25%, 50%, 75% & 100% of the elapsed times for tracking the requests and to decide on the next best actions to be performed
- Automated SLA escalation notifications can be triggered to application teams and DPO managers at 75%, 100%, and every day till request closure. This helps in improving the overall compliance
4. Monitoring of access requests:
Monitoring and tracking of access requests using various scheduled reports and dashboards aids in auditing and proactive identification of impediments in DSAR management. Track the access requests by age, risk, status, country, and services using various actionable data visualizations. It can help the DSPs in improving the business processes, practices, and GDPR Compliance.
By implementing the four-step process explained in this article, a leading DSP in Europe experienced the following benefits.
- Reduction in time to log, classify, create, and assign tasks by 60%
- 40% potential savings by avoiding penalties from EU regulators
- Improved GDPR Compliance
- Enhanced DPO and customer experience
I thank Priyankaa A – Analyst, Strategic Insights, Prodapt Solutions for contributing her inputs.
Omprakash Chakrala – Senior Technical Architect, Prodapt Solutions.
Om Prakash Chakrala has around 18 years of consulting and architecture experience in Telecom and other business domains. He has a commanding knowledge of OSS/BSS, Cloud Computing, ITSM solutions, ITIL processes, SAFe, DevOps, CI/CD, and Workflow automation solutions. He is passionate about providing strategic/tactical solutions to the clients & has successfully helped many Telcos/DSPs (Digital Service Providers) with their business and IT transformation programs.
Om Prakash Chakrala is Senior Technical Architect at Prodapt, a two-decade-old consulting & managed services provider, singularly focused on the TMT (Technology Media & Telecommunications) industry that helps clients transform their IT, products, operations, and networks to meet their strategic objectives. Prodapt provides insights and thought leadership-led transformation services leveraging next-gen technologies such as robotic process automation (RPA), artificial intelligence/machine learning (AI/ML), software-defined networking/network function virtualization (SDN-NFV), and next-gen OSS/BSS systems.