AI and the control of data subject access requests

Jaeger Glucina at Luminance explains why Farage and Coutts are just the tip of a data privacy iceberg

 

At the end of July, the latest Nigel Farage-driven story to dominate the British media cycle came to a head, with the announcement that Peter Flavel would be stepping down as the CEO of Coutts, the NatWest-owned bank which specialises in catering for high net worth individuals.

 

What may have started as a reaction to the loss of his banking services, following an apparent breach of client confidentiality, has quickly been turned into a larger conversation about the accessibility of personal information.

 

But what many may have missed in all the uproar is that Farage did not need to rely on any exceptional detective work in order to expose Coutts. In fact, the smoking gun which transformed this story into front-page news was a legal tool available to anyone, and which has its roots in EU legislation.

 

Understanding how he did so, and what that means going forward, may yet prove to be much more significant for business operations than any fallout from the Coutts case.

 

The DSAR challenge

The General Data Protection Regulation (GDPR) provides people with the ability to request all of the information that an organisation holds on them through something called a data subject access request or ‘DSAR’.

 

In essence, these protections aim to give individuals greater control over their data, which in today’s tumultuous landscape is essential. But such requests - as well as similar US-based legislation, such as the California Consumer Privacy Act - demand extensive legal resource for the organisations involved.

 

That’s because, for a business seeking to respond to a DSAR, it generally won’t be enough to simply consult a CRM or similar database and extract the personal data formally held about the requester. The request also extends to a variety of atypical working documents like spreadsheets, Slack messages or, as in the Farage case, email threads.

 

Even for a relatively modestly sized organisation, a DSAR may involve checking hundreds of thousands of sources across multiple systems to verify whether or not they contain relevant information.

 

And to add insult to injury, DSARs must be turned around within thirty days of receipt or the business risks a non-compliance fine of up to 4% of its global annual turnover. This is an enormous task for any legal team, never mind smaller businesses with a one- or two-person legal team, and often presents an additional strain to already overburdened lawyers.

 

The role of advanced AI

As time goes on, we are likely to see legal teams adapting to the reality of DSARs. One shift will come through greater familiarity with the process and the scope that legal teams have to resist or ameliorate requests: exemption clauses do exist, and being willing to invoke them may alleviate the burden of labour.

 

However, even this response clearly involves significant legal resource, and exemptions are by no means a given. On a broader level, businesses simply need a more efficient, more effective way of complying with DSARs.

 

Artificial intelligence can certainly deliver that. In essence, responding to a DSAR is about scanning gigantic datasets for the requester’s personal information, compiling the relevant data with an appropriate amount of context, and redacting any personal information which does not belong to the requester.

 

That’s precise, nuanced work – but it’s also highly repetitive work, which makes it an ideal candidate for AI-driven automation.

 

To put that into numbers: for one business - UK-based technology company, proSapient - introducing specialist legal AI into their workflow meant that they could cull a dataset of 166,000 documents down to 800 relevant items in four hours. This approach ultimately halved their DSAR response time while saving £20,000 in legal costs.

 

One thing is certain: DSARs are only going to grow in volume over the coming years. Every time a high-profile case puts them centre-stage, more people will become aware of the power they hold to gain insight into personal data usage. Indeed, we have already seen a significant growth in their usage from former employees seeking to challenge redundancy actions by observing the business’s decision-making processes.

 

Much about business cultures and working practices stands to be affected by DSARs. The first job for legal teams, though, is to arm themselves with the tools to manage the coming wave of requests.

 

---

 

Jaeger Glucina is MD and Chief of Staff at Luminance

 

Main image courtesy of iStockPhoto.com