Since the introduction of the EU General Data Protection Regulation GDPR) in 2018, businesses are increasingly tasked with adhering to Data Subject Access Requests (DSARs). These are written requests made by an individual to an organization which holds their personal information, such as an employee and their employer, or a customer and their bank. GDPR accelerated the deadline for organizations to respond to these types of requests from 40 days to one month.
A UK-based technology firm received a DSAR from a former employee and had one month to adhere to the request. The firm needed to find the relevant documents without spending an exorbitant amount of money. They turned to Complete Discovery Source to help.
"The scope of this request was broad and unfocused. We would have had to search every one of our shared and local data repositories for relevant information," said the technology firm's senior counsel. “It quickly became apparent that the scale of the task precluded us from meeting the GDPR-mandated deadline without assistance."
"DSAR requests can be very complex. You must capture all the personal information held on an individual. Yet, your collection must also be targeted; you don't want to over-collect and be oversaturated with irrelevant information."
Senior Project Consultant
Narrowing an Unfocused Request
Based on the scope of the request, the technology firm received a two-month extension from the requestor.
Prior to receiving the documents from their client, CDS assisted the firm’s IT team in utilizing Microsoft Office 365 email compliance tools. The tools' keyword search functionality helped to cull the document set. However, the team still had to export over one million documents. The tech firm initially searched these documents to remove special category data such as documentation showing political opinions, religious beliefs, or racial and ethnic origin, among others prior to being provided to CDS.
“With such a large volume of data, we needed to cull the documents to meet the deadline,” Mark said. “In addition to RelativityOne's standard de-duplication functionality, additional advanced deduplication functionality was applied to ensure reviewers were only looking at unique data.”
CDS leveraged email threading to eliminate duplicative emails, alongside other RelativityOne Analytics tools. Then, they added the search terms from the initial Microsoft Office 365 collection to RelativityOne’s search terms report feature to gain further insight into the results on the initial data collection.
The large number of hits led CDS to question the percent of false positives. So, CDS started by isolating the documents containing only one key term and looked for textual patterns to identify false positives. While consulting with the review team, CDS removed any documents which were found to be legitimate false positives from the review set after a final quality control check was conducted.
With the use of Analytics and analysis of textual patterns, CDS reduced the data set from one million to only 12,544 documents. The four-person team reviewed this set and found they only needed to produce 2,285 documents to the requestor. A final QC found there were 629 documents within those 2,285 documents that required redaction. These documents contained confidential and personal data for other employees.
Adhering to GDPR-Mandated Deadlines with SaaS
Ultimately, using RelativityOne allowed the team to review the documents within the mandated deadlines and cull the document set by more than 99 percent. According to CDS estimates, a linear review of one million documents would have taken nearly 517 days using only four reviewers.
“Our client’s in-house technology tools would not have been able to handle a request of this nature,” said Mark. “Without our client utilizing RelativityOne, it would have been near impossible for them to complete the request within the timeframe.”
“CDS’ expertise and use of RelativityOne were pivotal in reducing a previously unmanageable body of data into a focused and workable data set."