How will you deal with the deluge of employee DSARs?

The UK’s recession is expected to deepen in 2023 with the economy forecast to lose 1.2% of gross domestic product (GDP). What that means in real terms is that we can expect to see a similar contraction in the marketplace.

This will happen as businesses seek to carve up the market through mergers and acquisitions, all of which will inevitably result in the paring back of the workforce to cut costs.


The tech sector is well ahead of the curve here with big names such as Amazon, Salesforce, Microsoft, Tesla and Twitter all having contributed to the 140,000 redundancies made over the course of 2022.

Those casualties don’t always happen quietly, however, resulting in negative press for the company. There is also another repercussion that many HR teams will find themselves ill-prepared for: the employee data subject access request (DSAR).

Ex-employees may even be targeted by lawyers who will push for a DSAR on their client’s behalf to support a case for unfair dismissal.

As the numbers grow, HR departments could become swamped or, if the function is outsourced, it will become cost-prohibitive. This is because fulfilling an employee DSAR is much more complicated than satisfying one made by a customer.

Decades of data

Employee data can span decades. It is used for a broad range of purposes, shared with third parties, frequently unstructured, and held in a variety of different locations.

Discovery will need to uncover numerous records, possibly including those from mobile texts, perhaps from when the employee phoned in sick, from work documents that bear their name, as well as general correspondence such as emails.

Working from home has further complicated matters, with personal information (PI) residing on collaborative platforms, so that conversations held over Slack, for example, or video recordings from Zoom are also deemed admissible.

There are exceptions to the rule. If the company can show that the material contains information about other individuals, if it’s not possible to redact the information without rendering the document nonsensical or if the company can’t obtain the consent of third parties, the request can be denied. But such a decision must be demonstrable and justified. Therefore, HR must keep a record of the business purposes for which employee data is used if it wishes to decline a DSAR.

Streamlining the process

For HR teams to be prepared for the DSAR deluge, they must work with other departments to develop data inventories and retention schedules to locate personally identifiable data.

An effective data inventory lowers risk and processing costs by reducing this ocean of information. HR should also refine their contracts with third parties, some of whom perform 50-60 HR functions for the company.

By bringing DSAR processing in-house and centralising and automating these workflows, the burden of DSARs can be significantly reduced. All data sources can be identified, connected to third-party solutions, redacted and presented back to the subject using a centralised e-discovery platform.

Not only does this ensure that HR saves significant time and resources, but the business also stands to benefit by reducing the likelihood of legal expenses or reputational damage.

Paul Lewis is senior privacy advisor at Exterro