A Milyli customer started using Relativity and Blackout to process General Data Protection Regulation (GDPR) Data Subject Access Requests (DSARs). According to them, it made the DSAR process faster and more accurate – and as a result, less operationally expensive – so we wrote up their story in an ungated case study.
To help other Relativity and Blackout users understand how they can do the same, we mapped the traditional electronic discovery model (EDRM) to a DSAR workflow. But let's start with three reasons why this is the right approach.
Why Process GDPR DSARs with Relativity +Blackout
Reason 1: DSARs can touch a variety of document types and personal identifier information. Not every tool can process a DSAR's scope of content correctly or quickly. However, Relativity with Blackout can.
In Relativity, Blackout can run automated inverse redaction jobs on the DSAR documents. Using advanced data pattern recognition, Blackout can eliminate all the data except that of the DSAR petitioner.
Reason 2: Forty days is the required turnaround for processing a DSAR. If there is a large amount of documents scattered across departments or held by third parties, a manual review can slow production on a DSAR to a crawl. Missed deadlines lead to costly fees, so consider cutting time with automating tools.
"We were able to apply 800,000 redactions in just two days [with Blackout] – accomplishing nearly a year and a half’s work in a few weeks. If we had performed [a] manual review, the estimated time for redactions alone would have been 540 days." See who said it. →
Reason 3: It is a more efficient use of resources. Just like no one wants a kitchen full of single-use appliances, no organization wants a tech budget full of expensive single-use software. Relativity's versatility allows it to do eDiscovery projects while also handling something "eDiscovery adjacent," like a DSAR – with Blackout adding redaction functionality for either scenario.
So How Do You Map a DSAR Workflow to the EDRM?
Step 1: Identify The Sources
Start by collecting all of the documents and files relevant to the DSAR. They should include hardcopy documents as well as electronic data. This often means working across an organization to pull files from customer and employee management systems, shared drives, email accounts, and so on. Don't leave any digital nooks and crannies where personal data lives unexamined.
Step 2: Detail All Responsibilities
It is critical that everyone involved in the DSAR know their specific role and responsibilities – even if that role is just intake of the petition and instructions on how to engage with the petitioner. Appoint a project manager similar to those that oversee case reviews. They should outline who needs to do what down to the letter.
Step 3: Outline All Changes
The DSAR project manager should also detail the document changes will be made separately from the list of roles and responsibilities. This will help ensure documents are culled or included appropriately and any private information that should not be shared is secured or withheld.
Step 4: Think About Timeframes, Not Just Due Dates
It is important to communicate any deadlines and milestone explicitly to the broader team, but the project manager should operate with a more flexible understanding of the full project timeline. With early and late tasks, they should know where they can add/subtract time from the larger scope of the project.
Additionally, they should factor in time for post-mortems, audits, and/or compliance filings as part of a DSAR's operational "cost."
Step 5: Learn This Simple DSAR Workflow!
INTAKE AND VALIDATION: After receiving a valid DSAR, gather any additional personal info from the petitioner to facilitate the workflow. (E.g. confirm the spelling of their name, any nicknames they used, D.O.B., etc.)
SCOPING: This includes the outlining responsibilities, success criteria, and timelines. (Steps 1-4 above.)
IDENTIFICATION AND COLLECTION: Next, evaluate which source documents are relevant before gathering them all in a central location (I.e., Relativity).
REVIEW/PROCESSING: This includes the batching of documents, redaction jobs, and quality control reviews.
PRODUCTION AND HANDOFF: Create a secure and traceable communication –most likely an email– that explains the enclosed data to the DSAR petitioner. (Blackout exports files in GDPR-compliant Excel format.)
Step 6: Translate
From there, it's just a matter of aligning these DSAR stages to the EDRM. In the image below, the green boxes are the stages of the DSAR workflow, and the orange and blue boxes are those of the EDRM, with the blue representing where Blackout touches the process.
Although eDiscovery workflows are not as linear as a DSAR workflow, the only significant difference between the actual tasks is how they are labeled. With a new lens, there is no reason GDPR-compliant DSARs can't become a significantly less time-consuming and costly task.