Streaming live November 29 and 30, PrivSec Global unites experts from both Privacy and Security, providing a forum where professionals across both fields can listen, learn and debate the central role that Privacy, Security and GRC play in business today.
Matthew is a Data Protection and Privacy Professional, with extensive knowledge of global Privacy compliance and Data Protection matters. A skilled and accredited practitioner, his program management, compliance expertise, and knowledge of global privacy laws means he is well positioned to translate regulatory compliance obligations into meaningful business contexts.
Mastering Employee DSARs - Day 1, Wednesday 29th November, 18:30 – 19:15 GMT
Could you outline your career so far?
Initially I had career aspirations to become a museum curator and have undergraduate and postgraduate degrees in Art History and Anthropology. When concluding that I was not in a financial position to pursue this due to the prevalence of unpaid/low paid work concentrated in larger cities I made the decision to build my way up in a new direction working in a local government contact centre.
I became interested in welfare reform and information governance, progressing into different roles, completing tasks and supporting projects related to compliance with Freedom of Information and Data Protection laws.
I then completed a Project Management apprenticeship and have continued to study and gain professional qualifications related to Privacy, Data Protection, and Information Security as my career has progressed.
I moved from local government to a technology company providing software to the public sector, progressing into a leadership role responsible for managing a global privacy programme. This involved developing training courses, raising awareness, implementing privacy standards, and managing the practical and operational application of requirements around governance, risk, and compliance.
In my current role as a Senior Privacy Consultant, I work at BSI, the British Standards Institution. BSI is the National Standards Body, which also provides consultancy, including Digital Trust Consulting. I provide privacy advisory services to a wide range of organisations, big and small, public and private, that operate across multiple countries, requiring compliance with different data protection and privacy laws.
Depending on the maturity of an organisation’s data protection framework, they may need support implementing additional standards and best practice, moving beyond the regulatory requirements to meet the needs of the organisation, and the expectations of their customers and consumers, where they have decided to take proactive steps to embed privacy in their culture and strategy.
I advise and guide organisations to ensure that they have the right processes, procedures, and mentality to consider the protection of employee, customer, and citizen personal data as part of business as usual. This involves translating regulatory requirements into practical and actionable tasks that can be implemented to make sure that the right controls are in place to protect individuals from harm. The right controls are also needed to protect an organisation’s reputation by minimising the likelihood and impact of an incident involving personal data that could cause an individual harm due to their personal data being unavailable, inaccurate, or accessed by those who shouldn’t be able to see it.
What are the most important factors to consider when responding to employee DSARs?
This is one of the rights individuals have under an increasing number of data protection and privacy regulations across the world, including the GDPR in the UK and EU, the PDPA in Singapore, and emerging US state privacy laws.
In the UK and EU, the process of exercising this right is referred to as a Subject Access Request (SAR) or a Data Subject Access Request (DSAR). This right generally entitles an individual (data subject) to access a copy of all personal data held about them by an organisation. This includes personal data collected directly and actively from them (e.g. name, address, contact details, and ID) as well as personal data processed indirectly and passively (e.g. IP address, decisions, inferences, shopping habits, risk-scoring, profiling, and opinions).
A request may be submitted using a formal or informal method, so an organisation should ensure that staff are trained to recognise these requests and that there is a documented procedure to follow when a request is received. All requests should be acknowledged as soon as they are received.
Once the request and identity of the individual has been validated, the personal data relating to them should be prepared in an intelligible manner, without jargon or company acronyms and presented in an easily accessible way, to enable an individual to receive and access the data they requested.
An organisation should assign responsibility to a central team that coordinates these requests; this could be positioned in HR or a compliance function. However, depending on the volume and complexity of retrieving the personal data, this process is likely to need input from the contact centre, the IT department, and any other department that is responsible for personal data within an organisation. It needs to be a collaborative effort.
It’s vital to ensure staff are trained to identify requests and that adequately trained resources can be assigned at short notice to deal with the request. It’s also key to know where the personal data are stored, how to export them from systems, and how to redact information that isn’t the data subject’s personal data.
Responding to a request can be a complex and time-consuming task, so organisations should ensure that the policies, procedures, and people are in place.
In what ways can technology assist the DSAR process, and what risks are involved?
There are opportunities to automate and streamline different stages of the DSAR process, from a public-facing online request form, an automated triage and workflow, a case management system to record and track requests, all the way through to using e-discovery tools to aid the ability to search, sort, review and redact.
If an organisation regularly receives high volumes of requests, or experiences periodic spikes due to media coverage of high-profile DSARs which piques public interest and prompts people to submit their own requests, then utilisation of technology solutions should be considered to prevent disruption to business-as-usual operational activities.
DSARs can be resource-intensive and time-consuming, especially if they are complex and involve significant amounts of records. In theory, it should be a straightforward task to search for the relevant personal information about an individual; however, the reality is that organisations may not have the right functionality and tools in place to access, search, and export the data to respond to a DSAR.
If an organisation doesn’t have the right tools in place, it can often be too late to source and implement one when a request is received. The timeframe to respond to a DSAR under GDPR is within one month of receipt, and the response time for a consumer right of access request under the California Privacy Rights Act (CPRA) is 45 days. Timeframes vary but are short when you consider how long it can take to deal with a single request.
Preparation is key and a DSAR should not be a heavy burden for organisations that are ready and aware of what steps must be taken to respond to such a request, and what tools will assist them in doing so.
Proactive steps and utilisation of existing documentation for regulatory compliance can help manage these requests effectively and efficiently, including up-to-date data flow mapping and records of processing activity and data inventories to understand where the data are stored and what the scope is.
Technology can help implement robust processing and searching capabilities, and automated redaction capabilities will support the reduction in the amount of manual work required to remove additional sensitive data related to individuals other than the requestor.
It is important to remember that the right of access only entitles an individual to access their personal data. They should not be given access to the personal data or information relating to any other individual.
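As an added illustration, not part of this interview or of any BSI tooling, the following Python sketch works through the search, third-party redaction and response-deadline stages described above. The staff directory and the HR and mailbox records are constructed sample data; the one-month deadline rule follows the GDPR timeframe mentioned in the interview.

```python
import calendar
import re
from dataclasses import dataclass
from datetime import date


@dataclass
class Record:
    source: str  # system the record was exported from (e.g. "hr", "mail")
    text: str


# Constructed directory of people whose data may appear in records (not real).
DIRECTORY = {
    "Alex Smith": "asmith@example.com",
    "Jordan Lee": "jlee@example.com",
    "Sam Patel": "spatel@example.com",
}

# Constructed sample exports from an HR system and a mailbox (not real data).
RECORDS = [
    Record("hr", "Absence review for Alex Smith (asmith@example.com): approved by Jordan Lee."),
    Record("mail", "Jordan Lee to Sam Patel: please schedule Alex Smith's 1:1 on Friday."),
    Record("mail", "Sam Patel to Jordan Lee: the Q3 budget is attached."),
]


def collect(records, subject):
    """Search stage: keep only records that mention the requester's identifiers."""
    ids = [subject.lower(), DIRECTORY[subject].lower()]
    return [r for r in records if any(i in r.text.lower() for i in ids)]


def redact(text, subject):
    """Redaction stage: mask names and e-mail addresses of anyone other than the requester."""
    for name, email in DIRECTORY.items():
        if name == subject:
            continue
        for ident in (name, email):
            text = re.sub(re.escape(ident), "[REDACTED: third party]", text, flags=re.IGNORECASE)
    return text


def deadline(received):
    """One calendar month after receipt (GDPR), clamped to the last day of that month."""
    year = received.year + (received.month == 12)
    month = received.month % 12 + 1
    day = min(received.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def respond(records, subject, received_iso):
    """Assemble the disclosure bundle: redacted records plus the date to respond by."""
    items = [{"source": r.source, "content": redact(r.text, subject)}
             for r in collect(records, subject)]
    respond_by = deadline(date.fromisoformat(received_iso)).isoformat()
    return {"subject": subject, "respond_by": respond_by, "items": items}
```

The third record never mentions the requester and is left out of the bundle, while the other two keep the requester's own data and mask everyone else's, which is the distinction the right of access turns on.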
Responding effectively to data subject access requests (DSARs) can be a tricky prospect. Complex requests, especially from current or former employees, often require handling a wide range of data (often sensitive) across the enterprise.
Whether it’s wading through the review process of thousands of emails, bearing the cost of external counsel, or working with IT to ensure you have all the personal data you need from various (tricky to collect / legacy / remote) data sources, employee DSARs can soon become an extremely tough exercise to fulfil.
Tune in to PrivSec Global to hear an expert panel discuss key considerations when responding to employee DSARs and how technology can help fulfil complex requests.
Also on the panel:
- Kobi Nissan, CPO and co-founder, MineOS (Panel Host)
- Nandita Rao Narla, Head of Technical Privacy & Governance, DoorDash
- Session: Mastering Employee DSARs
- Time: 18:30 – 19:15 GMT
- Date: Day 1, Wednesday 29 November 2023
Discover more at PrivSec Global
As regulation gets stricter – and data and tech become more crucial – it’s increasingly clear that the skills required in each of these areas are not only connected, but inseparable.
Exclusively at PrivSec Global on 29 & 30 November 2023, industry leaders, academics and subject-matter experts unite to explore these skills and the central role they play within privacy, security and GRC.