12 months on from our first intermediary platform generated SAR – What has changed?

It is almost a year since the Outsourced DPO received a subject access request from an information rights platform, and at the time we were filled with suspicion. Several months and many SARs later, has anything changed?

Back in December, receiving a SAR from an intermediary platform (Rightly.co.uk) seemed rather odd.  The Outsourced DPO was used to receiving SARs from solicitors and legal advisors, but had not received any from a database platform before.  But is there a difference between a SAR from a legal representative and one sent by the subject through a platform?  The GDPR envisages that data subjects will raise a right of access request easily and at regular intervals.  It suggests that controllers should, where possible, provide remote access to a secure system that provides a data subject with direct access to his or her personal data.  And the ICO envisages that requests may well be raised by third parties on behalf of data subjects.

The seemingly impersonal nature of a platform sending a request as opposed to a firm of solicitors is probably the only difference.  The only way to find out more about these platforms was to jump in, register an account and raise some SARs!

When the Outsourced DPO was undertaking some software testing for a client a few weeks ago, he chose to create a new “junk account” email address to avoid receiving a shed load of spam from the systems being tested.  Literally within seconds of creating this new “junk” Gmail account, an unsolicited direct marketing email popped into the inbox from Booking.com.  The Outsourced DPO was stunned – how was it that Booking.com knew about this brand new Gmail address, which was literally only a matter of seconds old, and determined that its owner had consented to receive spam emails?

Shortly after this happened, I had a conversation with Rightly.co.uk about their information rights platform.  Two and two were put together and a SAR was raised on Booking.com using Rightly.co.uk, to test run the platform from a data subject’s point of view and to see what information they said they hold.  Of particular interest is the source of the email address.

The Outsourced DPO was surprised at the ease with which SARs are raised on a rights platform.  Formulating a SAR letter is often a big deal to requestors and, whilst templates are available, it can still be intimidating.  Requests can be raised in three mouse clicks on some rights platforms, making it incredibly easy to do.  Each request is logged in a database and displayed on a dashboard to indicate its progress.  When the Outsourced DPO recently tested Rightly.co.uk, the workflow rules operating in the background were clearly corresponding with controllers and maintaining a history of correspondence.  From a requestor point of view, raising SARs becomes a matter of fire and forget … until the request payload is returned.

So, being somewhat trigger happy, another SAR was raised on Sainsbury’s – not because the Outsourced DPO particularly wanted to raise a SAR with them, but mostly because there was a prominent logo which was just so easy to click on.  Click, click, click … SAR away!

To test some other parameters and to try to experience the Rightly approach as a controller, the Outsourced DPO also raised a SAR on one of his own companies.

So what are the benefits of an information rights management platform?

From a requestor point of view, each time a SAR is raised with a controller, the requestor will most likely have to verify their identity.  There are clear benefits of holding approved identity verification in one location such as an information rights platform like Rightly.co.uk so that different controllers can access the same documentation to check that the requestor is in fact who they say they are and entitled to the information requested.  Surely this provides an efficient and reliable method for controllers?

Controllers responding to requests often place the requested information into a secure folder for the requestor to access.  Information rights platforms provide a facility for controllers to load the requested information into their own secure environment which means that requestors will have information in one place.  Over time, it may be that there are a small number of such platforms thereby standardising responses and simplifying the provision of information to requestors.

Some of the challenges that controllers face with such requests are determining the scope of the request, verification of the data subject and the secure transfer of their data back to them.  A platform could certainly help to a degree in each of these areas, which could take some of the burden away from controllers.  Of particular interest is the management of identification documentation which, to be frank, a controller would wish to see but not retain.

It goes without saying that the platform providing such a service must be robust, reliable and trustworthy – it would be a significant issue if it were compromised. Rightly have assured the Outsourced DPO that the data on their platform is encrypted both at rest and in transit as well as benefiting from several other security features.

What happened to the SARs?

There were interesting approaches to the SARs.  Initially a Sainsbury’s auto responder returned an email saying that the request had been received, which looked very promising, but the next day an email was sent by the privacy team advising that Sainsbury’s can only service data subject access requests that are made directly to them by the data subject.  Oh dear … tread very carefully Sainsbury’s!  Perhaps I should ask a lawyer to write to them raising a SAR and see if they take the same approach?  Nothing in the GDPR or its recitals provides an avenue for a controller to refuse to comply with a SAR submitted via a third party.  What, in essence, is the difference between exercising a rights request by letter, Outlook email, Mailchimp email, or Rightly.co.uk email?  If Sainsbury’s can see a distinction, the Outsourced DPO would be interested in discussing this further.

Booking.com have been silent after three weeks.  Watch this space for a further update in a few weeks as the Outsourced DPO is genuinely interested to pursue this SAR to determine how Booking.com obtained his personal data so rapidly.

So – has anything changed?  If done properly, there’s certainly potential for platforms to help make the rights request process easier for controllers to handle. The scope of request, ID verification and secure transfer of data are all areas that controllers can be helped with by such platforms. They’re still in a very nascent stage and will undoubtedly change as they mature. The Outsourced DPO will be watching this space closely!

Phil Brining

08/09/2020