标准2025BSI的新研究显示,超过一半的欧洲组织没有固定方法响应数据主体访问请求(DSARs)。BSI的网络安全和信息恢复部为GDPR做准备并实施了这项研究,强调三分之一的欧洲商业组织认为自己极有可能收到DSAR。
DSAR是一种法律机制,它允许欧洲公民充分考虑公司持有的所有个人数据的完整记录,解释为什么要保存这些信息以及他们想要的数据副本。
1、DSAR 和 GDPR
GDPR自5月25日星期五开始生效,大大提高了公民作为数据主体的权利意识,而且让欧盟公民处理或收集个人数据的机构不再受收费的抑制因素影响(如果是向信贷资料机构索取有关财务状况信息的请求,目前英国的组织可能会收取高达10英镑或2英镑的费用),以此响应DSAR。
所有公司都需要遵守更严格的规则,在欧盟内部用GDPR的框架保护数据和数据主体(公民)隐私。如果不遵守规则,最高可处以2000万欧元的罚款,相当于一个组织全球年营业额的4%。
2、DSAR及其对资源的影响
尽管提交私人公民提出的数据请求并不是一个新现象,但这个过程将随着GDPR的发展而变得更加便捷。机构接收DSAR的方式已突破传统邮政或电子邮件渠道,可以通过实时聊天门户、电话或甚至社交媒体渠道亲自接收。
研究还询问受访者将在5月25日后分配多少费用来处理组织中的DSAR,调查显示,有五分之一的组织估算费用将达到2.8万欧元。
根据GDPR,这些组织预计将在一个月内完成DSAR,而不是现有的40天期限。组织内的数据来源可以包括CCTV数据、电话呼叫数据、网络聊天记录数据、CRM记录和订单历史记录。如果DSAR涉及员工,还可以包括所有电子邮件、任何提及员工姓名的会议记录或与他们工作有关的文件或信件。
BSI行业服务部负责人Stephen O'Boyle在评论这项研究时表示,DSAR要想发挥作用可能需要经过复杂的过程:“实施DSAR所需的资源可能相当庞杂,不应被低估。同时,预计在GDPR规定的一个月期间内,众多组织将可能涉及大量数据。”
还有一个担忧是,这些组织可能面临来自不满的客户或前雇员的具有破坏性的DSAR;这些人中,有些人持私人的不满情绪,有些掌握足够的知识能够使某个被DSAR广泛覆盖的机构瘫痪。
Stephen直接对英国众多组织说:“DSAR背后的动机并不总是很那样明确,但最终结果可能产生包括资源方面的巨大代价;如果您的请求处理得不妥,可能会收到客户向信息专员办公室提出的投诉。准备工作是关键。制定有条理的计划,并考虑提供额外技术和工作人员意识培训等支持,将降低违反DSAR的风险。”
BSI的网络安全和信息恢复部提供一系列解决方案,帮助各组织遵守GDPR,包括咨询、培训、研究、技术解决方案和外包数据保护官(DPO)服务。
58 per cent of businesses have no defined process for responding to Data Subject Access Requests
New research by BSI, the business improvement company,has revealed that over half of European organizations have no fixed method in place for responding to Data Subject Access Requests (DSARs). The research, carried out by the Cybersecurity and Information Resilience division of BSI in preparation for the GDPR, also highlighted that a third of European businesses rate themselves as highly likely to receive a DSAR.
A DSAR is the legal mechanism which allows European citizens to obtain a full account of all personal data an organization holds on them, an explanation as to why this information is being held, and copies of this data should they wish.
DSAR and the GDPR
The GDPR, coming into effect on Friday 25 May, has greatly increased the awareness levels of citizens to their rights as data subjects, and also organizations processing or collecting personal data for EU citizens will no longer have the inhibiting factor of a charging fee (currently UK organizations may charge a fee of up to £10 or £2 if it is a request to a credit reference agency for information about financial standing only) for responding to a DSAR.
All companies will need to comply with stricter rules concerning the data protection and privacy of data subjects (citizens) within the EU under the GDPR. Failure to comply could result in fines of up to €20 million or 4 per cent of an organization’s annual global turnover.
DSAR and impact on resources
While the submission of data requests from private citizens is not a new phenomenon, the process is about to get significantly easier with the GDPR. The way in which organizations can receive a DSAR has expanded outside of the traditional postal option, or email channels, and can be received verbally in person, through a live chat portal, verbally over the phone, or even via social media channels.
The research also asked respondents what cost they would be allocating post 25 May for handling DSARs in organizations and it revealed that one in five organizations estimated a cost of up to €28,000.
Under the GDPR, organizations will now be expected to complete DSARs within one month, rather than the existing 40 day timeframe. Sources of data within an organization can include CCTV data, phone call data, web chat log data, CRM records and order history. Where a DSAR relates to an employee, it can also include all emails, any meeting minutes where the employees name is mentioned or documents or correspondence relating to any work they have done.
Commenting on the research, Stephen O’Boyle, Head of Professional Services at BSI, said the implications of DSARs could be onerous: “The resources required to undertake a DSAR can be considerable, and shouldn’t be underestimated. Organizations will be expected to wade through huge volumes of data within the reduced one month window stipulated by the GDPR.”
There is also a concern that organizations may face disruptive DSARs from disgruntled customers or ex-employees, those with a personal gripe, or someone with enough knowledge to cripple an organization with an extensive DSAR. Addressing UK organizations directly, Stephen continued: “The motive behind DSARs is not always clear but the end result may include significant costs in responding in terms of resources, and the risk of a complaint to the Information Commissioner’s Office if your handling of a request falls short. Preparation is key and organizations who have a structured plan in place and who consider additional supports to aid it, such as additional technology and staff awareness training, will reduce the risk of non-compliance in responding to a DSAR.”
The Cybersecurity and Information Resilience division of BSI provides a range of solutions to help organizations become GDPR compliant including consulting, training, research, technical solutions and outsourced Data Protection Officer (DPO) services. For more information visit