A Better Way to Respond to Employee DSARsby David van Dokkum
At Phaselab we’re on a mission to make it easy for companies to build compliant and respectful privacy programs at scale. One of our strengths is building at the intersection of complicated policy requirements and complex data systems, and we’re excited to sink our teeth into a growing problem for large-scale privacy orgs: employee data subject access requests (DSARs).
Though they’re not as frequent as consumer requests, when they do come in they can be extremely painful, department-halting events. We estimate that roughly 1-2% of employees in the EU are submitting DSARs, with a smaller but growing number in California. Properly managing a request can require tens of thousands of dollars in legal fees and staff time. Conversely, mishandling the request could lead to litigation costs ten times higher and potential fines from data protection authorities. Most of this work is being done manually, but we’re building a better way.
🤔 Slow down boss, what’s so tricky about employee DSARs?
Most DSAR tools are built with consumer/customer requests in mind. They help streamline the request ingest and verification process and integrate with the systems where companies store consumer data (help desks, CRMs, internal databases, etc). Consumer requests tend to pull from structured data stores that only contain sensitive data about the consumer themselves, which a company is obligated to return and potentially delete if the consumer requests it.
Employee data, on the other hand, is a bit more squishy. What constitutes employee data can vary depending on jurisdiction, but for most large companies it will largely be contained in unstructured data stores like Slack, email, and ad hoc documents in Google Drive, Workday, or Microsoft 365. Most of these systems have eDiscovery APIs, but those APIs often just return every single document related to a user, leaving you to do the heavy lifting of sorting through tens of thousands of messages.
You’ll need to find relevant employee data across all of your systems, redact anything from the documents that is out-of-scope, confidential corporate information, or personal information about someone else and then get it shipped off to the requestor in as little as 30 days. This is not your run of the mill consumer DSAR request, and the stakes are high.
🎲 Let’s talk about the stakes
Over the last couple of months we’ve been chatting with privacy leaders in the US and the EU about this very problem (you can read more about our findings here!), and one phrase kept coming up again and again: “employee DSARs are being weaponized!”. Thinking about filing a wrongful termination suit? Why not request access under the CPRA to your performance reviews, or discussions between your manager and HR about your termination? When releasing this kind of information, companies need to be thinking ahead about how this information might be weaponized against them in future litigation, which means outgoing documents need to be carefully reviewed and sanitized.
Teams we spoke to are spending 20+ hours responding to a single one of these requests, and due to the often sensitive nature of the data, that’s 5-6 of your most senior people in legal, HR, and IT. The higher up the requestor was in your org, the more data there is to review and the higher the risk.
🛠 What we’re building
We're building the first purpose-built tool specifically for responding to employee DSARs. We’re approaching the problem with a couple principles:
- First and foremost, this is your most sensitive business data. We don't play games with security and privacy. Everything we do is single tenant and encrypted from auth to AI modeling. Wherever we have an opportunity to let our clients host their own data, we make that option available to avoid expanding data surface area in the name of privacy.
- All of our AI tools are designed to have a human in the loop. These documents need a human eye on them, so we're focusing on making the machine/human collaborative process fast and iterative. We want to give you power tools, not a pink slip.
- We’re aligning product goals with real-world outcomes. The less time you spend mired in document review, the more time you can spend researching the most recent case law. The more confidence you have that something confidential isn’t going to slip through into a pdf, the better sleep you’ll get!
We’re building a modern integration suite that takes full advantage of native search/discovery tools in each platform. Requests are generated in one centralized place, farmed out to all relevant systems, and brought back quickly for review. We follow and apply guidance from our top-notch legal advisors on what exactly constitutes personal employee data in one jurisdiction vs. another, and you can always specify a custom DSAR scoping policy for any jurisdiction.
Within each document, we detect and auto-redact personal info like financial account numbers, emails, and other protected data classes. But we think that’s table stakes for a privacy platform. We're going one step further and introducing confidential data redaction: sensitive business conversations about future earnings, M&A, team and employee performance, customers and partnerships can all be removed from documents automatically without combing through the text line by line, building keyword lists, or hitting ctrl-F.
Finally, we’re wrapping it all up in a clean UI that provides additional workflow, request, and team management tools so you can keep track of all of your in-flight DSARs.
We're excited to be building these tools in tandem with our early partners. If you'd like to join the crew and help guide the direction of the product, we'd love to have you join our closed beta, just shoot us a note at firstname.lastname@example.org or tap the button below.