1. What Was the Situation?
A global technology client operating in the transport industry faced complex challenges in managing high volumes of law enforcement requests and data subject access requests (DSARs).
The legal environment surrounding the law enforcement requests involved navigating various international laws and ensuring compliance with GDPR requirements, particularly regarding the assessment of the legal bases for these requests and their proportionality in relation to the data requested. In addition, the client needed help maintaining their DSAR tracker, locating and redacting sensitive information, and preparing responses for data subjects.
2. How Did We Help the Client?
We deployed a team of two junior privacy professionals, one from the UK and the other from Poland, to support the client across the following two main areas:
(1) Law Enforcement Requests:
- Preparing responses: Assisting the client in drafting detailed and accurate responses to messages and requests for data received from the authorities.
- Researching international laws: Researching the various international laws referenced by the authorities, evaluating whether they provided a valid legal basis for requesting the data.
- Advising customer service agents: Providing advice to internal customer service agents on issues that arose in relation to law enforcement requests, ensuring they were well-equipped to handle in-coming questions.
- Collaborating with internal counsel: Working closely with the client’s internal legal counsel to address complex or contentious requests and resolve any issues.
- Assessing authority powers: Researching the powers of international authorities to determine whether they had the right to request the data, ensuring that the client only complied with legitimate requests.
- Proportionality and necessity analysis: Conducting an analysis under the GDPR to assess whether the scope of the data requested was proportionate and necessary to the crime being investigated, ensuring that the client adhered to data minimisation principles.
Data Subject Access Requests (DSARs):
- Advising and instructing customer service agents: Providing guidance to the client’s customer service team on handling DSARs and ensuring that they understood the process and legal obligations involved.
- Maintaining the DSAR tracker: Ensuring that the DSAR tracker was consistently updated with the status of requests, deadlines, and follow-up actions.
- Locating requested data: Locating the data requested by the data subjects, working with the client’s IT team to identify and extract the relevant information.
- Redacting sensitive data: Redacting internal IDs, third party personal data, and other sensitive/non-relevant information from the in-scope documents before sharing it with the data subject.
- Preparing responses: Drafting responses to the data subjects, clearly explaining the data provided and addressing any follow-up questions they might have.
3. How Did They Benefit?
By providing a skilled team of junior privacy professionals to manage high volumes of law enforcement requests and DSARs, the client was able to focus their internal privacy resources on more complex and strategic projects.
At the same time, the client had the comfort that day-to-day activities were being handled efficiently. Our team streamlined the law enforcement request and DSAR processes, allowing the internal team to focus on critical decision-making. The client also avoided the need for permanent hires, instead relying on flexible support that scaled with their needs.
Our support not only enabled the client to meet their regulatory obligations efficiently but also meant that the client was able to maintain strong relationships with authorities whilst upholding the privacy rights of their data subjects.
