Jon Crowther

Jon Crowther

Founder and Managing Director of CyberSonix

Data Subject Access Request – An effective approach by CyberSonix

Share on facebook
Share on linkedin

Introducing Data Subject Access Requests


In a year of pushing the definition of agile to new limits, I thought I would share a recent case I was engaged in, regarding a Data Subject Access Request (DSAR). 
Recent changes in the GDPR legislation have seen an increase in employees (and former employees) submitting DSAR. Organizations that hold your private data, including employers and former employers are obligated by law to provide your data to you. This is regulated by the Information Commissioners Office (ICO). 

You can also request your data from any organization that holds and has held information about you. This includes banks, service providers, retailers, etc. However, do note that your medical information is regulated under different data legislation.
I have spent the last 10 years in all four corners of the globe, in a professional services capacity, using various technologies for the electronic discovery (eDiscovery) of data, across email, chat messages and other documents, within industrial sized, multinationals and the corporate landscape. This has been for a combination of litigation, compliance, human resources and regulatory matters. The scope of these matters could be as long as 10 years, as many as 100 people (custodians) and various complex enterprise data sources. There has always been a legal deadline to work to, as well as the co-ordination of significant human efforts to review all of the data legally.


A Data Subject Access Request – a case study

‘Your data’ includes anything in written form or stored in an electronic format about you. In a workplace, typically this includes primarily email and, more recently, chat messages. In this recent example, a Data Subject Access Request (DSAR) was made to my client asking for:
“Any (e-mail or other) correspondence relating to my person sent by or received, whether internal or external by the former employee and 15 other named current employees, during a 9 month period in 2020”

CyberSonix were engaged in a consultancy capacity, to assist in the collection, search, filter, review and production of electronic communication stored in the client’s infrastructure. This included physical on-premise infrastructure, but, as is typical for many organisations, also the Microsoft 365 stack, in the cloud.


Scoping and fact finding:

The first task was to provide the client with the CyberSonix Data Processing and Non- disclosure Agreement. This has been prepared specifically for our business with our legal consultants. The agreement provided necessary consideration around the relationship between a “Data controller” and a “Data processor”. It also provides the standard non- disclosure of data agreement. It may be that a client will provide their own non-disclosure agreement for both parties to sign.

Once the agreement was signed, I set up a call with the organisation’s IT manager and HR director. The purpose was to offer an introduction and background to what CyberSonix could do, a chance to offer more information about how best to handle the DSAR and, for me, to gain an understanding of the client’s infrastructure. The client subscribes to the Microsoft 365 E3 licensing that enables (amongst many other security and compliance tools) advanced eDiscovery features. The client was aware of the tools, but had not used them to date.

We agreed that the most cost-effective approach for this scenario was to utilize these tools. At the same time, we could future proof a workflow that the organisation could use going forward. It is worth mentioning that if there had been some traditional data sources (laptops, mobiles, on premise exchange or network file shares), we have tools and expertise to collect this data too. Similarly, if the Microsoft Advanced eDiscovery tooling was not subscribed to, we could “collect” the data ourselves, and host the DSAR data with our technology partner, in a cloud review application. For enhanced security, CyberSonix would still project manage this data once hosted.

At the conclusion of the call, I proposed sending over a Statement of Works. This lays out the terms and conditions of the CyberSonix consultancy business, along with cost estimates, based on the now defined scope of the analysis and when it would be complete.


The client enabled access to their Microsoft 365 environment and Cybersonix were able to set up a ‘case’ using the Microsoft Advanced eDiscovery feature. We started with running some searches based on the scope of the original DSAR request. After further consultation with the HR team, the search focused on:


Emails only: 
– Where the person’s name was mentioned in the body or subject of a message.
Within a 9-month date range in 2020.
Messages where the 15 other named employees were participants (included in   the ‘from’, ‘to’, ‘cc’ and ‘bcc’ fields)
Excluding messages where the person was a sender or recipient.


Reviewing the results

The results of the above search were then added to a ‘review set’. We were then able to produce an Excel metadata report of the results. This detailed the email messages which fitted the above criteria and included the recipient details, subject lines and date.
This review set was provided to the client who was able to review the detail and determine some exclusions, based on the subject matter of the individual emails. Exclusions included company broadcasts, system notifications, IT messages and regular business reports. . We then used these exclusions to refine the original searches and re-run them. This brought the number of messages down from a few thousand to a few hundred. These refined search results were copied to become a second, more refined,review set. At this stage, our specialist tool de- duplicates messages to bring the number of results down further. This report and exclude process was iterated and, at each stage, the search was saved so an audit trail of effort and approach was recorded. This ensures all that we do is fully transparent.

To assist in our review of the messages, in the final review set, CyberSonix created a query that searched for keywords and highlighted these keywords within the relevant emails. This allowed our client to more easily and swiftly review each email and tag for its relevance in line with the original DSAR request, and to guide the client on how to assess each email going forward.
The following tags were created to assist this process and to group the emails:
– Relevant
– Redaction
– Query
– Not relevant
– Redacted

Once complete, CyberSonix provided Excel reports for each “bucket” of the three tags used: relevant, not relevant and query. The client then reviewed these reports again and provided some further indications (based on subject and reviewer knowledge) of whether the message was relevant or non-relevant, removing all queries. CyberSonix applied Final Tags based on the reviewed excel reports. Final Tag totals were reconciled to the Excel reports.
Any Redactions were then applied to messages / attachments by the client from within the Microsoft advanced eDiscovery review set.


Producing the final report to fulfil the DSAR

Finally, CyberSonix created exports following approval from the client. Exports were of items tagged as Final Relevant, Final Query, Final Non-Relevant and produced in discrete batches (due to capacity of the tool and size of files). Each individual email message was exported as a PDF file, with redactions applied.
Once the exports were created in Microsoft Advanced eDiscovery, the client downloaded the items in their PDF format and distributed in accordance with the original DSAR..



Using this simple but thorough process ensured that the Data Subject Access Request was fulfilled in a timely manner and the person in question received all of the data containing their information in a clearly structured and easy to access way. Furthermore, Cybersonix ensured that should the client receive another DSAR, they had systems in place to ensure we could support them efficiently to create a report and collate the relevant emails and messages again.




More to explorer

eDiscovery Tool evaluation – Case Study

Share on facebook Share on linkedin Background “Discovery” Technology Tools exists that can index an organisations unstructured user data. This is typically

Ready to work with us?
Contact us to discuss how we can help build a strong digital brand presence.

Ready to work with us? Contact us to
discuss how we can help build a
strong digital brand presence.

+44 20 8078 3447