GDPR’s Nightmare Letter: How to Protect Your Data Currency from a DSAR


The General Data Protection Regulation, best known by its acronym GDPR, is a regulation that aims to provide European residents with more control and protection over their personal data.

Even US companies must be cognizant of complying with GDPR rules and regulations. If there are any European connections, even if it’s only one customer residing in Europe, GDPR will affect you. Global organizations may face potential penalties of up to 4% of global revenue in worst-case scenarios, and might even be ordered to stop processing!

So, how does one prepare for the “nightmare letters” of a DSAR?

Organizations across the globe need to ensure that they have an appropriate legal basis for Personally Identifiable Information (PII) that they create, collect, use and share, and that this information is also protected from misuse and exploitation.

Furthermore, under the regulations of GDPR, any person whose PII (such as browsing history, date of birth, or contact information) is being held by an organization can make a Data Subject Access Request. A DSAR is a request for all information held by an organization that is related to the requesting person. You can imagine how this can be a nightmare for organizations that have taken a relaxed approach to data governance and categorization.

A DSAR grants the ownership of a person’s data to that individual. That means that organizations need a way to find all this content when that “nightmare letter” arrives. How do you easily tell an individual, as required by Article 15 of the GDPR, WHY you have their data, WHERE you store it, WHAT you have done with it, HOW you are managing it, and most importantly, WHO can see it?

AvePoint Has You Covered

Luckily, there are ways organizations can appropriately respond to DSARs and avoid hefty fines. Our Enterprise Risk Management solution already had you covered by providing a means to collect information about what privacy data is expected to be in what systems, defining who would have access to it and how it would be used. Building on this precedent, the latest versions of AvePoint’s Compliance Guardian and Cloud Backup provide tools to assist with these issues.

Cloud Backup provides a means to delete a user’s content from within Office 365 Mailboxes and OneDrive, supporting the European citizen’s “right to be forgotten” defined under GDPR. It also provides a trail of evidence for the Defensible Deletion/Disposition of the Content, and even supports the execution of multiple “right-to-be-forgotten” requests at once! These capabilities can be discovered through our new Data Privacy Dashboard.

Many of AvePoint’s customers are using Compliance Guardian to provide flexible scope and filtering options to scan multiple data sources, from Microsoft Teams (and Office 365 in general) to G-Suite and more. This will help to cover most customers’ centralized policy-driven compliance and governance needs; however, under GDPR regulations and as a result of a DSAR, organizations may need to perform ad-hoc scans on specific datasets.

With the latest release of Compliance Guardian 4.4, Discovery+ lets customers already using AvePoint to identify and tag PII in their environments utilize the SharePoint Server Index to find data specifically related to one or more DSARs. Once found, the related data results are centralized into a single incident within Compliance Guardian where existing remediation actions such as deleting or exporting can be utilized based on the request requirements, before full results are exported to the requesting citizen. This tool combines the power of an eDiscovery tool with the power of AvePoint’s Incident Management system – headaches avoided!


Discover+ allows for complex search operations, including data sources, AND/OR Booleans, document metadata, contains or equals, and before/after/between operations.

Today’s technology solutions are designed with the end-user in mind: get them the technology they need to accomplish the mission as efficiently as possible. However, companies are finding more and more that not considering privacy and security as part of the implementation design is a very costly mistake. As they say, data is the new currency, and if you aren’t mindful of how that data is being properly managed and stored, you will suffer the consequences. Talk to AvePoint to learn more about how we can help ensure the safety of your currency.


Jay Leask (http://jay.leask.com/)
I sell software, but my passion is to help translate the needs of the business into the capabilities of available technology. Over two decades in tech I have helped customers analyze collaboration solutions against actual mission needs in helping them select the best path based on their personal critical success factors. Per my training I’m a project manager (PMP), an engineer, an architect, and a designer; but ultimately, I’m a problem solver.
