Case Study
FTI Technology Automates Data Subject Rights Workflows for Life Sciences Company
A U.S.-based genetic testing company with regulatory obligations to accept and fulfill data subject rights for patients, employees, health care providers and other parties was looking to improve its processes and compliance. With the scope, scale and enforcement of data subject rights continually evolving across U.S. states, the company had a critical need to implement robust data handling processes, particularly for personally identifiable information and personal health information. The client engaged FTI Technology to design and implement an automated solution and public-facing data subject request submission portal.
Situation
The client had recently licensed BigID, a data intelligence platform used for data security, privacy, compliance and governance, to connect numerous data sources into a centralized environment. The existing workflow for responding to data subject requests — including right to access, right to correct and right to delete as required under laws of numerous U.S. states — was manual and time-intensive, requiring tracking of status requests through spreadsheets and coordinating across nearly 50 data source owners. This put the organization at frequent risk of failing to meet the 45-day fulfillment timeline required by applicable regulations.
The client had identified more than 200 disparate data sources that could be subject to a request. Indexing these was a six-week exercise for every data source, placing significant obstacles in the way of executing a migration and implementation.
Our Role
FTI Technology has expertise in data privacy and deep knowledge of leading information governance and privacy software platforms. A team certified and trained in the BigID platform designed a three-phase approach to enable the client to expedite the migration and automate data subject request workflows.
The solution included:
- Pre-automation analysis and design. Relevant stakeholders across the organization were interviewed to understand the existing processes and environment, so an inventory of data sources and their corresponding owners could be documented. The team designed an automated end-to-end workflow that included request forms, all steps in the process once a request was received and the final data subject request report. During this phase, the root causes of data source indexing delays were identified and mitigated.
- Automation build. FTI Technology developed and launched a public-facing submission portal for requests and integrated it into the company’s website, providing a centralized platform to accept requests and submit final reports to requestors. This included forms for the three types of requests (right to access, right to correct, right to delete) and automated actions, including notifications and tracking of all data source owner tasks, so that all submissions and subsequent steps could be effectively automated. As the new process was refined, configurations were updated and corrected to optimize indexing and eliminate data source connection issues.
- Post-automation testing and recommendations. FTI Technology ran numerous test cases to ensure the process operated as expected and confirmed indexing was running optimally and consistently. The team made additional recommendations to help the client refine its data retention scope and controls to further support regulatory obligations.
Our Impact
Time-intensive and manual data subject request workflows were overhauled and automated, making it possible for the client to gather information from relevant people and complete requests within regulatory timelines. The new program also provided the client with a foundation to meet changing requirements as new privacy and data governance laws emerge.
Additional results included:
- Data subject request processing time reduced by approximately 50% and data source indexing reduced from six weeks to three days.
- Utilized software functionality to include identity verification for data subjects submitting requests.
- Connected hundreds of data sources to corresponding data owners in a centralized inventory.
- Identified redundancies and reduced the volume of data sources needed to fulfill data subject requests.
- Comprehensive documentation of the workflow lifecycle and reporting of metrics for companywide data subject request activity.