The brilliant, dreaded Subject Access Request and how to get control of your unstructured data
Harry Stockbridge, Cyber Security Specialist at O2 Business, discusses our partnership with Ohalo, and how it can help with data management.
Quite rightly, as individuals we all have the right to ask an organisation what personal information they hold on us, how they’re using it and where they got it from. Under the Data Protection Act 2018 (GDPR), organisations have one working month to return the information. Invoking your right to erasure may follow. At a time when privacy concerns are high in the public consciousness, this simple request helps empower us to take control of our personal data. Brilliant, right?
Well, if you’re responsible for fulfilling Subject Access Requests within an enterprise organisation, you may be a little less enthusiastic than me. The seemingly simple Subject Access Request often highlights a broad issue in large organisations affecting security, privacy and legal teams, and that is simply finding out where your data is.
Finding Data Subjects’ data across the multitude of data sources in an enterprise organisation is a challenge. I regularly talk to organisations where, today, most of the data discovery work in Subject Access Request matters is still manual. The result is that some companies are spending thousands of pounds and untold weeks on gathering data about the relevant Data Subject.
As you’d expect, when we receive our data request back, the personal data of others should be redacted. But poorly managed data subject access and deletion requests can result in the inadvertent leakage of personal data, which is often the first step towards regulatory complaints.
It’s not just Subject Access Requests
If those dealing with access requests are facing data discovery and governance challenges, you can bet others in the organisation are facing them too:
- What about the contracts team that has thousands of contracts lying about on their old network drives and wants to search for all contracts that contain a particular counterparty or clause?
- What about the legal and data science teams that need to redact thousands of documents at scale for desensitisation before exporting them to third parties?
- What about the data governance teams that need to analyse petabytes of file contents to determine whether to delete that data or migrate it to cold storage?
So, what can be done?
At O2 Business, we are pleased to announce that we have partnered with Ohalo to help our enterprise customers achieve order out of data chaos.
Ohalo builds tools that help security and legal staff gain granular insight into how data is managed within their organisations. Ohalo’s Data X-Ray is a machine learning data classification, discovery, and entity scanning tool that identifies personal and sensitive data throughout enterprise organisations, so that they know exactly where the data that they hold is stored, how it is accessed, and where a particular data subject’s data sits.
Importantly, the Data X-Ray also performs auto-redaction of sensitive data, at scale. After discovering where data is held, a human can read and remove ten words per second, whereas Ohalo’s Data X-Ray can achieve 100,000 words per second. The once-dreaded data governance tasks that took weeks or months now take minutes or hours.
Ohalo joined Wayra (part of the Telefónica family) through the NCSC Cyber Accelerator. The Accelerator supports the growth of start-up cyber companies who aim to bring new ‘better, faster and cheaper’ security products to market. Ohalo’s data intelligence capability is seen as a valuable addition to O2 Business’ wider cyber security capabilities.