Subject access requests are not new, but the GDPR introduced several changes that make responding to them more challenging.
Organisations now have less time to respond, and may no longer charge a fee (except in certain circumstances).
In this post, we explain what a DSAR is, and how to manage them in line with the GDPR’s requirements.
What is the right of access?
The right of access, commonly referred to as subject access, grants data subjects the right to obtain a copy of their personal data.
Recital 63 of the GDPR states that:
… a data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.
This means individuals can contact your organisation and request:
- Confirmation that their data is being processed;
- Access to their personal data; and
- Other supplementary information (mostly the information provided in the organisation’s privacy notice).
Although these requests are known as DSARs, it is important to know that individuals don’t need to use that terminology to exercise their right.
The GDPR does not specify how to make a valid request, so instead an individual can simply say: “I would like to see what data you hold on me”.
What’s changed under the GDPR?
The GDPR introduced several key changes to the DSAR procedure.
1) You can’t charge a fee to comply
In most cases, DSARs must be fulfilled free of charge.
You can charge a “reasonable fee” to cover administrative costs if the request is clearly unfounded or excessive, or an individual requests further copies of their data following a request.
2) You have less time to respond
Subject access requests must be fulfilled “without undue delay”, and at the latest within one month of receipt.
3) Requests can be made in any form
DSARs can now be made electronically as well as physically, including by email, phone call or web contact form.
The process for handling a DSAR (data subject access request)
If you’ve appointed a data protection officer (DPO), they should be skilled in dealing with all subject access requests and be able to respond in the appropriate manner. But not all organisations need to appoint a DPO under the GDPR/DPA 2018, and not all DPOs have the skills to handle DSARs. As a result, many businesses may be woefully unprepared when responding to such requests. This lack of process could result in unnecessary delays, which could lead to ICO enforcement action.
Since time is of the essence when responding to a DSAR, it’s a good idea to ensure you have an established DSAR process beforehand, so that you can deal with such requests quickly.
- Verify the identity
One of the first steps is to verify the identity of the requester, so that you can determine whether you have all the information you need to fulfil the request.
- Clarify what the request is
Following that, find out a bit more about the request itself. Is it simply a request for access, or are they invoking other rights, such as rectification of the personal data being held?
- Is the request valid?
Establish whether the request is valid and if it can be completed within the one month period. If not, you can take further steps to request an extension (read more in our downloadable guide).
- Inspect the data
Once you start collecting the data, check whether any of it needs to be amended and whether you need to protect the personal data of any other data subjects.
- Choose the format
Once you’ve collected all the data, determine the most appropriate format in which to provide the information.
- Add extra information
Lastly, before sending the information, ensure the data subjects know their rights, including the right to lodge a complaint.
Infographic: Data Subject Access Request Flowchart
Are you following the correct steps when responding to a data subject access request? We’ve compiled an infographic on how to deal with a DSAR.
Free download: DSAR guide
To respond efficiently to DSARs, it is essential to have a proper procedure in place that everyone in the organisation can follow.
Our free guide covers:
- The key changes for organisations responding to DSARs under the GDPR.
- Who is responsible for handling DSARs.
- What data needs to be provided and exceptions to consider.
- A process for responding to DSARs that you can adapt to meet your needs and comply with the law.
This blog has been updated to reflect industry updates.