This is not a new concept, but the GDPR introduced several changes that make responding to them more challenging.
Organisations now have less time to respond and can only charge a fee to complete a request under certain circumstances.
Let’s take a look at everything you need to know about DSARs, including how to respond to them in line with the GDPR’s requirements.
What are data subject access requests?
DSARs are the result of the GDPR’s right of access – one of eight data subject rights enshrined in the Regulation.
Essentially, requests grant individuals a copy of any information that the organisation holds pertaining to them.
Organisations must also confirm that their personal data is being processed (so they can’t simply ignore the request if it’s not relevant) and supply other supplementary information, such as the details provided in the organisation’s privacy notice.
What information is an individual entitled to?
Organisations must provide a full list of the personal data it stores on the individual. This isn’t simply a case of pulling up everything you store on that person, because you might have information about that person that isn’t considered personal data – such as internal memos about their files – which don’t need to be shared.
Your first task, therefore, is to determine what information related to the individual is considered personal data under the definition of the GDPR.
Next, you need to make sure the information is provided in a concise, transparent and intelligence form. The way you store data might make sense in the wider context of your practices, but it might not make sense on its own, in which case individuals might be confused about what exactly they’re looking at or why your organisation needs it.
The UK’s data protection regulator, the ICO (Information Commissioner’s Office) provides the example of an organisation that keeps its data in coded form, with individuals’ attendance at a training session logged as ‘A’ while non-attendance at a similar event logged as ‘M’.
“Without access to your key or index to explain this information, it would be impossible for anyone outside your organisation to understand,” the ICO writes.
“In this case, you are required to explain the meaning of the coded information. However, although it is good practice to do so, you are not required to decipher poorly written notes, as the GDPR does not require you to make information legible.”
What’s changed under the GDPR?
Data subject access requests existed before to the GDPR took effect, where they were known simply as ‘subject access requests’. However, the Regulation introduced three key changes to the DSAR procedure.
1) You can’t charge a fee to comply
In most cases, DSARs must be fulfilled free of charge.
You can charge a “reasonable fee” to cover administrative costs if the request is clearly unfounded or excessive, or an individual requests further copies of their data following a request.
2) You have less time to respond
Subject access requests must be fulfilled “without undue delay”, and at the latest within one month of receipt.
3) Requests can be made in any form
DSARs can now be made electronically as well as physically, including through email, phone call or web contact forms.
The process for handling a DSAR
Like many aspects of the GDPR, access requests have a formal name that organisations must be aware of for compliance purposes, but that doesn’t mean individuals need to know the terminology.
There’s no specific process for making a request, so someone could simply say “I’d like to see what data you have on me” and that would be considered a legitimate request.
As such, it’s important that anyone in your organisation who may receive such a request knows what to look out for and who to pass the message on to.
In many organisations, the DPO (data protection officer) will responsible for handling DSARs. However, if you aren’t required to appoint one, you’ll need to find an alternative approach.
Since time is of the essence when responding to a DSAR, it’s a good idea to ensure you have an established DSAR process beforehand, so that you can deal with such requests quickly.
- Verify the identity
One of the first steps is to verify the identity of the requester so that you can determine whether you have all the information you need to fulfil the request.
- Clarify what the request is
Following that, find out a bit more about the request itself. Is it simply a request for access, or are they invoking other rights, such as rectification of the personal data being held?
- Is the request valid?
Establish whether the request is valid and if it can be completed within the one month period. If not, you can take further steps to request an extension (read more in our downloadable guide).
- Inspect the data
Once you start collecting the data, check whether the data needs to be amended and if you need to protect the personal information of any other data subjects.
- Choose the format
Once you’ve collected all the data, determine the most appropriate format in which to provide the information.
- Add extra information
Lastly, before sending the information, ensure the data subjects know their rights, including the right to lodge a complaint.
How to ensure data subject access request success
There are many steps you can take to help your organisation manage DSARs. Your first task is to create a flowchart to make sure you respond promptly, thoroughly and in line with the GDPR’s requirements.
There are also ways you can make your organisation more resilient to the challenges that come with responding to DSARs. For example, you should implement measures addressing:
- Staff training
Data subjects can theoretically submit a DSAR whenever they’re communicating with a member of your staff. You must therefore make sure that all relevant employees can recognise a request and know how to respond.
- DSAR responsibilities
You should appoint someone or a team of people to take responsibility for responding to DSARs. This might be your DPO or it could be another employee who is familiar with the GDPR’s compliance requirements.
If only one person takes on this task, you must make sure other employees know how to complete a request, so they can fill in during holidays or other absences.
- Expert advice
Unless you were able to appoint an experienced DPO to oversee access requests, there’s a good chance that the person overseeing your response process is relatively new to the task.
In most cases that won’t be a problem, because once you into the swing of things, it’s a relatively routine operation. However, there will be some challenging requests that require guidance, such as through one-off consultancy services.
Infographic: data subject access request flowchart
Are you following the correct steps when responding to a data subject access request? We’ve compiled an infographic on how to deal with a DSARS.
Free download: DSAR guide
To respond efficiently to DSARs, it is essential to have a proper procedure in place that everyone in the organisation can follow.
Our free guide provides a process for responding to DSARs that you can adapt to meet your needs and comply with the law.
- The key changes for organisations responding to DSARs under the GDPR.
- Who is responsible for handling DSARs.
- What data needs to be provided and exceptions to consider.
- A process for responding to DSARs that you can adapt to meet your needs and comply with the law.
A version of this blog was originally published on 14 August 2019.