The EU GDPR (General Data Protection Regulation) grants data subjects the right to access their personal data. This is known as a DSAR (data subject access request).
Subject access requests are not new, but the GDPR introduced several changes that make responding to them more challenging.
Organisations now have less time to respond, and may no longer charge a fee (except in certain circumstances).
In this post, we explain what a DSAR is, and how to manage them in line with the GDPR’s requirements.
What is the right of access?
The right of access, commonly referred to as subject access, grants data subjects the right to obtain a copy of their personal data.
Recital 63 of the GDPR states that:
… a data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.
This means individuals can contact your organisation and request:
- Confirmation that their data is being processed;
- Access to their personal data; and
- Other supplementary information (mostly the information provided in the organisation’s privacy notice).
Although these requests are known as DSARs, it is important to know that individuals don’t need to use that terminology to exercise their right.
The GDPR does not specify how to make a valid request, so instead an individual can simply say: “I would like to see what data you hold on me”.
What’s changed under the GDPR?
The GDPR introduced several key changes to the DSAR procedure.
1) You can’t charge a fee to comply
In most cases, DSARs must be fulfilled free of charge.
You can charge a “reasonable fee” to cover administrative costs if the request is clearly unfounded or excessive, or an individual requests further copies of their data following a request.
2) You have less time to respond
Subject access requests must be fulfilled “without undue delay”, and at the latest within one month of receipt .
3) Requests can be made in any form
DSARs can now be made electronically as well as physically, including through email, phone call or web contact forms.
Infographic: Data Subject Access Request Flowchart
Are you following the correct steps when responding to a data subject access request? We’ve compiled an infographic on how to deal with a DSARS.
Free download: DSAR guide
To respond efficiently to DSARs, it is essential to have a proper procedure in place that everyone in the organisation can follow.
Our free guide provides a process for responding to DSARs that you can adapt to meet your needs and comply with the law.
- The key changes for organisations responding to DSARs under the GDPR.
- Who is responsible for handling DSARs.
- What data needs to be provided and exceptions to consider.
- A process for responding to DSARs that you can adapt to meet your needs and comply with the law.