The GDPR (General Data Protection Regulation) has strengthened individuals’ rights to see what information organisations store on them. Requests for this information are called DSARs (data subject access requests) – or sometimes simply SARs (subject access requests) – and they can occur at any time.
Data subjects don’t need to go through a formal process to submit a DSAR. They can simply say, for example, ‘I’d like to see what data you’re keeping on me’.
As such, everyone in your organisation who communicates with data subjects needs to be aware of the rules and your process for responding. If they aren’t, your organisation is exposed to the GDPR’s upper tier of penalties. That means the potential for fines of up to €20 million (about £18 million) or 4% of the organisation’s annual global turnover.
But what should your DSAR response process look like? Here’s our seven-step guide:
1. Verify the data subject’s identity
Requests can only come from the data subject or an authorised parent, guardian or representative. Organisations are therefore permitted to ask for further information from the person submitting the request to ensure they are who they claim to be.
This might involve requesting proof of ID or asking what their relationship is with your organisation. For DSARs made on behalf of minors, you are permitted to ask for proof of the requester’s relationship to the child.
2. Confirm the type of request
Submitting a DSAR is sometimes an initial step before invoking other rights, like the right to be forgotten, the right to rectification, the right to object and the right to restrict processing.
Data subjects often want to know the extent of the organisation’s processing before deciding whether to take further action. Other times, they are already aware of processing activities that they are unhappy with and immediately request remediation.
You must make sure you understand what the individual is asking for when they submit a request. If it isn’t already clear, you should confirm the request with the data subject.
3. Send the request to the relevant person
You should now hand the request over to the person or department with access to the necessary information. You might have someone, or a team of people, who take responsibility for handling DSARs. Alternatively, you might need to contact the owner of the asset (most likely a database) in which the information is stored.
Their first task will be to decide whether they can comply with the request within the one-month window permitted by the GDPR. This should be possible in most cases, but you might find that the request is complex – in which case you have the option of extending the deadline to three months. However, you are still required to contact the data subject within the initial deadline to inform them of the delay.
The GDPR provides little guidance on what constitutes ‘complex’, but it’s generally regarded as a request in which you are required to cross-reference information.
For example, in many instances, you can simply bring up someone’s file and export the information. However, if you hold data in multiple formats that aren’t easily searchable, you’ll be required to go through them all separately. That’s complex.
This will be the case for data that’s walled off for security purposes. You should have a system in place where only privileged employees can access, say, medical records or payroll details, in which case you need to contact an appropriate member of staff to gather this data.
Likewise, gathering information that doesn’t align with specific data records (like CCTV footage and unstructured email data) is considered complex, because you either need more detail or for someone to search manually.
The person tasked with completing the access request might also determine that it’s manifestly unfounded, excessive or repetitive, in which case they can charge “a reasonable fee”.
There’s no guidance on what constitutes a manifestly unfounded or excessive request, and given that the burden of proof is on the organisation, you should be reluctant to make these claims.
Things aren’t much clearer when it comes to what’s considered repetitive, but you can generally intuit this based on how often you collect personal data. If you’re continuously collecting data, the window for what’s considered repetitive might be as short as a few weeks.
By contrast, if you’ve collected only a handful of pieces of personal data – like a name and email address – and have stated no other reason to process data subjects’ information, then multiple DSARs within a year might count as repetitive.
4. Gather the necessary information
Now you’re ready to do the actual data gathering.
Depending on the way you process information, this might be held in a single file or spread out in several places. Either way, you should keep a master record somewhere that identifies where you can find data subjects’ personal data.
But it’s not only the data records themselves that you need to provide. Individuals also have the right to information about the data processing, such as:
- The lawful basis for collecting the data;
- Who that data has been shared with; and
- How the organisation obtained the data (if it wasn’t provided by the data subject).
5. Package the data
Data subjects can specify how they’d like to receive the information, which might be in hard copy or digital form.
You might therefore be required to convert the data from one format to the other.
6. Add extra information
Your response to the DSAR must explain to data subjects their other data subject rights and how to exercise them.
Likewise, you must also explain that the data subject has the right to lodge a complaint with the ICO (Information Commissioner’s Office).
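To show how steps 3 to 6 fit together in practice, here is an added Python example of a small DSAR workflow helper. It is not code from the original article or from any product the article mentions. It assumes a master record of data stores (the “data map” of step 4) held as a list of `DataStore` objects; every store name, owner address, record and lawful basis below is constructed for illustration, and the one-month and three-month deadlines are computed as calendar months with the day clamped to the end of a shorter month. Restricted stores (medical, payroll) are never read unless the caller is privileged; they are recorded as pending with the owner to contact, and a request touching several sources or an unstructured store is flagged as complex so the extension notice can be sent before the initial deadline.

```python
from dataclasses import dataclass, field
from datetime import date
import calendar

# Constructed DSAR workflow helper; store names, owners and records below
# are invented for illustration and are not from any real system.

def add_months(d: date, months: int) -> date:
    """Same calendar day `months` later, clamped to the end of the month
    (31 Jan + 1 month gives 29 Feb in a leap year)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def response_deadlines(received: date) -> dict:
    """Step 3: the one-month deadline, the three-month deadline available for
    complex requests, and the date by which an extension notice must reach
    the data subject (the initial deadline)."""
    initial = add_months(received, 1)
    return {"initial": initial, "extended": add_months(received, 3),
            "extension_notice_by": initial}

def is_repetitive(previous: list, new: date, window_days: int) -> bool:
    """Step 3: the new request falls within `window_days` of an earlier one.
    The window is a local policy choice tied to how often new data is collected."""
    return any(0 <= (new - d).days < window_days for d in previous)

@dataclass
class DataStore:
    """One entry in the master record of where personal data is held."""
    name: str
    owner: str                 # who to contact for walled-off data
    lawful_basis: str
    shared_with: list
    obtained_from: str         # "data subject" or the third-party source
    restricted: bool = False   # walled off for security (medical, payroll)
    searchable: bool = True    # False for CCTV, unstructured mail archives
    records: dict = field(default_factory=dict)   # subject_id -> list of records

OTHER_RIGHTS = ["rectification", "erasure (right to be forgotten)",
                "objection", "restriction of processing"]
COMPLAINT_NOTICE = ("You have the right to lodge a complaint with the "
                    "Information Commissioner's Office (ICO).")

def compile_response(subject_id: str, stores: list, privileged: bool = False) -> dict:
    """Steps 4 and 6: gather the subject's records from every store in the data
    map, attach the processing information they are entitled to, and flag the
    request as complex when several sources or a manual search are involved.
    Restricted stores are not read unless the caller is privileged; instead
    they are listed as pending with the owner to contact."""
    package = {"subject_id": subject_id, "data": {}, "pending": [],
               "processing_information": [], "complex": False}
    for store in stores:
        if store.restricted and not privileged:
            package["pending"].append({"store": store.name, "contact": store.owner})
            continue
        found = list(store.records.get(subject_id, []))
        if not found:
            continue
        package["data"][store.name] = found
        info = {"store": store.name, "lawful_basis": store.lawful_basis,
                "shared_with": list(store.shared_with)}
        if store.obtained_from != "data subject":
            info["obtained_from"] = store.obtained_from  # only when not from the subject
        package["processing_information"].append(info)
        if not store.searchable:
            package["complex"] = True  # someone has to search manually
    # Simplified heuristic: cross-referencing more than one source is complex.
    if len(package["data"]) + len(package["pending"]) > 1:
        package["complex"] = True
    package["other_rights"] = list(OTHER_RIGHTS)
    package["complaint_notice"] = COMPLAINT_NOTICE
    return package

# Constructed data map: two ordinary stores, one walled-off store and one
# unstructured store. Subject IDs and records are invented.
STORES = [
    DataStore("crm", "crm-owner@example.invalid", "contract",
              ["payment processor"], "data subject",
              records={"S-1001": [{"name": "A. Example", "email": "a@example.invalid"}],
                       "S-2002": [{"name": "B. Example"}]}),
    DataStore("marketing_list", "mkt-owner@example.invalid", "legitimate interests",
              ["mailing provider"], "list broker (constructed)",
              records={"S-1001": [{"segment": "newsletter"}]}),
    DataStore("payroll", "hr-owner@example.invalid", "legal obligation",
              ["tax authority"], "data subject", restricted=True,
              records={"S-1001": [{"salary_band": "B"}]}),
    DataStore("cctv", "facilities@example.invalid", "legitimate interests",
              [], "data subject", searchable=False),
]

if __name__ == "__main__":
    print(response_deadlines(date(2024, 1, 31)))
    print(compile_response("S-1001", STORES))
```

Running the module prints the deadlines for a request received on 31 January 2024 (initial deadline 29 February, extended deadline 30 April) and the package for subject `S-1001`, which holds CRM and marketing records, lists payroll as pending for the HR owner, and is flagged complex. The `obtained_from` field appears only for the marketing list, because that data did not come from the data subject, which mirrors the information step 4 says must accompany the records.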
7. Send the package to the data subject
You can now send the package to the data subject for them to review. You should do this in the form specified by the data subject, ensuring that the method you use is subject to adequate security measures. Remember, if the information is lost or stolen on the way to the data subject, it’s considered a data breach.
For online requests, you should establish a secure online system or email an encrypted version of the files.
If you’re providing hard copies of the data, you should send it by registered post. That way, you have proof that the package arrived and was signed for.
Avoid fines and the stress of DSAR uncertainty
You can find out more about this topic by reading A Concise Guide to Data Subject Access Requests.
This free guide helps you understand how DSARs fit into your organisation, explaining who should be responsible for fulfilling them, how they relate to the GDPR and the consequences of ignoring your obligations.
It also includes a visual guide to the DSAR response process to help you remember each step you must complete.