In a nutshell, a data subject access request – or DSAR for short – is when someone asks an organisation for a copy of all personal data it holds about them, and the organisation then provides it in a clear and structured way. In addition to the data itself, DSARs allow a data subject (like you or me) to find out things like what the organisation is doing with the data, who it’s sharing it with, how long it’s held on to for, where it got it from, and so on. On the surface it sounds like it could be a simple task, but finding, collecting and providing this information can be an extremely time-consuming and resource-hungry exercise for businesses who aren’t prepared.
DSARs (also sometimes called just SARs) are first on the list of data subjects’ rights in the GDPR, and for good reason. Being able to see the data that businesses hold about us, and what they do with that data, is fundamental to the aims and objectives of the GDPR – although the right itself is not new to the GDPR. DSARs were part of the old Data Protection Act (1998) too, only previously they came with a fee of £10 and a timeframe of 40 days. Under the GDPR, however, legitimate requests must be free and there’s a strict one-month deadline.
The ICO’s website clarifies this as follows: “You must comply with a SAR without undue delay and at the latest within one month of receiving the request. You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual, eg other types of requests relating to individuals' rights.”
Articles 12 and 15 of the GDPR are the primary ones dealing with DSARs, and between them they ensure a data subject can request and be given a copy of their data in a way that’s transparent, lawful, accessible and fair.
The nature of modern business operations and the data-driven economy mean that volumes of personal data organisations hold are large, and constantly growing. This makes finding, collecting, collating and providing the data needed for a DSAR a significant challenge that can take a considerable amount of resources. For SMEs in particular, this can mean everything comes to a grinding halt when a DSAR comes in.
Even businesses looking for help can struggle to find it. There’s surprisingly little training on the subject of actioning DSARs and, without accessible GDPR expertise, it can be hard for an organisation to fully understand the processes to follow. Even when companies do have a process to follow, it’s often entirely theoretical – there’s been no testing of the procedure and no relevant training. This makes for a chaotic mix.
Finding and collecting the data is only half the battle. It must be delivered to the data subject in an accessible, easy-to-understand format. This means that a simple data dump from your CMS won’t cut it, and there’s likely to be some additional (possibly manual) processing including the redaction of personal details of third parties where necessary.
Organisations facilitating DSARs must also be able to detect and respond appropriately to malicious requests. The data subject in question might have a grudge and may be aware that by submitting a DSAR they’re causing disruption to an organisation. Repetitive requests can be denied – “unfounded or excessive” is the GDPR wording – though you must build a case for why. This also highlights why it’s vitally important to keep a record of DSAR activity.
DSARs could come in any form: email, letter, phone, or social media. One could even come as part of a phone call with a separate department, such as customer services. Businesses need to be prepared to record and respond to DSARs however they arise. In addition to the technical challenge this presents, staff need to be trained and prepared for the DSAR process.
“Getting prepared for a DSAR will pay dividends when it comes to actioning one. And as time goes on you’ll find that saving of time and resources is repeated as more DSARs come in.”
The first thing an organisation needs to do is to get processes and procedures in place that will make handling a DSAR a matter of routine. This could prove difficult without internal GDPR expertise, but there are great cost-effective services available to help, such as outsourced Data Protection Officer (DPO). Secondly, make sure it’s not just a theoretical exercise. Test the process once or twice, and you’ll soon find the ways to make it as efficient and streamlined as possible.
Part of the process-building exercise is getting to know your data. You need to know where your data is, what it holds, who you’ve shared it with, and how to access it. Most organisations that are GDPR compliant will have undergone a data mapping exercise and have built a record of processing activities (ROPA). The ICO strongly recommends that all organisations hold ROPAs, as a ROPA provides valuable information around all of your processing of personal data that will make tracking that data straightforward.
Compliant organisations will already have defined and implemented a retention schedule for their data, and will know where the data resides and how long it is kept for. Having a robust retention policy means holding the minimum amount of personal data for the minimum period required. This means less data to manage and sift through when satisfying a DSAR.
If you’re reading this and thinking “I’m not sure my business has data maps, ROPAs and retention schedules” then I’ve got bad news – it’s very likely that you’re not GDPR compliant. Facilitating a DSAR alone does not make you GDPR compliant.
Not all enquiries from data subjects are in fact DSARs. And knowing this can save you a lot of time and resources. A customer might just want some information about the data you hold on them without it being a DSAR.
Key to this is understanding that not everything the customer is asking for is automatically a DSAR, especially if it’s an internal request. Engaging with the person who initiated the request can help both parties: DSARs by their nature can contain a lot of information, which may be overkill for the enquirer’s requirements and might not actually answer the questions they have. By aiming to identify the purpose of the request and the scope of information they’re asking for, you can help both customer and company: the data subject gets the information they want in a clear and concise way, and the company spends less time and resources on the DSAR.
Staff training is of vital importance here – your employees need to know how to differentiate between general data enquiries and official DSARs – and if it is a DSAR, know what to do.
As we’ve discovered, businesses that are fully GDPR compliant will have a much easier time facilitating DSARs, as a good deal of the legwork (such as finding out the ‘what, when, where, why, who and how’ of data) will have been done already. For businesses that aren’t GDPR compliant, I recommend addressing that as a matter of priority. Internal GDPR expertise is often thin on the ground in many organisations, but that doesn’t mean that help isn’t available. Bulletproof’s outsourced DPO service and excellent GDPR training schemes are both great resources to help get your DSAR process embedded and tested with minimal cost.
Finally, my top tip for organisations receiving a DSAR is to stop and try to reach out to the person making the request. Try to understand the purpose of their request and their personal aims, to see if you can provide them with the information they want outside of the DSAR framework. After all, the best way to facilitate a complex DSAR is to make it not a DSAR in the first place.
Vera is a GDPR Consultant who has contributed insights into Data Subject Access Requests (DSARs) on the blog.