How to manage data subject access requests (DSARs)

Written by Vera Ishani, GDPR Consultant

23/04/2021

What is a data subject access request?

In a nutshell, a data subject access request – or DSAR for short – is a request from an individual for a copy of the personal data an organisation holds about them, which the organisation must then provide in a clear and structured way. In addition to the data itself, a DSAR entitles a data subject (like you or me) to find out what the organisation is doing with the data, who it’s sharing it with, how long it’s retained, where it came from, and so on. On the surface it sounds like a simple task, but finding, collecting and providing this information can be an extremely time-consuming and resource-hungry exercise for businesses that aren’t prepared.

DSARs (also sometimes just called SARs) are among the first of the data subjects’ rights set out in the GDPR, and for good reason. Being able to see the data that businesses hold about us, and what they do with it, is fundamental to the aims and objectives of the GDPR – although the right itself is not new to the GDPR. DSARs were part of the old Data Protection Act 1998 too, only then the organisation could charge a fee of up to £10 and had 40 days to respond. Under the GDPR, a copy of the data must normally be provided free of charge and there’s a one-month deadline, extendable only in the circumstances described below.

The ICO’s website clarifies this as follows: “You must comply with a SAR without undue delay and at the latest within one month of receiving the request. You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual, eg other types of requests relating to individuals' rights.”

Articles 12 and 15 of the GDPR are the primary ones dealing with DSARs. Article 15 sets out the right of access itself: a copy of the personal data plus the supplementary information about purposes, recipients, retention period and source. Article 12 sets out how the organisation must respond: transparently, in an accessible form, without undue delay and, as a rule, free of charge.


Business challenges from DSARs


High volumes of data

The nature of modern business operations and the data-driven economy mean that the volumes of personal data organisations hold are large and constantly growing. This makes finding, collecting, collating and providing the data needed for a DSAR a significant challenge that can consume a considerable amount of resources. For SMEs in particular, this can mean everything comes to a grinding halt when a DSAR comes in.


No process or training

Even businesses looking for help can struggle to find it. There’s surprisingly little training on the subject of actioning DSARs and, without accessible GDPR expertise, it can be hard for an organisation to fully understand the processes to follow. Even when companies do have a process, it’s often entirely theoretical: the procedure has never been tested and no relevant training has been given. This makes for a chaotic mix.


Extra work to provide it in an easy-to-understand format

Finding and collecting the data is only half the battle. It must be delivered to the data subject in an accessible, easy-to-understand format. This means that a raw export from your systems won’t cut it, and there’s likely to be some additional (possibly manual) processing, including the redaction of personal details of third parties where necessary, since Article 15(4) of the GDPR says that providing a copy must not adversely affect the rights and freedoms of others.


No ability to detect malicious requests

Organisations handling DSARs must also be able to recognise and respond appropriately to requests made in bad faith. The data subject in question might have a grudge and be well aware that submitting a DSAR causes disruption. Repetitive requests can be refused (or a reasonable fee charged) – “manifestly unfounded or excessive” is the GDPR wording in Article 12(5) – but the burden of demonstrating that is on the organisation, so you must build a case for why. This also highlights why it’s vitally important to keep a record of DSAR activity: when each request was received, what was asked for and what was provided.


What can business do to prepare for DSARs?

DSARs can come in any form: email, letter, phone or social media. A request doesn’t have to mention the GDPR or use the word “DSAR” to be valid, and it could even arrive as part of a phone call with a separate department, such as customer services. Businesses need to be prepared to recognise, record and respond to DSARs however they arise. In addition to the technical challenge this presents, staff need to be trained and prepared for the DSAR process.

Vera Says:

“Getting prepared for a DSAR will pay dividends when it comes to actioning one. And as time goes on you’ll find that saving of time and resources is repeated as more DSARs come in.”


Process, procedure, and practice

The first thing an organisation needs to do is to put processes and procedures in place that make handling a DSAR a matter of routine. This can prove difficult without internal GDPR expertise, but there are cost-effective services available to help, such as an outsourced Data Protection Officer (DPO) service. Secondly, make sure it’s not just a theoretical exercise. Run through the process once or twice with a test request, and you’ll soon find the ways to make it as efficient and streamlined as possible.


Get to know your data

Part of the process-building exercise is getting to know your data. You need to know where your data is, what it holds, who you’ve shared it with, and how to access it. Most organisations that are GDPR compliant will have undergone a data mapping exercise and built a record of processing activities (ROPA). The ICO strongly recommends that all organisations hold a ROPA, because it captures the purposes, categories, recipients and retention periods for all of your processing of personal data, which makes tracking that data for a DSAR straightforward.

If your organisation is compliant, you will already have defined and implemented a retention schedule for your data, and you’ll know where the data resides and how long you keep it for. Having a robust retention policy means holding the minimum amount of personal data for the minimum period required. That means less data to manage and sift through when satisfying a DSAR, and nothing to disclose that should have been deleted long ago.

If you’re reading this and thinking “I’m not sure my business has data maps, ROPAs and retention schedules” then I’ve got bad news – it’s very likely that you’re not GDPR compliant. Facilitating a DSAR alone does not make you GDPR compliant.


Is it actually a DSAR?

Not all enquiries from data subjects are in fact DSARs, and knowing this can save you a lot of time and resources. A customer might just want a specific piece of information about the data you hold on them without it being a DSAR.

Key to this is understanding that not everything the customer is asking for is automatically a DSAR, especially when the request is passed to you internally by a colleague. Engaging with the person who initiated the request can help both parties: DSARs by their nature can return a lot of information, which may be overkill for the enquirer’s requirements and might not actually answer the questions they have. By identifying the purpose of the request and the scope of information they’re asking for, you can help both customer and company: the data subject gets the information they want in a clear and concise way, and the company spends less time and resources on the DSAR.

Staff training is of vital importance here – your employees need to know how to differentiate between general data enquiries and official DSARs – and if it is a DSAR, know what to do.


Making DSARs manageable

As we’ve discovered, businesses that are fully GDPR compliant will have a much easier time facilitating DSARs, as a good deal of the legwork (such as finding out the ‘what, when, where, why, who and how’ of data) will have been done already. For businesses that aren’t GDPR compliant, I recommend addressing that as a matter of priority. Internal GDPR expertise is often thin on the ground, but that doesn’t mean that help isn’t available. Bulletproof’s outsourced DPO service and GDPR training schemes are both resources that can help get your DSAR process embedded and tested with minimal cost.

Finally, my top tip for organisations receiving a DSAR is to stop and reach out to the person making the request. Try to understand the purpose of their request and their personal aims, to see if you can provide them with the information they want outside of the DSAR framework. Bear in mind that the individual is under no obligation to narrow their request: until they agree otherwise, it remains a valid DSAR and the one-month clock keeps running, so log the request on receipt and don’t treat the conversation as a reason to delay. After all, the best way to facilitate a complex DSAR is to make it not a DSAR in the first place.

