In a nutshell, a data subject access request – or DSAR for short – is when someone asks an organisation for a copy of all personal data it holds about them, and that organisation then provides it in a clear and structured way. In addition to the data itself, DSARs allow a data subject (like you or me) to find out things like what the organisation is doing with the data, who it’s sharing it with, how long it’s held on to for, where it came from, and so on. On the surface it sounds like it could be a simple task, but finding, collecting and providing this information can be an extremely time-consuming and resource-hungry exercise for businesses who aren’t prepared.
DSARs (also sometimes called just SARs) are first on the list of data subjects’ rights in the GDPR, and for a good reason. Being able to see the data that businesses hold about us and what they do with it is fundamental to the aims and objectives of the GDPR – although it’s not actually new to the GDPR. DSARs were a part of the old Data Protection Act (1998) too, only previously they came with a fee of £10 and a timeframe of 40 days. Under the GDPR, however, legitimate requests must be free and there’s a strict one-month deadline.
The ICO’s website clarifies this as follows: “You must comply with a SAR without undue delay and at the latest within one month of receiving the request. You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual, eg other types of requests relating to individuals' rights.”
Articles 12 and 15 of the GDPR are the primary ones dealing with DSARs, and between them they ensure a data subject can request and be given a copy of their data in a way that’s transparent, lawful, accessible and fair.
Bulletproof has helpful free resources for organisations looking to find out more about GDPR. Why not download our educational GDPR white paper, watch our insightful webinar featuring our Head of Compliance, or view our interesting infographics?
The nature of modern business operations and the data-driven economy means that the volumes of personal data organisations hold are large, and constantly growing. This makes finding, collecting, collating and providing the data needed for a DSAR a significant challenge that can take a considerable amount of resources. For SMEs in particular, this can mean everything comes to a grinding halt when a DSAR comes in.
Even businesses looking for help can struggle to find it. There’s surprisingly little training on the subject of actioning DSARs and, without accessible GDPR expertise, it can be hard for an organisation to fully understand the processes to follow. Even when companies do have a process to follow, it’s often entirely theoretical – there’s been no testing of the procedure and no relevant training. This makes for a chaotic mix.
Finding and collecting the data is only half the battle. It must be delivered to the data subject in an accessible, easy-to-understand format. This means that a simple data dump from your CMS won’t cut it, and there’s likely to be some additional (possibly manual) processing including the redaction of personal details of third parties where necessary.
Organisations facilitating DSARs must also be able to detect and respond appropriately to malicious requests. The data subject in question might have a grudge and may be aware that by requesting a DSAR they’re causing disruption to an organisation. Repetitive requests can be denied – “unfounded or excessive” is the GDPR wording – though you must build a case for why. This also highlights why it’s vitally important to keep a record of DSAR activity.
DSARs could come in any form: email, letter, phone, or social media. A request could even come as part of a phone call with a separate department, such as customer services. Businesses need to be prepared to record and respond to DSARs however they arise. In addition to the technical challenge this presents, staff need to be trained and prepared for the DSAR process.
“Getting prepared for a DSAR will pay dividends when it comes to actioning one. And as time goes on you’ll find that saving of time and resources is repeated as more DSARs come in.”
The first thing an organisation needs to do is to get processes and procedures in place that will make handling a DSAR a matter of routine. This could prove difficult without internal GDPR expertise, but there are great cost-effective services available to help, such as an outsourced Data Protection Officer (DPO). Secondly, make sure it’s not just a theoretical exercise. Test the process once or twice, and you’ll soon find ways to make it as efficient and streamlined as possible.
Part of the process-building exercise is getting to know your data. You need to know where your data is, what it holds, who you’ve shared it with, and how to access it. Most organisations that are GDPR compliant will have undergone a data mapping exercise and built a record of processing activities (ROPA). The ICO strongly recommends that all organisations hold ROPAs, as a ROPA provides valuable information about all of your processing of personal data and makes tracking that data straightforward.
Compliant organisations will also already have defined and implemented a retention schedule for their data, and will know where the data resides and how long it is kept for. Having a robust retention policy means holding the minimum amount of personal data for the minimum period required. This means less data to manage and sift through when satisfying a DSAR.
If you’re reading this and thinking “I’m not sure my business has data maps, ROPAs and retention schedules” then I’ve got bad news – it’s very likely that you’re not GDPR compliant. Facilitating a DSAR alone does not make you GDPR compliant.
Not all enquiries from data subjects are in fact DSARs. And knowing this can save you a lot of time and resources. A customer might just want some information about the data you hold on them without it being a DSAR.
Key to this is understanding that not everything the customer is asking for is automatically a DSAR, especially if it’s an internal request. Engaging with the person who initiated the request can help both parties: DSARs by their nature can contain a lot of information, which may be overkill for the enquirer’s requirements and might not actually answer the questions they have. By aiming to identify the purpose of the request and the scope of information they’re asking for, you can help both customer and company: the data subject gets the information they want in a clear and concise way, and the company spends less time and resources on the DSAR.
Staff training is of vital importance here – your employees need to know how to differentiate between general data enquiries and official DSARs – and if it is a DSAR, know what to do.
As we’ve discovered, businesses that are fully GDPR compliant will have a much easier time facilitating DSARs, as a good deal of the legwork (such as finding out the ‘what, when, where, why, who and how’ of data) will have been done already. For businesses that aren’t GDPR compliant, I recommend addressing that as a matter of priority. Internal GDPR expertise is often thin on the ground in many organisations, but that doesn’t mean that help isn’t available. Bulletproof’s outsourced DPO service and excellent GDPR training schemes are both great resources to help get your DSAR process embedded and tested with minimal cost.
Finally, my top tip for organisations receiving a DSAR is to stop and try to reach out to the person making the request. Try to understand the purpose of their request and their personal aims, to see if you can provide them with the information they want outside of the DSAR framework. After all, the best way to facilitate a complex DSAR is to make it not a DSAR in the first place.
Vera is a GDPR Consultant who has contributed insights into Data Subject Access Requests (DSARs) on the blog.