How to manage data subject access requests (DSARS)
What is a data subject access request?
In a nutshell, a data subject access request – or DSAR for short – is when someone asks an organisation for a copy of all personal data they hold about them, and then that organisation provides it in a clear and structured way. In addition to the data itself, DSARs allow a data subject (like you or me) to find out things like what the organisation is doing with the data, who they’re sharing it with, how long its held on to for, where they got it from, and so on. On the surface it sounds like it could be a simple task, but finding, collecting and providing this information can be an extremely time-consuming and resource-hungry exercise for busines\ses who aren’t prepared.
DSARs (also sometimes called just SARs) are first on the list of data subjects’ rights in the GDPR, and for a good reason. Being able to see the data that businesses hold about us and what they do with the data, is fundamental to the aims and objectives of the GDPR – although it’s not actually new to the GDPR. DSARs were a part of the old Data Protection Act (1998) too, only previously it came with a fee of £10 and timeframe of 40 days. Under the GDPR however, legitimate requests must be free and there’s a strict one month deadline.
The ICO’s website clarifies this as follows: “You must comply with a SAR without undue delay and at the latest within one month of receiving the request. You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual, eg other types of requests relating to individuals' rights.”
Articles 12 and 15 of the GDPR are the primary ones dealing with DSARs, and between them they ensure a data subject can request and be given a copy of their data in a way that’s transparent, lawful, accessible and fair.
Business challenges from DSARs
Organisations facilitating DSARs must also be able to detect and respond appropriately to malicious requests. The data subject in question might have a grudge and may be aware that by requesting a DSAR they’re causing disruption to an organisation. Repetitive requests can be denied – “unfounded or excessive” is the GDPR wording – though you must build a case for why. This also highlights why it’s vitally important to keep a record of DSAR activity.
What can business do to prepare for DSARs?
DSARs could come in any form: email, letter, phone, or social media . It could even come as part of a phone call with a separate department, such as customer services. Businesses need to be prepared to record and respond to DSAR requests however they arise. In addition to the technical challenge this presents, staff need to be trained and prepared for the DSAR process.
“Getting prepared for a DSAR will pay dividends when it comes to actioning one. And as time goes on you’ll find that saving of time and resources is repeated as more DSARs come in.”
Part of the process-building exercise is getting to know your data. You need to know where your data is, what it holds, who you’ve shared it with, and how to access it. Most organisation who are GDPR compliant will have undergone a data mapping exercise and have built a record of processing activities (ROPA). The ICO strongly recommends all organisations hold ROPAs, as a ROPA provides valuable information around all of your processing of personal data that will make tracking that data straightforward.
Compliant organisations will already have defined, implemented a retention schedule for your data, and you’ll know where the data resides and how long you keep it for. Having a robust retention policy means holding the minimum amount of personal data for the minimum period required. This means less data to manage and sift through when satisfying a DSAR.
Not all enquiries from data subjects are in fact DSARs. And knowing this can save you a lot of time and resources. A customer might just want some information about the data you hold on them without it being a DSAR.
Key to this is understanding that not everything the customer is asking for is automatically a DSAR, especially if it’s an internal request. Engaging with the person who initiated the request can help both parties: DSARs by their nature can contain a lot of information, which may be overkill for the enquirer’s requirements and might not actually answer the questions they have. By aiming to identify the purpose of the request and the scope of information they’re asking for, you can help both customer and company: the data subject gets the information they want in a clear and concise way, and the company spends less time and resources on the DSAR.
Staff training is of vital importance here – your employees need to know how to differentiate between general data enquiries and official DSARs – and if it is a DSAR, know what to do.
Making DSARs manageable
As we’ve discovered, businesses who are fully GDPR compliant will have a much easier time facilitating DSARs, as a good deal of the legwork (such as finding out the ‘what when where why who and how’ of data) will have been done already. For business who aren’t GDPR compliant, I recommend addressing that as a matter of priority. Internal GDPR expertise is often thin on the ground in many organisations, but that doesn’t mean that help isn’t available. Bulletproof’s outsourced DPO service and excellent GDPR training schemes are both great resources to help get your DSAR process embedded and tested with minimal cost.
Finally, my top tip for organisations receiving a DSAR is to stop and try to reach out to the person making the request. Try to understand the purpose of their request, their personal aims, to see if you can provide them with the information they want outside of the DSAR framework. Afterall, the best way to facilitate a complex DSAR is to make it not a DSAR in the first place..
Get help with your data protection obligations
Bulletproof’s experienced data protection officers give your business on-going support and maintenance of your data protection obligations. Find out more about our flexible, cost-effective packages.Learn more
Trusted cyber security & compliance services from a certified provider
Get a quote today
If you are interested in our services, get a free, no obligation quote today by filling out the form below.