Demystifying the DSAR: Responding to Data Subject Access Requests
What is a Data Subject Access Request?
Data subject access requests (DSARs) are not new, but are gaining increased prominence and public interest as a result of the introduction in May 2018 of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).
Although it was possible under previous data protection laws to make DSARs, GDPR has led to increased consciousness and understanding of the value of personal data and the need to ensure its proper use and protection, amongst consumers, employees, members of the public and organisations across all industries.
Any individual has the right, under both the GDPR and the DPA, to make a DSAR to any organisation that processes his or her data. In responding to a DSAR, the data controller must provide (1) a copy of the personal data which is being processed, (2) details of the categories of data being processed as well as the purposes for which it is being processed and the sources of that data, (3) an explanation of to whom/where the data has been or will be disclosed and, if transferred abroad, the safeguards provided, (4) details of the existence of any automated decision-making, including profiling, which is made using the data, and (5) information as to how long the data will be retained for. The data subject must also be told of their right to request rectification, deletion or restriction in relation to their data, as well as their right to complain to the UK’s information regulatory body, the Information Commissioner’s Office (ICO), if they are unsatisfied.
Failure to comply with a DSAR has been identified by the ICO as one of the most significant data protection issues at present, amounting to 46% of the total complaints the ICO received last year. With DSARs being such a big issue for organisations and individuals alike, knowing how to process and respond to a DSAR within the required timeframe of thirty calendar days is crucial.
What organisations can do to be ready for a DSAR
The GDPR does not explicitly describe the manner or format by which a DSAR can be made; it can be made verbally, in writing, or through an informal means, and does not need to specifically state on its face that it is in fact a DSAR. These different mechanisms and ambiguities mean that it is sometimes difficult for organisations to even recognise that a DSAR has been made, let alone process it. Training individuals in all areas of a business to spot a DSAR is key.
Responding to a DSAR requires the data controller to carry out a reasonable search for the data subject’s personal data. This can involve searching through large amounts of data held in various formats and locations: email, Word documents, phone records, text/messaging platform messages, as well as physical documentation (paper records). It is therefore key for organisations to have a clear understanding of the data they hold (where, why and how) in advance. Firms can take a number of steps to better prepare themselves for the inevitability of receiving a DSAR:
- Define and embed data governance and management practices
- Formulate policies and procedures for handling DSAR requests
- Have a clear record of the data that is held by the organisation, which is accurate and maintained (what, where, why and how). Where possible, reduce the amount of personal data held by the organisation and securely erase, in line with the organisation’s data retention policy, personal information that is no longer required
- Train staff to be able to identify DSARs and to understand what their roles are when processing and responding to the requests
- Create template responses to ensure that all elements of the request will be complied with
- Ensure that the organisation’s Data Protection Officer (if it has one) is kept informed of the receipt and progress of DSAR handling and a central log is maintained
I’ve received a DSAR… What next?
A request must be responded to within thirty calendar days, which includes the date you received the request even if it arrives late in the day or at a weekend. If an organisation cannot respond to a request in the required timeframe because of the complex nature of the request, then an extension of up to two months can be utilised, but the individual must be made aware of the extension and the reason for it. Whilst this does allow organisations more time to deal with requests, what constitutes a complex request is not defined, and therefore an organisation has to independently assess whether a request would warrant the extension. It should be the exception rather than routinely used. If an organisation fails to meet the deadline, or fails to provide the individual with the information requested, then it risks facing penalties for non-compliance. ‘Organisations have been reminded they could face a criminal prosecution if they fail to respect the public’s legal right to access their personal information.’
In most circumstances it is no longer possible to charge a fee for responding to a DSAR, and if a fee is offered (requestors sometimes still send a cheque for £10, which was payable under the old law) it should be returned.
When processing a DSAR an organisation should first ensure that the person requesting the data is who they appear to be, if need be by asking for ID documents. The organisation should then decide on the search parameters, including considering where relevant data might be held and what keywords might be applied to find the requestor’s personal data amongst electronic records. Once the data set has been established, the organisation should assess the information that is returned and determine whether or not each piece falls within the scope of the request, i.e. does it contain the requestor’s personal data? It should then assess whether any exemptions apply to any of that data, for example communications covered by legal privilege, which do not have to be disclosed even if they contain the requestor’s personal data. Finally, the organisation must identify whether any of the documents to be disclosed contain the personal data of any other third parties. Those third parties’ consent to disclose their personal data should be obtained or, if this is not possible or practical, that third party personal data must be redacted.
All of the steps and processes set out above can be significantly accelerated and streamlined by the use of technology. Processing large volumes of data, searching keyword terms and redacting third party data can be time consuming and expensive if appropriate resources are not deployed. The use of technology also increases control and transparency, and provides a historical record of the request and the contents of the response.
Finally, once the information has been compiled, the organisation must ensure that the data is sent to the individual securely, so as to avoid breaching data protection legislation, and log the activity.
What we can do to help
Managing a DSAR is not always straightforward and can consume a disproportionate amount of organisational resource to process. Our team of experts can support you across the DSAR lifecycle:
- Provide guidance on the relevant law and how it impacts your organisation as well as the exemptions and exceptions available
- Help organisations to establish and embed policies and procedures which enable them to manage personal data in line with the relevant regulations
- Provide training and legal guidance on how to identify and process DSARs
- Process DSAR requests through our technology-enabled managed service, which provides a flexible and cost-effective solution
Housing developer fined for ignoring data request, ICO, 7 February 2019
Regulation (EU) 2016/679 (2016) Recital 63