Do you need help managing a DSAR?

27th January 2022

What is a Data Subject Access Request?

A Data Subject Access Request (DSAR), often referred to as a SAR, gives individuals a right to be informed of the personal information that an organisation holds on them.

A DSAR is intrinsically linked to an individual’s right to rectification and forces a Controller to reveal what data it is processing to allow the individual to check its accuracy and lawfulness of the processing.

DSARs are not a new concept and have been a fundamental right for many decades; however, the GDPR introduced several changes that make requesting information much easier for individuals and far more challenging for organisations to respond to.

Below we will go through the basics of what you need to know about DSARs: what information you need to provide in a DSAR response, what information can be redacted, who should respond, and the process for handling a DSAR.

What information do you need to provide in a DSAR response?

This all depends on the request. A Controller may be asked to send a copy of a specific document, personal information relating to them for a certain period or cruelly ask for all of the information held on them.

Just as an aside, you may wish to note that individuals have a right to a copy of the information held about them, not necessarily a copy of any documents held on them. So, whilst providing copies of documents and redacting any information not relating to the requestor is often the easiest way to complete a DSAR, you could just as lawfully convert the personal data to a flat text file.

Once you have discovered all the potential information that ‘may’ relate to an individual, which you will usually identify using some form of eDiscovery tool, be that the basic search tool in your email platform, or clever full-blown eDiscovery software, you then need to determine which elements of that discovered information would be classed as ‘personal data’ under the definition of the GDPR.

Individuals are not entitled to any information not considered by the GDPR to be personal data, nor any personal information relating to other people, although in certain situations information relating to managers, decision-makers etc. can be provided.

The discovery phase of any request may end up becoming very time-consuming, as you may need to investigate local and cloud-based CRM systems, emails, instant messaging, social media, productivity tools, backups and archives, other locations, and don’t forget those manual indexed records.

If you can prove that a significantly disproportionate amount of data is being discovered, you can ask the requestor to narrow the scope of the request. Still, if they insist on receiving it all, you must supply the information in its entirety unless you can prove to a very high standard that the request would require disproportionate effort to complete.

Personal information must be provided alongside other supplementary material, such as the relevant details provided in the organisation’s privacy notice.

Can information be redacted?

Organisations can, where relevant, and sometimes must, redact any information that’s not within the scope of the DSAR.

For example, you may have documents about the individual that contain details of other people alongside them. In these situations, you must redact all personal data not relating to the individual making the request, because sharing someone else’s personal data would be a data breach.

If 80% of a page is to be redacted, it is often quicker, and easier for the individual to read, to transcribe the remaining 20% to a text file and provide that.

Who should respond to a DSAR?

Only a Controller of data should manage a DSAR, i.e. not a Processor, and where an organisation has appointed a Data Protection Officer (DPO), it is their responsibility. In the absence of a DPO, the department responsible for most of the processing usually takes the lead. In our experience, this typically falls to HR, as most DSARs are from current or ex-employees.

Either way, there should always be one individual responsible for compliance with a high-level overview of DSAR processes and documents. The buck stops with them in terms of ensuring that all DSAR requests are resolved promptly.

This does not mean the DPO should respond to each request personally. The DPO should have control over the processes and assure compliance along the way.

What is the process for handling a DSAR?

As the ICO notes, there is no specific process for making a request, so someone could call or write and say, “I’d like to see the data you have on me”, and that would be classed as a genuine subject access request. Anyone in your organisation who may receive a DSAR must know what to look out for and who to contact.

Below is the simplified process to follow so that you can respond quickly to a DSAR:

  1. Verify the identity

This is so you can determine the identity of the requestor and whether you have all the information to fulfil the request. Whilst you are waiting for proof of identity, the one calendar month countdown clock stops.

  2. Clarify the request and its validity

Requests are purpose blind, meaning that a requestor does not need to give you a reason as to why they want the information, and unless it requires disproportionate effort, you should not ask. However, you can clarify if the scope of the request can be narrowed to speed up the enquiry. If the request is valid, it should be completed as soon as possible and at the latest within one month. However, if needed, you can extend by two months, but you must both have justification and keep the individual informed.

  3. Check the data

When you start collating the data, check to see if you need to protect the personal data of any other individuals, and you may need to suppress any sensitive company information or information which attracts legal or litigation privilege. Applying exemptions is complex – if in doubt, seek help.

  4. Choose the format

When you’ve collected all the data within scope of the enquiry and suppressed or redacted inappropriate information, you must establish the most appropriate format to provide the information. Talk with the requestor to see how they would like the information – hardcopy or digital. Always send the data in a secure encrypted format.

  5. Add the extra information

When fulfilling the request, which must be done in the most secure way possible, advise the data subjects of their rights, including the right to file a complaint with the appropriate data protection authority if they are unhappy, although they should always speak with you to allow you the opportunity to assist further before any Regulator is involved.

Important points to note

It would be helpful to highlight two things. Firstly, you cannot force an individual to make their request in writing or to use a specific form; you can invite them to, but not force them, and Controllers have been fined for being obstructive in this area. Secondly, it is a criminal offence to withhold, delete or alter any information which a data subject is lawfully entitled to receive.

How to ensure the DSAR is a success

To ensure that the DSAR is a success and to prevent any challenges when responding to the request, you should put measures in place in your organisation, such as training staff in the DSAR process and appointing someone to take responsibility for DSARs. However, even if you do have a DPO, there will always be some challenging requests that will require guidance, and Griffin House Consultancy can help with this.

If you are unsure of anything we have mentioned above and feel that you would gain value from the peace of mind and extra support of working with specialists in this field, please contact us here or take advantage of your complimentary 30-minute consultation.

Let us ease your mind

If you have any queries, questions or requests then please get in touch. We’re always very happy to talk: you’ll find a friendly voice on the end of the line, or simply fill out the form below.
