Data Subject Access Requests, or DSARs, didn’t start with the GDPR, but it’s fair to say that there have been many more of them since GDPR came into law*.
So what is a DSAR and how should organisations respond when they receive one?
The GDPR upholds the right of an individual (i.e. a ‘data subject’),
“to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data…”
The information that an organisation must provide, in addition to a copy of the personal data itself, includes:
- The purposes of the processing;
- The recipients, or categories of recipient, with whom that information has been or will be shared;
- The period for which the personal data will be stored or, where that is not possible, the criteria used to determine that period;
- Where the data was not obtained from the individual directly, any available information about its source;
- Information about automated decision-making, including profiling, covering the logic involved and the significance and likely consequences of that processing for the individual.
What do you have to do?
Above all, you have to comply. This is a legal obligation and you must respond to the DSAR within one month of receiving it. That period can be extended by up to two further months where requests are complex or numerous, but only if you tell the individual within the first month and explain why.
You must verify the identity of the individual asking for the information. Ideally you should establish a standard initial response to a DSAR that asks for whatever you need in order to fulfil the request: for example, proof of the requester’s identity, or proof of their authority to act on behalf of the named individual. Ask only for what is proportionate; you cannot use identity checks as a way of delaying a request you could reasonably have recognised.
You must permit electronic requests. It is not legally permissible to insist, for example, that the subject access request is sent by post.
You cannot normally charge a fee. In most circumstances you will have to provide individuals with the information that they request free of charge. There are limited cases in which an organisation may charge a reasonable fee based on its administrative costs, for example where a request is manifestly unfounded or excessive, or where the individual asks for further copies of information already supplied, but these are very much the exception.
You must remind the data subject of their further rights. This includes the right to request rectification or erasure of the data, to request restriction of or object to its processing, and to lodge a complaint with the Information Commissioner’s Office.
What impacts do DSARs have on organisations?
Organisations should determine who is responsible for responding to a subject access request. Typically this will fall within the remit of the data protection officer (DPO). If there is no DPO, DSARs should be handled by someone with up-to-date data protection knowledge and training in GDPR compliance.
Organisations should establish a clear and robust process for handling DSARs, which should include:
- Verifying the identity of the individual (or of anyone acting on their behalf);
- Clarifying the scope of the request, where necessary, and confirming that it is valid;
- Searching for, retrieving and inspecting the data, including any third-party data that may need to be redacted;
- Determining an appropriate format in which to provide the information;
- Communicating the response within the time limit;
- Ensuring that the individual’s further rights are explained in full.
Staff training is also important, both to run the process described above and to help all members of staff recognise a subject access request when they see one. There is no prescribed format for a subject access request, and an individual does not have to use those words, or even put the request in writing. So, staff training should make clear that a DSAR can be made verbally in the course of a normal conversation, and that it must then be recorded and passed on to whoever is responsible for handling it.
Time, money and expertise.
DSARs could come from any direction. Members of staff, former employees, unsuccessful job applicants, customers – all are examples of individuals who might make a DSAR.
With the number of DSARs on the increase, and with the possibility of a further sharp rise as the Covid-19 pandemic progresses, the staff time consumed by handling DSARs can be significant. But the potential cost of non-compliance is likely to be far less acceptable, since the GDPR’s substantial penalties can apply to a failure to meet your obligations.
Not every organisation has appointed a DPO, so it is not always easy to judge how well you would cope with a DSAR. If you lack the internal expertise and practical experience in this area of data protection, you would be well advised to seek professional advice.
* The Information Commissioner’s Office reports that complaints related to DSARs doubled in the first year after the GDPR came into law.