Practitioner's Insight – what is a Data Subject Access Request (DSAR) and how to deal with one
What is a DSAR?
Every data subject has the right to obtain, from a data controller, confirmation as to whether personal data is being processed, access to the personal data and further information as set out in Article 15 of the GDPR. This is known as a Data Subject Access Request (DSAR).
Failure to respond to a DSAR will probably lead to a complaint to the ICO, which will then investigate your failure to respond. The fines and sanctions that the ICO can impose are serious!
When a DSAR arrives from a current or former employee, there is often a sigh of fear and frustration! Dealing with DSARs is often very time consuming and labour intensive. We have seen a significant rise in the number of DSARs being made, and it is important that you are ready and able to respond in the event that you receive one. There are certain circumstances in which you are not required to respond; I do not propose to go into those circumstances in this insight, but please feel free to get in touch if you would like further information. This note assumes that we have a DSAR that needs to be responded to.
I would recommend that all organisations have a policy and process in place for dealing with DSARs. This ensures consistency in handling the request, and if your Data Protection manager is not available (holiday or ill health) it means you can deal with the request confidently in their absence.
The first things I look at when a DSAR is sent to me by a Client:
1. You have one month in which to respond to the request. As soon as you have received it, put the date in your diary and highlight it.
2. Who in the organisation will be handling the request and who else will be involved in the search?
3. Carry out an initial assessment of the request – do you even process data concerning the individual?
4. Are we satisfied that the request really comes from the person it claims to come from? If in any doubt at all, request ID.
5. If the DSAR is simply ‘give me everything that you hold which names me’, ask the data subject to narrow the scope of the search, for example to specific events, specific dates, specific people or the location of the data. You are entitled to do this, and it is important that you understand what the individual is actually looking for. If the request is from a former employee whom you employed for 20 years, there will be a huge amount of information in personnel files and on email servers, so a ‘give me everything’ request may well be excessive. If the scope of the request is substantial and complex, consider extending the time to respond. The one-month response period can be extended by a further two months, and it is important that you notify the data subject of the extension and the reasons you require it.
6. Write to the data subject to acknowledge receipt, setting out when you will respond by and the approximate number of documents involved, and ask them to clarify the scope of their request (if required).
7. Once the data subject has narrowed the search, let the search commence. The duty is to make a genuine and extensive search which is ‘reasonable and proportionate’. Search mailboxes, personnel files, back-ups, deleted data and any other storage systems you have.
8. Are there any applicable exemptions to the subject access rules?
9. Redact third-party data, and redact information which is not relevant, which is not personal data at all (financial performance, for example) or which is confidential.
10. Prepare a response in line with Article 15 GDPR.
In our experience, the bulk of the material disclosed in response to a DSAR consists of emails. To assist you, we have prepared a short note for you to use internally to encourage staff to maintain good email discipline.