Data Subject Access requests (DSAR) or Subject Access Requests (SAR) tend to be treated as something companies would rather ignore, until they have no choice. Most organisations will strictly follow the saying “failure to plan is planning to fail” in terms of their sales and marketing efforts. Customer service teams look at complaints or negative reviews as an opportunity to make a dissatisfied customer into a happy customer, or even an advocate.
Why then is data and privacy management under the GDPR not treated as the same opportunity? A well-handled DSAR builds trust in the eyes of the individual and a well-publicised culture of good data and privacy protection helps sales and marketing and builds confidence in the wider customer base.
Under the UK and EU GDPR individuals (also called Data Subjects) have the right to make a Data Subject Access Request. These requests are designed to allow individuals to find out what personal data and supplementary information is held by your organisation about them. For detailed information on DSARs read our guide What is a DSAR?
Firstly, don’t panic. As a data superstar this is your time to shine and show your company’s commitment to the GDPR and a culture of good data governance and privacy management. It will happen eventually; in fact, DSARs are on the rise. According to research by the Data Privacy Group in November 2021, UK businesses are spending between £72,000 and £336,000 per year handling data subject access requests. In the same year, the UK Data Protection Index reported a 66% increase in the average number of DSARs received. This is a good thing; people are increasingly aware of their rights and value their privacy. Your organisation can foster trust with your customers by handling their data correctly and responsibly.
Here is what you need to do according to the GDPR, Article 12(3):
1. Respond to the DSAR without delay and within one month of receipt of the request.
Many people ask what the time period is within which you must respond to a request from the data subject under the GDPR. Make sure you acknowledge receipt of the request as soon as possible and answer the request within 30 days. This does not mean 30 working days but 30 calendar days. Read the DSAR carefully and make sure you understand what the individual is asking for. If there is anything you don’t understand, it is OK to ask. It might even help you in your search.
2. You may extend the DSAR time limit by a further two months if the request is complex or if you receive a number of requests from the same individual.
If you need more time to deal with multiple DSARs or complex requests, you must inform the individual within the initial 30 days, together with the reasons for the delay.
3. You should perform a reasonable search for the requested information.
Yep, you need to search everywhere where their personal data could be held and should not stop until there is nowhere left to look. This is the most time-consuming part of the process and we will look at how it can be made more efficient later in this post.
4. You should supply the information in an accessible, concise and intelligible format.
Nobody wants to receive hundreds of documents, but it may not be possible to supply all the data in one document. Try to ensure the information is supplied at least as a spreadsheet and/or PDF files and presented in a way that is easy to understand. It is not a good idea to send files in formats that most people would find difficult to open, such as JSON.
5. The information should be sent securely.
Send the data in an accessible but secure format, for example directly to the individual’s email address. It is important to include details of your privacy policy, or a link to it, if it explains why you hold their data, how it was recorded, how long you intend to keep it, who it is shared with and how they can ask for it to be amended or deleted.
6. You can only refuse to supply the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.
It is possible, but you must be prepared to prove that the request is unfounded or excessive. You will have to inform the individual of the reasons why, back it up with evidence and inform them of their right to complain to the ICO or relevant authority.
7. You must inform the individual of their right to make a complaint to the ICO or other regulatory authority.
This is something that is often missed from DSAR responses; don’t forget to include it and make it clear.
It is important to understand the GDPR and be able to recognise a DSAR when you receive it. You will need various policies in place to handle DSARs, such as a means of recording access requests received verbally. If you are unsure about the identity of the individual making the request through email, social media or other channels, you will need to verify it by asking questions only they should know the answers to.
It is possible that a third party, such as a family member or solicitor, may make a DSAR on behalf of someone else. In this case you will need written consent from the data subject confirming that the third party is allowed access to the data. Remember you are against the clock to supply a prompt response, but the time limit can be paused if you need to ask the individual for more information or clarification.
It is particularly important to understand the nature of the supplementary information you need to provide in response to a subject access request. Too often answers to DSARs are criticised for being too generic. The more detailed you are with your response the better. Remember to include details of how the individual can ask for their data to be amended or deleted. This provides transparency for the data subject and is less likely to result in a complaint to the relevant authorities.
If the data you hold also contains data about other individuals, that data will need to be redacted. They have a right to privacy too, and only information relevant to the data subject can be shown to them. There may be circumstances where supplying the requested data would give away details about someone else’s data or identity. This requires careful thought on your part about what information you can supply, or getting permission from the other data subject. For example, the requesting individual may be able to guess the identity of another data subject from the information you supply. In this case permission would need to be sought from the person who could be identified, or the data cannot be provided.
One of the biggest challenges facing SMEs when responding to DSARs is a lack of systems and processes in place to deal with the request. The data is usually stored in many places, so simply finding and accessing it can be difficult. Often it is stored in emails, cloud storage systems, physical documentation and even CCTV equipment. For most organisations this is a manual process, and with the time limit the result is often a poor-quality, generic response that costs your company time and money.
Data mapping is an important process for organisations to get accustomed to. Mapping what data you have, where it is held and who handles it shows that the data you have has been handled appropriately and ensures SARs are responded to in a prompt and cost-effective manner. Check out our video What is Data Mapping Explained!
There is usually a lack of proper training for team members who are not qualified Data Protection Officers but to whom the task of handling DSARs has fallen. They are usually members of the customer service or complaints team and may have little or no formal training in data governance or privacy management. This can leave your organisation vulnerable to complaints and weaken your ability to defend against them.
Palqee’s user-friendly software makes data protection and privacy management accessible, collaborative and easy. It allows you to record, map and easily report on the personal information you store, detailing where it is stored, who handles it and its purpose, delivering peace of mind, time savings and value for your organisation.
The #1 platform to operationalise Privacy and Data Governance