Data Subject Access Requests & How to handle them

Under GDPR a data subject has the right to access the personal information that an organisation holds on them. This is known as a Data Subject Access Request (DSAR) and covers personal data about a customer, an employee or a contractor.

What is a Data Subject Access Request (DSAR)?

A DSAR is a request for information from someone whose personal data you hold. The EU GDPR and the UK GDPR give everyone in the EU and the UK rights over the use of their personal data, set out as the Rights of the Data Subject. This means an individual can decide how their personal data can be used.

One of the rights of the individual under GDPR is the ‘Right of Access’; this is the right that a DSAR exercises. When an individual submits a DSAR to an organisation, the organisation must provide them with the relevant information it holds about them.

What needs to be included in a DSAR?

The request may be for ALL the information that is held about the individual, or it may be limited to certain information; whatever the request, the relevant information must be provided.

Today the world is digital: information can be stored in emails and files, and sometimes even on paper, which can lead to a large volume of information.

The first task for an organisation is to determine what is personal data relating to the individual. Personal data is defined in GDPR Art. 4(1): personal data is any information relating to an identified or identifiable natural person. This could include name, address, phone number and email address; for a full explanation of personal data see the ICO explanation.

Every organisation that collects personal data should set out in its Privacy Notice the details of the data that it collects about individuals.

What information cannot be provided

If the personal data that has been requested contains third-party details, then these details should be redacted; the information provided within the scope of the DSAR should only refer to the person making the request. This is important because if details of a third party are given out accidentally, this will lead to a data breach.

Where sensitive company information is referred to, this can also be redacted.

When a DSAR is submitted

When an organisation receives a DSAR, the requester does not need to state that they are submitting a ‘Data Subject Access Request’, nor do they have to state why they require the information.

The only question that an organisation should ask the requester is one that verifies their identity. Again, failure to do this could result in a data breach, by giving personal details to the wrong person.

A DSAR can be made either by email or by letter, so every organisation needs to be able to recognise a DSAR when it receives one.

How long does an organisation have to respond?

The GDPR states that DSARs must be fulfilled ‘without undue delay’ and sets a time limit of one calendar month.

Organisations can extend the deadline to up to three months; however, they must be able to show that the extension is justified, e.g. if the request is complex. The organisation must also respond to the requester to tell them that this is the case and explain why.

For some organisations this could be a challenge, so it is important that a clear and easy-to-understand procedure is implemented.

Is there a fee for a DSAR?

No fee can be charged: GDPR Article 12(5) states that the response to a DSAR must be provided free of charge. Organisations can no longer charge a fee for dealing with a straightforward DSAR.

However, where the request is excessive or manifestly difficult, a reasonable fee can be charged, but again you must be able to justify this. If the requester requires additional copies of the information supplied, a reasonable fee can be charged.

Can a DSAR be submitted on behalf of someone else?

Yes, individuals can authorise someone else to make a request on their behalf.

For example:

  1. Where a third party has been given authorisation to look after another person’s affairs
  2. A parent or someone with parental responsibility is seeking information about a child
  3. A friend or relative is making the request on behalf of another individual
  4. A solicitor is acting on behalf of a client

It is the responsibility of the organisation to ensure that it is satisfied about the person making the request and that it has seen verification and authorisation from the requester before the information is given.

The DSAR process

For organisations to handle a DSAR successfully there needs to be a very clear process in place. The GDPR does not stipulate a process, so it is up to the organisation to implement one, ensuring that those who handle personal data are trained and know what to do.

Time is limited when handling a DSAR, so requests need to be dealt with quickly and efficiently. A typical process would look as follows:

Week One

  1. Receive the DSAR and pass it to the designated person to deal with it
  2. Verify the identity of the requester
  3. Log the SAR in the SAR log
  4. Notify all relevant departments where the data subject’s data is being processed

Week Two

  1. Gather information from all relevant departments

Week Three

  • Combine all the gathered information into one file
  • Redact the information of any third parties, unless the third parties have given consent for their details to be provided as part of the SAR
  • Redact any commercially sensitive information
  • Submit for sign-off by the Data Protection Officer, Data Manager or Senior Management

Week Four

  1. SAR reviewed and signed off internally
  2. Upload to a secure file-sharing location or print (as required)
  3. Notify the data subject that they can collect or access the information as requested
  4. Record the date and time of the SAR response in the SAR log.

Ensuring success with a DSAR

To ensure success with DSARs and respond within the GDPR requirements, the organisation needs a clear step-by-step process in place.

The organisation needs to implement measures to ensure ongoing success and compliance.

These measures include:

Staff training

Make sure that all staff who deal with personal data know how to recognise a DSAR. Ideally, all staff involved in data protection matters should have regular data protection training.

DSAR responsibilities

Appoint a person or a team to take responsibility for dealing with DSARs.

Expert advice

Make sure that there is always access to expert advice; this could be the DPO within your organisation, or you could work with a consultancy or an outsourced DPO to advise on complex requests.

If you or your organisation need further help and advice on how to deal with DSARs, then please do contact us; we are here to help.
