August 25, 2021
Data subject access requests (or DSARs) are just one of the legal rights that individuals have under data protection law, but they are probably the request most known for causing the biggest headaches. If you have never had to deal with a data subject access request, their bad reputation comes from the fact that they can be a resource nightmare – sucking up time, money and effort.
There is added pressure because you are not allowed to charge a fee (so you cannot recoup the costs) and you have a time limit of 30 days to respond (so it might be that you have to drop other projects to prioritise the request).
Of course, it’s not all doom and gloom. DSARs are a fantastic way of ensuring businesses engaging in data processing do so responsibly. DSARs can also act as a way of embedding good working practices. If something embarrassing comes out of the woodwork as part of a DSAR disclosure, it is an opportunity to reflect on whether your people policies or retention policies are actually working. Perhaps, more so than scary fines imposed by a regulator, DSARs are something that keeps businesses on track for data protection and compliance.
In this article, we tackle how to respond to a DSAR, from upholding UK GDPR compliance, to the ins and outs of a DSAR submission. You'll come away with a clear understanding of how to handle data privacy, how to deal with a data subject access request, and how to abide by data protection law.
First thing's first: if someone submits a DSAR, you’re going to need to respond – regardless of the size of your business. Here are a few tips to ensure legal compliance with a data subject access request.
Although the right to access your information is everyone’s legal right, that doesn’t mean it needs to be worded in a legal way. This means that your business might receive a DSAR in a letter or email, over the phone, via your social media channels or even by using your website chat box.
Some examples of messages or requests which would be considered a DSAR include:
The last thing you want to happen is to miss a DSAR and the first you hear about it is from the ICO (The Information Commissioners Office, the UK regulator for data protection) because the person complains that you have not responded to them. So it’s important you and your team are trained to recognise one.
You can make things a little bit easier for yourself by outlining on your website how someone can make a DSAR submission (e.g. by having a link to a designated e-mail) in clear and plain language – although, it is still up to the person making the request (known as a Data Subject ) if they want to make the request some other way.
When someone asks you to give them a copy of the information you hold about them, the first step is to check through your systems, emails, internal chats, hardcopy documents etc to pull together the big pile of “Information About Them” into one place.
You probably already use a lot of tech to help support your business (you might even have created it yourself!). The downside of being able to conveniently share, save and download is that it can mean that documents are duplicated and stored across lots of different systems, folders and even (shock horror) on local drives. Thinking of the futuristic set-up you’ve got going on, with multiple systems, you might begin to understand why some people think DSARS are a nightmare to deal with. But don’t worry, here is how your tech can help you:
There are a couple of things to think about when it comes to personal information and the privacy rights of data subjects. The first is personal data (which is any information which can or could be used to identify a living person). The second is that the "Data Subject" is only entitled to their relevant personal data.
This means that you need to carefully check the information your search pulled up to make sure you are not sharing anything you shouldn’t be. This is especially tricky when it comes to responding to DSARs made by employees, because their personal data will be on lots of different things (for example, their name might appear on their email signature). In this example, you would not need to send every email that ever had their name on it – because a lot of that would be purely business information, or in the main text of that email might be about somebody else.
Not everyone realises that you only need to provide copies of the actual personal data, not copies of the documents which contains that personal data. It can be useful, and sometimes more appropriate, to send out the document but that can become disproportionate when there are thousands of emails. Here, our advice would be to specify the repeated information in a table.
Only provide copies of the emails where the main text of that email contains personal data. Of course, you need to redact (which means block out or remove) any information which is not about the Data Subject. You definitely would not want to be sending out confidential business information or someone else’s personal data to them!
It can get a bit tricky to decide what counts as personal data. For example, instant messages and emails often contain personal views of and about other people. Whether that should be disclosed to the Data Subject depends on the circumstances and what has been said, but you should know that sometimes it must be disclosed. Even if what was written makes you full body cringe, you might have to put it out there and (going back to the glass-half-full approach at the start of this blog) use it as a lesson to remind people what work systems should and should not be used for.
The ICO has guidance on its website on what it expects you to do and how to approach DSARs, but know that we’re here to help out as well. Stephenson Law is here to make DSARs less “DSARGHHHH” and more “DSAHHHHH” (that’s a sigh of relief by the way!).
Has your organisation been asked to delve into the personal information you collect on data subjects? We’re data protection law experts, highly experienced in getting data on your good side. From dealing with a data breach, to squeaky-clean UK GDPR compliance, we work tirelessly to ensure our clients are on the right side of data privacy laws.
Discover how we can support you with DSAR compliance, whether that's tackling the ins and outs of a DSAR submission, or compiling a DSAR response. Find out more about how we can support you with data subject access requests here.