August 25, 2021
Data subject access requests (or DSARs) are just one of the legal rights that individuals have under data protection law, but they are probably the request most known for causing the biggest headaches. If you have never had to deal with a data subject access request, their bad reputation comes from the fact that they can be a resource nightmare – sucking up time, money and effort.
There is added pressure because you are not allowed to charge a fee (so you cannot recoup the costs) and you have a time limit of 30 days to respond (so you may have to drop other projects to prioritise the request).
Of course, it’s not all doom and gloom. DSARs are a fantastic way of ensuring businesses that use people’s data do so responsibly. DSARs can also act as a way of embedding good working practices. If something embarrassing comes out of the woodwork as part of a DSAR disclosure, it is an opportunity to reflect on whether your people policies or retention policies are actually working. Perhaps, more so than scary fines imposed by a regulator, DSARs are something that keeps businesses on track for data protection compliance.
The thing you need to know is, if someone submits a DSAR then you’re going to need to respond – regardless of the size of your business. Here are a few tips to ensure legal compliance with a subject access request.
Although the right to access your information is everyone’s legal right, that doesn’t mean it needs to be worded in a legal way (and you know how much we hate legal jargon here at Stephenson Law, so we’re totally on board!). This means that your business might receive a DSAR in a letter or email, over the phone, via your social media channels or even by using your website chat box.
Some examples of messages or requests which would be considered a DSAR include:
The last thing you want to happen is to miss a DSAR and the first you hear about it is from the ICO (The Information Commissioner's Office, the UK regulator for data protection) because the person complains that you have not responded to them. So it’s important you and your team are trained to recognise one.
You can make things a little bit easier for yourself by outlining on your website how someone can make a DSAR (e.g. by having a link to a designated e-mail) in clear and plain language – although, it is still up to the person making the request (known as a Data Subject) if they want to make the request some other way.
When someone asks you to give them a copy of the information you hold about them, the first step is to check through your systems, emails, internal chats, hardcopy documents, etc. to pull together the big pile of “Information About Them” into one place.
You probably already use a lot of tech to help support your business (you might even have created it yourself!). The downside of being able to conveniently share, save and download is that documents end up duplicated and stored across lots of different systems, folders and even (shock horror) on local drives. Thinking of the futuristic set-up you’ve got going on, with multiple systems, you might begin to understand why some people think DSARs are a nightmare to deal with. But don’t worry, here is how your tech can help you:
There are two things here to think about. The first is personal data (which is any information which can or could be used to identify a living person). The second is that the "Data Subject" is only entitled to their relevant personal data.
This means that you need to carefully check the information your search pulled up to make sure you are not sharing anything you shouldn’t be. This is especially tricky when it comes to responding to DSARs made by employees, because their personal data will appear in lots of different places (for example, their name might appear in their email signature). In this example, you would not need to send every email that ever had their name on it, because a lot of that would be purely business information, or the main text of that email might be about somebody else.
Not everyone realises that you only need to provide copies of the actual personal data, not copies of the documents which contain that personal data. It can be useful, and sometimes more appropriate, to send out the document, but that can become disproportionate when there are thousands of emails. Here, our advice would be to set out the repeated information in a table.
Only provide copies of the emails where the main text of that email contains personal data. Of course, you need to redact (which means block out or remove) any information which is not about the Data Subject. You definitely would not want to be sending out confidential business information or someone else’s personal data to them!
It can get a bit tricky to decide what counts as personal data. For example, instant messages and emails often contain personal views of and about other people. Whether that should be disclosed to the Data Subject depends on the circumstances and what has been said, but you should know that sometimes it must be disclosed. Even if what was written makes you full-body cringe, you might have to put it out there and (going back to the glass-half-full approach at the start of this blog) use it as a lesson to remind people what work systems should and should not be used for.
The ICO has guidance on its website on what it expects you to do and how to approach DSARs, but know that we’re here to help out as well. Stephenson Law is here to make DSARs less “DSARGHHHH” and more “DSAHHHHH” (that’s a sigh of relief by the way!).
If you'd like to discuss taking the ARRGHHH out of your DSARs, reach out to us on here.
We’re the experts in getting data on your good side. Find out more about our data protection offering here.