DSAR-RRRGH! Dealing with Data Subject Access Requests (DSARs)

20 August 2021

DSARs are just one of the legal rights that individuals have under data protection law, but they are probably the request most known for causing the biggest headaches. If you have never had to deal with a DSAR, their bad reputation comes from the fact that they can be a resource nightmare – sucking up time, money and effort.

There is added pressure because you are not allowed to charge a fee (so you cannot recoup the costs) and you have a time limit of 30-days to respond (so it might be that you have to drop other projects to prioritise the request).

Of course, it’s not all doom and gloom. DSARs are a fantastic way of ensuring businesses that use people’s data do so responsibly. DSARs can also act as a way of embedding good working practices. If something embarrassing comes out of the woodwork as part of a DSAR disclosure, it is an opportunity to reflect on whether your people policies or retention policies are actually working. Perhaps, more so than scary fines imposed by a regulator, DSARs are something that keeps businesses on track for data protection compliance.

The thing you need to know is, if someone submits a DSAR then you’re going to need to respond – regardless of the size of your business. Here a few tips to help you out:

 

1) Make sure you know what a DSAR is

Although the right to access your information is everyone’s legal right, that doesn’t mean it needs to be worded in a legal way (and you know how much we hate legal jargon here at Stephenson Law, so we’re totally on board!). This means that your business might receive a DSAR in a letter or email, over the phone, via your social media channels or even by using your website chat box.

Some examples of messages or requests which would be considered a DSAR include:

  • “What information do you hold on me?”
  • “I want to know what personal data you have stored about me.”
  • “Can you please tell me what personal data you hold on me and why?”
  • “I’d like to know what personal data of mine you have.”
  • “Please send me all the information you hold on me.”

The last thing you want to happen is to miss a DSAR and the first you hear about it is from the ICO (the UK regulator for data protection) because the person complains that you have not responded to them. So it’s important you and your team are trained to recognise one.

You can make things a little bit easier for yourself by making it very clear on your website how someone can make a DSAR (e.g. by having a link to a designated e-mail) – although, it is still up to the person making the request (known as a Data Subject) if they want to make the request some other way.

 

2) Use technology (combined with good old-fashioned housekeeping!) to help you respond to a DSAR

When someone asks you to give them a copy of the information you hold about them, the first step is to check through your systems, emails, internal chats, hardcopy documents etc to pull together the big pile of “Information About Them” into one place.

You probably already use a lot of tech to help support your business (you might even have created it yourself!). The downside of being able to conveniently share, save and download is that it can mean that documents are duplicated and stored across lots of different systems, folders and even (shock horror) on local drives. Thinking of the futuristic set-up you’ve got going on, with multiple systems, you might begin to understand why some people think DSARS are a nightmare to deal with. But don’t worry, here is how your tech can help you:

  • Change your settings to enable the “retention” functionality. The standard default position is that your systems will keep storing information forever, but most of the big platforms (think Google and Microsoft) will let you change that and pick a retention period. This means that the system will automatically delete emails, instant messages or whatever you use that platform for after a certain period. This will significantly reduce the amount of information you have to sift through (which even has a bonus of reducing overheads, because digital storage gets expensive!). But be warned, you may want to have a separate folder to save off certain documents or emails that you want to keep for longer (e.g., a signed contract or legal advice) and you’ll need to remember to do this manually (unless someone out there has a handy tip on how to set this up as well? We’d love to hear!)
  • Use the search bar. You explain to individuals which search terms you’ll use to carry out the search. You might use their full name, initials, their email address or even their job title. Lots of systems include a search bar functionality. An extra tip is that if you include quotation marks, that will look for that entire phrase. For example, typing Stephenson Law might return lots of documents which include the words Stephenson, Law and Stephenson Law. But if you type “Stephenson Law”, you’ll only get search results for the whole phrase. 
  • Share links to documents instead of attachments (and update the editing permissions). This reduces the risk of having lots of versions of the same document saved on your system and can prevent people saving local copies to their device. It is likely you are paying a fee to use that platform or product so get your money’s worth by using its different functionality!
  • Extract data into searchable formats, for example, transferring data in excel spreadsheets to databases.
  • Use descriptive file names for documents. Be careful not to omit the client name as it can be easily missed when searching for documents if they are generic.
  • Map out your systems visually to show where data is stored, use a charting tool and keep it up to date.
  • Practice good data hygiene and archive and delete files (within your regulatory requirements).
  • Avoid duplicating data and work from single sources of truth where possible.

3) People are only entitled to their personal data

There are two things here to think about. The first is personal data (which is any information which can or could be used to identify a living person). The second is that the “Data Subject” is only entitled to their personal data.

This means that you need to carefully check the information your search pulled up to make sure you are not sharing anything you shouldn’t be. This is especially tricky when it comes to responding to DSARs made by employees, because their personal data will be on lots of different things (for example, their name might appear on their email signature). In this example, you would not need to send every email that ever had their name on it – because a lot of that would be purely business information, or in the main text of that email might be about somebody else.

Not everyone realises that you only need to provide copies of the actual personal data, not copies of the documents which contains that personal data. It can be useful, and sometimes more appropriate, to send out the document but that can become disproportionate when there are thousands of emails. Here, our advice would be to specify the repeated information in a table.

For example:

FormatType of personal dataYour personal data
EmailName, job title, corporate email addressMs Made Up, Fancy Job, M.Up@imaginaryexample.com

Only provide copies of the emails where the main text of that email contains personal data. Of course, you need to redact (which means block out or remove) any information which is not about the Data Subject. You definitely would not want to be sending out confidential business information or someone else’s personal data to them!

It can get a bit tricky to decide what counts as personal data. For example, instant messages and emails often contain personal views of and about other people. Whether that should be disclosed to the Data Subject depends on the circumstances and what has been said, but you should know that sometimes it must be disclosed. Even if what was written makes you full body cringe, you might have to put it out there and (going back to the glass half full approach at the start of this blog) use it as a lesson to remind people what work systems should and should not be used for.

The ICO has guidance on its website on what it expects you to do and how to approach DSARs, but know that we’re here to help out as well. Stephenson Law is here to make DSARs less “DSARGHHHH” and more “DSAHHHHH” (that’s a sigh of relief by the way!).

If you’d like to discuss taking the ARRGHHH out of your DSARs, reach out to us on here.

Check out our insights section for more data protection top tips, and to get the latest updates straight to your inbox, be sure to sign up to our newsletter.