DSAR-RRRGH! Dealing with Data Subject Access Requests (DSARs)
20 September 2019
DSARs are known for causing headaches. For those of you fortunate enough to have never had to deal with one (and probably don’t know the true misery they bring), they are a resource nightmare – sucking up time, money and effort.
Under the GDPR, the time limit for responding to a DSAR has been reduced to one month and the £10 fee has been scrapped. However, the biggest change is the rise in data protection awareness following the media attention the GDPR has received in the last 24 months. Consequently, we have witnessed a huge spike in DSAR activity and it’s something that businesses of all sizes need to be aware of.
Having a process in place for dealing with DSARs can ease a lot of the pain and we have a few tips to help you out:
1. Make sure you know what a DSAR is
It is important not to get caught off guard. Just because you’ve never received a DSAR doesn’t mean that you never will. There is no set format required for a DSAR, and they can be made in writing, verbally, via your social media channels or website chat box. Data subjects don’t need to tell you why they’re making the request, which can make them harder to spot.
Examples of requests that would be considered a DSAR include:
“What information do you hold on me?”
“I want to know what personal data you have stored about me.”
“Can you please tell me what personal data you hold on me and why?”
“I’d like to know what personal data of mine you have.”
“Please send me all the information you hold on me.”
The last thing you want is for a DSAR to be missed, with the first you hear of it being the ICO contacting you because the data subject has complained about your lack of response. It is therefore important that your team is trained to recognise one. We also recommend having guidance on your website on how someone should make a DSAR.
2. Using technology to help respond to a DSAR
You are probably using a lot of tech in your business. Consequently, documents are often duplicated and stored across different systems, folders and drives – including local drives (shock horror).
Responding to even the simplest of DSARs through a purely manual process can be tedious and incredibly time-consuming. Sorting through emails is quite often the biggest problem, particularly if you’re dealing with a request from an employee (see below).
Technology can help by:
– sifting through files to find personal data tags
– de-duplicating identical copies of data
– locking documents to prevent attachments and links from being shared
– removing unnecessary email threads, masking third-party email addresses and signatures, and so on.
Reducing the data you hold is a fundamental step to helping you comply with data minimisation principles and you’ll be incredibly grateful for it when dealing with a DSAR. You can also use tech to enable you to enforce retention periods, so data is automatically and routinely deleted.
3. Remember, the data subject is only entitled to their personal data
One of the most important aspects of responding to a DSAR is ensuring that nothing is disclosed to the data subject that shouldn’t be. You need to ensure that you respond fully to the request without disclosing confidential business information, personal data belonging to a third party, or other exempt data.
This can be particularly tricky when responding to requests from employees, because data for them is typically stored all over the business and there will usually be masses of email correspondence to sort through.
Not everyone realises that you only need to provide copies of the actual personal data, not copies of the documents within which it is contained. Though it can be useful and appropriate to send the full or redacted document, this becomes excessive when dealing with emails because there will be thousands of them.
Our tip is to list the repeat information in a table – for example:
Emails dated between xx/xx/xx – xx/xx/xx | First Name
And only provide copies of the emails where the actual body of the email contains personal data, redacted as appropriate of course. You definitely do not want to send out confidential business information or personal data belonging to another.
This is a grey area because emails often contain personal views of and about other individuals. As a result, it can take a degree of skill to determine whose personal data it actually is! The ICO has provided some useful guidance on this.
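As an added illustration of the de-duplication, third-party masking and summary-table steps described in sections 2 and 3 (example code written for this post, not a tool the authors use), here is a small Python triage run over a constructed mailbox export. The data subject, senders, addresses and message bodies are all made up; the summary row follows the table format suggested above.

```python
import hashlib
import re
from datetime import date
# Constructed mailbox export (made-up people/addresses); every message was addressed to the subject.
SUBJECT = {"name": "Jane Doe", "emails": {"jane.doe@example.com"}}
REVIEW = ("Hi Jane, your review is booked for Friday. I have copied jane.doe@example.com "
          "and tom.smith@example.com on this. Regards, Tom Smith")
MAILBOX = [
    {"date": date(2019, 3, 4), "from": "hr@example.com", "body": REVIEW},
    {"date": date(2019, 3, 4), "from": "hr@example.com", "body": REVIEW},  # same email, saved twice
    {"date": date(2019, 5, 9), "from": "bob.lee@example.com",
     "body": "Quarterly figures attached. Please forward to finance@example.com when done."},
    {"date": date(2019, 7, 1), "from": "sam@partner.example",
     "body": "Jane Doe has not returned the signed contract, I have asked legal@partner.example to chase her."},
]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def dedupe(mailbox):
    """Drop identical copies by hashing a whitespace-normalised, lower-cased body."""
    seen, unique = set(), []
    for msg in mailbox:
        digest = hashlib.sha256(" ".join(msg["body"].split()).lower().encode()).hexdigest()
        if digest not in seen:
            seen.add(digest)
            unique.append(msg)
    return unique

def mask_third_parties(text, subject):
    """Keep the data subject's own address; replace every other address with a placeholder."""
    def swap(m):
        return m.group(0) if m.group(0).lower() in subject["emails"] else "[third-party address]"
    return EMAIL_RE.sub(swap, text)

def body_mentions_subject(msg, subject):
    """True when the body itself, not just the headers, carries the subject's personal data."""
    text = msg["body"].lower()
    names = [subject["name"].lower(), subject["name"].split()[0].lower()]
    return any(n in text for n in names) or any(e in text for e in subject["emails"])

def triage(mailbox, subject):
    """One summary-table row for header-only hits; redacted copies only where the body has personal data."""
    unique = dedupe(mailbox)
    header_only = [m for m in unique if not body_mentions_subject(m, subject)]
    disclose = [dict(m, body=mask_third_parties(m["body"], subject))
                for m in unique if body_mentions_subject(m, subject)]
    dates = sorted(m["date"] for m in header_only)
    summary = (f"Emails dated between {dates[0]:%d/%m/%y} - {dates[-1]:%d/%m/%y} | email address (as recipient)"
               if dates else None)
    return summary, disclose
```

The name match here is deliberately simple; a real review still needs a person to decide whether a body mentioning the subject also contains someone else's personal data or confidential business information.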
The right of access is a fundamental right of the data subject. It’s important that you can identify and respond to them in the proper manner and timescale. Whilst it is unlikely that responding to a DSAR will ever be an enjoyable process, the suggestions above may just make it that little bit less painful (and will make for happier data subjects and regulators).
To discuss DSARs with a member of our team, drop us a line at firstname.lastname@example.org.