What is a Data Subject Access Request?
Data subject access requests (DSARs) are not new, but are gaining increased prominence and public interest as a result of the introduction in May 2018 of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).
Although it was possible under previous data protection laws to make DSARs, GDPR has led to increased consciousness and understanding of the value of personal data and the need to ensure its proper use and protection, amongst consumers, employees, members of the public and organisations across all industries.
Any individual has the right, under both the GDPR and the DPA, to make a DSAR to any organisation that processes his or her data. In responding to a DSAR, the data controller must provide (1) a copy of the personal data which is being processed, (2) details of the categories of data being processed as well as the purposes for which it is being processed and the sources of that data, (3) an explanation of to whom/ where the data has or will be disclosed and, if transferred abroad, the safeguards provided, (4) details of the existence of any automated decision-making including profiling which is made using the data, and (5) information as to how long the data will be retained for. The data subject must also be told on their right to request rectification, deletion or restriction in relation to their data as well as their right to complain to the UK’s information regulatory body, the Information Commissioner’s Office (ICO), if they are unsatisfied.
Failure to comply with a DSAR has been identified by the ICO as one of the most significant data protection issues at present, amounting to 46% of the total complaints the ICO received last year. With DSARs being such a big issue for organisations and individuals alike, knowing how to process and respond to a DSAR within the required timeframe of thirty calendar days, is crucial.
What organisations can do to be ready for a DSAR
The GDPR does not explicitly describe the manner or format by which a DSAR can be made; it can be made verbally, in writing, or through an informal means, and does not need to specifically state on its face that that it is in fact a DSAR. These different mechanisms and ambiguities means that it is sometimes difficult for organisations to even recognise a DSAR has been made, let alone process it. Training individuals in all areas of a business to spot a DSAR is key.
Responding to a DSAR requires the data controller to carry out a reasonable search for the data subject’s personal data. This can involve searching through large amounts of data held in various formats and locations; email, word documents, phone records, text/messaging platform messages, as well as physical documentation (paper records). It is therefore key for organisations to have a clear understanding of the data they hold – where, why and how – in advance. Firms can take a number of steps to better prepare themselves for the inevitability of receiving a DSAR:
- Define and embed data governance and management practices
- Formulate policies and procedures for handling DSAR requests
- Have a clear record of the data that is held by the organisation, which is accurate and maintained (what, where, why and how). Where possible reduce the amount of personal data held by the organisation and securely erase, in line with the organisation’s data retention policy, personal information that is no longer required
- Train staff to be able to identify DSARs and to understand what their roles are when processing and responding to the requests
- Create template responses to ensure that all elements of the request will be complied with
- Ensure that the organisation’s Data Protection Officer (if it has one) is kept informed of the receipt and progress of DSAR handling and a central log is maintained
I’ve received a DSAR…. What next?
A request must be responded to within thirty calendar days, which includes the date you received the request even if it arrives late in the day or at a weekend. If an organisation cannot respond to a request in the required timeframe because of the complex nature of the request, then an extension of up to two months can be utilised; but the individual must be made aware of the extension and the reason for it. Whilst this does allow organisations more time to deal with requests, what constitutes a complex request is not defined and therefore an organisation has to independently assess whether a request would warrant the extension. It should be the exception rather than routinely used. If an organisation fails to meet the deadline, or the organisation fails to provide the individual with the information requested, then the organisation risks facing penalties for non-compliance. ‘Organisations have been reminded they could face a criminal prosecution if they fail to respect the public’s legal right to access their personal information.’
In most circumstances it is no longer possible to charge a fee for responding to a DSAR and if a fee is offered (requestors sometimes still send a cheque for £10, which was payable under the old law) it should be returned.
When processing a DSAR an organisation should first ensure that the person requesting the data is who they appear to be, if needs be by asking for ID documents. An organisation should then decide on the search parameters including considering where relevant data might be held and what keywords might be applied to find the requestor’s personal data amongst electronic records. Once the data set has been established, they should assess the information that is returned and determine whether or not each piece falls within the scope of the request i.e. does it contain the requestor’s personal data? They should then assess whether any exemptions apply to any of that data, for example communications covered by legal privilege which do not have to be disclosed even if they contain the requestor’s personal data. Finally the organisation must identify whether any of the documents to be disclosed contain the personal data of any other third parties. Those third parties’ consent to disclose their personal data should be obtained or, if this is not possible or practical, then that third party personal data must be redacted.
All of the steps and processes set out above can be significantly accelerated and streamlined by the use of technology. Processing large volumes of data, searching keyword terms and redacting third party data can be time consuming and expensive if appropriate resources are not deployed. The use of technology also increases control, transparency and provides a historical record of the request and the contents of the response.
Finally, once the information has been compiled, the organisation must ensure that the data is sent to the individual securely, so as to avoid breaching data protection legislation, and log the activity.
What we can do to help
Managing a DSAR is not always straightforward and can consume a disproportionate amount of organisational resource to process. Our team of experts can support you across the DSAR lifecycle:
- Provide guidance on the relevant law and how it impacts your organisation as well as the exemptions and exceptions available
- Help organisations to establish and embed policies and procedures which enable them to manage personal data in line with the relevant regulations
- Provide training and legal guidance on how to identify and process DSARs
- Process DSAR requests through our technology-enabled managed service which provides a flexible and cost effective solution
 Housing developer fined for ignoring data request, ICO, 7 February 2019
 Regulation (EU) 2016/679 (2016) Recital 63
Contact the authors
Melanie Hart is a Partner with Ince and advises on a broad range of corporate, commercial and individual disputes, and represents clients in litigation, arbitration and mediation. Much of her advice involves ‘dispute avoidance’ and developing risk management solutions in order to identify and mitigate risk at an early stage. Melanie assists clients in relation to all aspects of contentious data protection matters including preparing for and responding to data breaches/data hacks, responding to DSARs and using data protection rights and obligations in the context of litigation. You can contact her at MelanieHart@incegd.com
Jon Szehofer is a Partner with GD Financial Markets and leads our business consulting proposition. Jon has led a number of high-profile engagements for major global Investment Banks and industry associations, with a specific focus on regulatory change, risk management and organisational change. You can contact him at firstname.lastname@example.org
Rya Saunders is a business analyst with GD Financial Markets. Since joining GDFM she has been involved in a number of consulting assignments, including an industry specific AML solution and a major organisation re-design. You can contact her at email@example.com
Ince is a leading international law firm with 150 years’ experience providing clients with best in class legal and strategic advice, including in all areas of data protection and information law. If you would like more information about the services which Ince offers, contact our Chief Executive Adrian Biles at firstname.lastname@example.org
About GD Financial Markets
GD Financial Markets works with clients to solve their operational and regulatory challenges including practical implementation of regulatory processes. If you would like to know more about this or our other services, contact our Business Manager at email@example.com.