Data Subject Access Requests (DSARs) Services

Latest update:
25 Jul
2022

One of the fundamental rights of an individual (data subject), under the UK GDPR is to be able to access and receive a copy of their personal information being held by an organisation (data controller).

As such, a data subject access request (DSAR) can be made by a wide range of individuals such as customers, employees (past and present), tenants and even people visiting a website.

DSARs can be made in writing, verbally and by social media.  It is also possible for a third party to request a DSAR on behalf of someone else.

If an electronic request is made, the data controller should provide the information through a commonly used electronic format, unless the data subject requests the information through another medium.

Data controllers also need to be aware that an access request can be made without formally being titled a ‘subject access request’ or similar.

Which Organisations/Data Controllers Need to Comply with DSARs

The simple answer is any organisation which processes personal data (difficult to think of many that don’t) will potentially need to comply with this requirement of the UK GDPR.

Thus, if your organisation has never received a DSAR, don’t get complacent, you may do in the future and you need a process and skilled resources to deal with it.

What are Some of the Challenges of Responding to a DSAR?

1. Timescale

Whilst there is nothing new about DSARs (they were first introduced by the DPA 1998), the UK GDPR included some additional requirements which introduced some challenges for data controllers responding to a DSAR.

One of the more obvious ones is the 1-month timescale in which data controllers must respond to an access request.

An organisation can only request additional time (up to a further 2 months) if procedures are considered to be too complex to meet the 1-month deadline, or if the same data subject has made numerous requests.

Data controllers, however, cannot obtain extensions on the grounds they are relying on data processors to provide the necessary information.

Timescale aside, there are numerous other challenges that data controllers must overcome in responding to a DSAR.

2. Validation

The legislation says that data controllers need to satisfy themselves that a DSAR is valid, and that the requester is in fact the data subject or someone acting on their behalf, like a solicitor or Citizens Advice.

Challenge:

  • So how do you satisfy yourselves?
  • What documentation do you request to confirm their identity?
  • How do you process and store this ID?
  • How long can you keep it for?

3. Vexatious Requests

How do you separate the genuine requests from the vexatious or malicious requests sent to potentially drain your resources?  How can you evidence that a request is malicious?

4. Resources

Do you have enough people to pull together everything you need to facilitate a request?  Do you have access to the systems?  Is your records management in place so you know how to locate documents that need to be disclosed?  Do you have the appropriate software to do professional redaction or are you still using a black felt tip and a photocopier?

5. Knowledge

URM has found this to be the biggest issues faced by organisations.

Do your people have the knowledge and skills to be able to facilitate requests?  Do they really know what personal identifiable data actually is?  A name alone within a document is not necessarily personal data that has to be disclosed in response to a DSAR.  Do you have the software and skills to pull together all the emails that mention a particular person or a particular complaint?

DSAR Redaction Service

It is important that DSARS are handled fairly and independently, especially where the request is internal and may involve HR records.

One of the areas which organisations often struggle with when dealing with a DSAR redaction is understanding what legal exemptions are available and more importantly can be applied.

This, naturally, will dictate when data can or cannot be released, e.g., where legal privilege applies to communications between an organisation and its solicitor.

Questions that organisations find challenging when redacting documents as part of a DSAR include:

  • What if personal data was provided in confidence, such as from a confidential informant, e.g., as part of a grievance and formal complaints process?
  • What if an access request is going to be unduly time consuming or particularly voluminous?
  • How do you determine if a DSAR is vexatious?  What evidence do you need to provide?  Do you actually need to respond to it?
  • What if someone else is requesting information on the data subject’s behalf?  How do you manage third-party requests and manage consent?
  • What if a DSAR concerns a child?
  • What if documents involved in the DSAR contain the names, or other personal information, of other staff or staff from other stakeholders?

Deciding on what elements of a document need to be redacted and where exemptions can be applied is a time-sensitive process and one which requires a skilled interpretation of the UK GDPR.

This is where utilising a third party provider, such as URM, can be useful.

One of the fundamental rights of an individual, under the UK GDPR is to be able to access and receive a copy of their personal information being held by an organisation
Thumbnail of the Blog Illustration
Data Protection
updateD:
25/7/2022
Data Subject Access Requests (DSARs) – The Need for Education and Centralised Processes

In this blog, we will discuss the importance of ensuring that your whole organisation can identify a DSAR, the benefits of controlling the entry points of DSARs and creating a centralised DSAR process

Read more
Thumbnail of the Blog Illustration
Data Protection
updateD:
25/7/2022
How to Respond to a Data Subject Access Request (DSAR)

Let’s face it, there is nothing straightforward or simple about responding to a data subject access request (DSAR).

Read more
Thumbnail of the Blog Illustration
Data Protection
updateD:
22/7/2022
What is the Difference Between Personal Data and Sensitive Personal Data?

There is some confusion about the difference between personal data and sensitive personal data and even whether sensitive personal data exists as a term! So, let’s see if we can clarify the situation

Read more
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.