Data Subject Access Requests (DSARs) – The Need for Education and Centralised Processes

Having a well-drilled team following a clearly defined process for DSARs is all well and good, but will be largely redundant if DSARs received across the organisation are not getting through to your dedicated individual or team.

We have come across numerous examples of DSARs being received by individuals who are not aware of their significance and, as such, the requests are either ignored or assigned to the ‘to do’ file or drawer.  

One of the biggest challenges we all face is the fact that DSARs often arrive in the organisation without any clear explicit indication that they are actually a DSAR!  The Information Commissioner’s Office (ICO), which has released some useful guidance on the best approaches to responding to a DSAR, confirms that neither the phrase ‘subject access request’ nor Article 15 (GDPR) have to be referred to in an information request in order to constitute a DSAR.  It also confirms that a request can be made either verbally or in writing, which effectively means that a DSAR can be received in various forms and by a multitude of individuals across your organisation.  Let’s start by looking at the identification conundrum.

Identifying a DSAR

It is vital that all of your staff understand what a DSAR is, so they can quickly identify when one has been received.  It is likely that your staff have received some basic training on data protection and their responsibilities, but they may still be unsure of what a DSAR is.  They will know what personal data is, so it is important that they also know that any individual can request their personal data at any time and in any form (verbal or written).

A pop-up session or bite-size training module on DSAR identification is highly recommended to re-affirm this message to your staff.  In addition, all staff need to be aware of the dedicated team or individual in your organisation who are responsible for responding to DSARs.

Most importantly, they need to be made aware of the need to promptly pass any request for information to the assigned individual/s who can then review, acknowledge, investigate and respond accordingly.  It is also essential that staff are made aware that they should not attempt to respond to the DSAR themselves.

It is highly likely that some requests may be forwarded to your data protection specialist/s which are not in fact DSARs, but it should be left to your specialists to make that assessment.

Controlling Entry Points of SARS

Whilst it is possible that DSARs can be received across the organisation, there are measures that you can take to try and limit or control the entry points.  Your customer services team is likely to be a first port of call (both via email and telephone) for customers wishing to exercise their right to access personal data under Article 15.  As such, the training of these front-line staff should be prioritised so they can forward all data protection related queries promptly to the appropriate people.

Setting up and promoting a dedicated email inbox to manage DP-related queries will also help filter requests coming into your organisation.  Customers, suppliers and other external third parties will appreciate having a dedicated ‘data protection@’ address, rather than sending mails in speculatively to individuals where there is a greater probability of things getting lost or delayed.  A dedicated email address also helps in maintaining a log or register of requests.

‍

Benefits of a Centralised Process

Maintaining a centralised process is not only important in the identification of DSARs and tracking requests you have received, but also in ensuring the most appropriate response is issued.  Responding to a DSAR requires specialist knowledge to ensure that you minimise further risks to your organisation. The DP specialist/s will know exactly what must be included in a response and by when.

There are various nuances to consider when sharing personal information (and when not to share!) particularly in protecting individuals’ personal information and freedoms. Many documents will need to have specific information redacted before they can be disclosed, which requires trained and skilled specialists to conduct, before a DSAR can be responded to.  A central register will also help you identify any ‘serial requesters’ who have sent in multiple DSARs or where requests have been denied in the past.

Summary

To sum up, the key starting point in any DSAR process is to quickly identify that a request for information is actually a DSAR!  A trained workforce that is knowledgeable of your organisation’s data protection obligations and understands exactly what to do when they receive a request (i.e. who/where to forward the request to) will not only speed up the response times, but also improve the quality of the response your organisation provides.

In doing so, you will maintain the goodwill of the individuals’ requesting information and keep the ICO from knocking on your door for failing to meet your obligations!

‍