How to Respond to a Data Subject Access Request (DSAR)

Latest update:
25 Jul

Let’s face it, there is nothing straightforward or simple about responding to a data subject access request (DSAR). The words ‘I want all of my data’ equate to hours of trawling systems, reviewing content, redacting files, and collating information before any disclosure can take place.

Dealing with DSARs can be a costly exercise, both in terms of resources and time. Furthermore, as you cannot charge a fee, it means you cannot recoup any of the costs associated with providing the data subject with their data.  Not to mention the required 30-day turnaround time (approx. 20 business days!) which adds further pressure on your privacy team.

Whilst responding to DSARs can be onerous and time-consuming, you cannot take any shortcuts.  It is vitally important that DSARs are handled fairly and independently, particularly where the request is internal and may involve HR records, which can vastly narrow down your options for individuals who can process the DSAR internally.  To demonstrate independence and transparency, HR representatives, for example, should not process an employee’s DSAR.

There are other factors to consider when responding to a DSAR.  Human intervention for example, rather than electronic, has a number of clear advantages.

As per the Information Commissioner’s Office (ICO) guidance, it is essential to understand the context of a DSAR.  This can only be achieved where the raw material is read by the human eye.  Simply putting a name into redaction software is really not sufficient.

Factors to Consider

  • Has any personal data been provided to you in confidence, such as from a confidential informant?  You particularly need to think about HR requests, grievances, and formal complaints.
  • Is dealing with the request going to be time-consuming or particularly extensive?  Is it a vexatious request?  Is it manifestly unfounded or excessive and therefore does not need to be responded to?
  • Is the request being made on behalf of someone else?  How do you manage third-party requests and consent?  A careful balancing exercise should be carried out before disclosure.
  • What if the request concerns a child?
  • What if your response to the request contains the names, or other personal information, of other staff or staff from other stakeholders?

Pivotal to the redaction of documentation is deciding what elements of the document need to be removed and a legal exemption (from the list in Schedule 2 of the Data Protection Act 2018) applied justifying the removal.

This is a time-sensitive process.  Redaction should be performed and overseen by someone who is knowledgeable about the records and the statutory exemptions available, and who can determine what material should or should not be redacted.

Removing just the third party’s name may not be sufficient, as they may still be identifiable from the rest of the information.  Again, a task that can only be achieved with human input and judgement, not solely by automated decision-making (i.e., redaction software alone).

Also, don’t forget the ICO guidance.  A name on its own is not always personal data disclosable in response to a DSAR.  To understand this, you must review the context of the DSAR, and your collated documentation, and redact with this in mind.

Thumbnail of the Blog Illustration
Data Protection
ISO 27701:2019 and the GDPR

The EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA) both rquire organisations to protect and ensure the privacy of any personal data which they process...

Read more
Thumbnail of the Blog Illustration
Data Protection
UK International Data Transfer Agreement

On 2 February 2022, the Information Commissioner’s Office (ICO) laid before Parliament changes around restricted international personal data transfers. The international data transfer agreement...

Read more
Thumbnail of the Blog Illustration
Data Protection
Tips on Demonstrating UK GDPR Compliance

The easy way (if it was available!) would be to certify to an approved UK GDPR certification scheme. The Data Protection Act 2018 gave the UK’s privacy regulator, the Information Commissioner’s...

Read more
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.