Responding to Data Subject Access Requests (DSARs)

Let’s face it. There is nothing straightforward or simple about responding to a data subject access request (DSAR).

The words ‘I want all of my data’ equate to hours of trawling systems, reviewing content, redacting files, and collating information before any disclosure can take place.

Dealing with DSARs can be a costly exercise, both in terms of resources and time. Furthermore, as you can no longer charge a fee, it means you cannot recoup any of the costs associated with providing the data subject with their data. Not to mention the required 30-day turnaround time (approx. only 20 business days!) which adds further pressure on your privacy team.

Whilst responding to DSARs can be onerous and time-consuming, you cannot take any shortcuts. It is vitally important that DSARs are handled fairly and independently, particularly where the request is internal and may involve HR records. This can narrow down your options for individuals who can process the DSAR internally. To demonstrate independence and transparency, HR representatives, for example, should not process an employee’s DSAR.

There are other factors to consider when responding to a DSAR. Human intervention for example, rather than electronic, has a number of clear advantages.

As per the Information Commissioner’s Office (ICO) guidance, it is essential to understand the context of a DSAR. This can only be achieved where the raw material is read by the human eye. Simply putting a name into redaction software is really not sufficient.

Factors to Consider

• Has any personal data been provided to you in confidence, such as from a confidential informant? You particularly need to think about HR requests, grievances, and formal complaints

• Is the request going to be time-consuming or particularly extensive? Is it a vexatious request? Does it need to be responded to?

• Is the request being made on behalf of someone else? How do you manage third-party requests and consent? A careful balancing exercise should be carried out before disclosure

• What if the request concerns a child?

• What if the request contains the names of other staff or staff from other stakeholders?

Pivotal to the redaction of documentation is deciding what elements of the document need to be removed and an exemption applied for the removal.

This is a timely process. Redaction should be performed and overseen by someone who is knowledgeable about the records and can determine what material should or should not be redacted.

Removing just the third party’s name may not be sufficient, as they may still be identifiable from the rest of the information. Again, a task that can only be achieved with human input.

Also, don’t forget the ICO guidance. A name is not always personally identifiable information (PII). To understand this, you must review the context of the DSAR, your collated documentation, and redact with this in mind.

URM can provide a specific service that enables you to outsource all, or selected DSAR requests. Our knowledgeable, experienced team can understand your DSAR, its context and package the redacted documentation ready for sharing in a timely manner. Our aim is to resolve your internal resource and knowledge challenges and provide you with professional and personal service.

Would you Like to Learn How URM’s Redaction Service Operates?

A typical operating model for a URM DSAR Redaction Service is as follows:

More about GDPR and DP

GDPR and DP Training

Consultancy Services

About URM

Follow us on