Top tips on how to tackle Data Subject Access Requests
While it’s great people have the right to request copies of their personal data, there’s no doubt Subject Access Requests (SARs) can be challenging to complete adequately and on time.
(If you’ve ever had the misfortune to get a request from a disgruntled employee, for example, you’ll understand how complex these requests can become).
Some organisations are turning to tech to improve their processes for gathering information and redacting data where necessary. However, our recent survey shows the take-up of external tech solutions is currently relatively low, with just 15% of organisations using an external solution to ease the burden of DSARs.
To give you a helping hand, we've asked 10 experts who routinely handle requests to share their top tips (they're not all strictly speaking DPOs, but forgive me for wanting to keep the headline succinct).
1. Keep in touch
Chris Field | Privacy Director | Harte Hanks (US)
When addressing a DSAR, it is critical DPOs take the time to ensure their communications with data subjects are positive. Always use simple language that's easily understood when communicating. Acknowledge requests as soon as possible and set expectations as to when requests will be complete. Use calendar reminders to help you proactively notify data subjects of any delays and always check the information provided by the business. Be sure it relates to the data subject, and include clear descriptions as to what the data represents and how it is used.
2. The personal touch
Andy Bridges | Data Quality and Governance Manager | REaD Group
In our experience, one of the most important aspects when dealing with both DSARs and standard DPO cases is to ensure there is acknowledgment and understanding from the first stage. It is, of course, fundamental to ensure that your organisation's processes and procedures are properly implemented, but also important not to lose sight of the human element, which often gets missed. I have spoken directly to many data subjects and in most cases that personal touch has made a big difference and reassures the consumer that they are being treated with respect and dignity – which in turn helps to alleviate their concerns about how their personal data is being processed and why.
3. Focus on the agreed scope
Sara Howers | Data Protection Officer UK | CGI IT UK Ltd.
Although we cannot insist on a data subject giving us parameters for their access request, many do, and in these cases it’s important to restrict the data selected and supplied to within those parameters and not to over-supply the data. As many of us rely on a number of parties to collate information for us, even when we pass on those parameters, they aren’t always picked up and adhered to (sometimes because their own selection tools are a little overly inclusive), so it’s very important that we sense check all feeds in & restrict them accordingly. After all, you don’t want your DSAR to end up being the cause of a data breach in itself.
4. Don’t be unduly influenced by other matters
Michael Bond | Group Data Protection Officer | News UK
In my experience, the right of subject access is most often asserted where there are ongoing grievances or complaints relating to employees or customers. As such, there may be broader issues that turn on the results of a request. As the person managing the request, it is important to ensure that the subject access process is not unduly influenced by these broader customer or employee matters but kept separate; thereby preserving the integrity of the subject access process and impartiality and independence of the DPO.
5. What about requests from third party portals?
Gerald Coppin | Deputy Group Data Protection Officer | Springer Nature Group
A growing trend is for a DSAR to be submitted by a third party portal that insists the data subject is not contacted as part of the process, and organisations are instructed that any questions or follow up be undertaken solely through the third party. There is still the responsibility on your organisation to verify the identity of the data subject and this can be done by using the direct contact details of the data subject (if provided). Often these requests are accompanied by scanned images of legal documents (passport, driving licence, visas, permits, ID card, etc.) and you should be mindful that these images are still stored on your systems even if the data subject has not confirmed the request as genuine.
6. Keep track of time
Claire Robson | Data Protection Officer | Great Ormond Street Hospital Children’s Charity
Managing a DSAR within the 1-month timescale is tricky, particularly where you have a geographically spread organisation or multiple record-keeping systems. Establish a process to help staff identify a request – getting it to you promptly ensures you don’t lose too many days before you’ve even started. Know your record keeping systems – understanding what is held where, helps you locate, and retrieve the records needed. Are you reliant on other teams? Establishing KPIs for response times and setting expectations of them can help. Throughout, keep an eye on progress so you can quickly identify and notify the requestor if it’s going to take longer.
7. Can tech help?
Simon Morrissey | Legal Director Information Rights | BBC
The frequency and scale of individual DSARs has led to technology assuming an increasingly important role in the handling of DSARs, both in terms of managing the overall DSAR workflow and the collation, review and redaction process. There are now technology solutions available that allow an organisation to track a DSAR from inception to completion and which also contain a reporting tool that can assist with compliance reporting. As far as collation, review and redaction is concerned, there are also technology solutions which use machine learning to improve de-duplication and email de-threading, thereby reducing the volume of documents that require review. Machine learning is also being used to analyse the human-level review and redaction of the documents potentially in scope to ascertain the relevance of the documents not yet reviewed. This can also result in a significant reduction in the number of documents that require manual review and redaction.
8. How to cope with employee emails?
Data Protection Officer | Haymarket Media Group
Employee DSARs can be the most complex. You will need to take a view on how to tackle email communications and strike a balance between other employees' confidentiality and the right of access. An employee expressing an opinion about another employee to somebody else is personal data, but did they expect a level of confidentiality to be upheld when it was written as a private message? Whichever way you decide, it's important all employees are clear on your company's stance, so they know such messages may be disclosed as part of a DSAR. Remember, only the personal data needs to be provided, so including hundreds (if not thousands) of BAU emails might not be necessary. Automatically filter out those that would clearly be BAU and search for any personal data on a smaller volume of emails.
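The scoping and filtering described in tips 3 and 8 can be done mechanically before any human review. The following is an added example, not code from the article or any of the contributors: it parses a small constructed mailbox, discards messages outside the agreed date range (tip 3), drops obvious business-as-usual traffic by sender and subject pattern (tip 8), and keeps only messages that mention one of the data subject's known identifiers. All names, addresses, identifiers and BAU patterns are hypothetical, and the triage returns every excluded Message-ID with its reason so the exclusions can be sense-checked rather than silently lost.

```python
"""Added example (not from the article): scope and triage email for a DSAR.

Constructed mailbox, hypothetical data subject "Jane Doe" (employee ID E12345).
"""
import re
from datetime import datetime, timezone
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample messages; every name, address and body is made up.
RAW_MESSAGES = [
    "From: hr@example.com\nTo: manager@example.com\n"
    "Date: Tue, 10 Mar 2020 09:15:00 +0000\nMessage-ID: <m1@example.com>\n"
    "Subject: Grievance meeting\n\n"
    "Jane Doe has asked for a meeting about her appraisal.\n",
    "From: noreply@ci.example.com\nTo: dev-team@example.com\n"
    "Date: Wed, 11 Mar 2020 02:00:00 +0000\nMessage-ID: <m2@example.com>\n"
    "Subject: [ci] Nightly build report\n\n"
    "Build 4711 passed, 0 failures.\n",
    "From: manager@example.com\nTo: hr@example.com\n"
    "Date: Sat, 05 Jan 2019 16:40:00 +0000\nMessage-ID: <m3@example.com>\n"
    "Subject: Probation review\n\n"
    "Jane Doe passed probation; please update the record.\n",
    "From: alice@example.com\nTo: bob@example.com\n"
    "Date: Thu, 12 Mar 2020 12:05:00 +0000\nMessage-ID: <m4@example.com>\n"
    "Subject: Lunch?\n\n"
    "Canteen at 1?\n",
    "From: manager@example.com\nTo: payroll@example.com\n"
    "Date: Fri, 13 Mar 2020 17:30:00 +0000\nMessage-ID: <m5@example.com>\n"
    "Subject: Payroll query\n\n"
    "Please check the figures for E12345 before Friday.\n",
]

# Hypothetical identifiers for the data subject; word boundaries avoid
# matching "Jane Doerr" or an unrelated ID that merely contains "E12345".
SUBJECT_IDENTIFIERS = [
    re.compile(r"\bjane\s+doe\b", re.IGNORECASE),
    re.compile(r"\bjane\.doe@example\.com\b", re.IGNORECASE),
    re.compile(r"\bE12345\b"),
]

# Hypothetical BAU patterns: automated senders and machine-generated subjects.
# Keep these narrow and documented; they drop a message regardless of content.
BAU_SENDER = re.compile(r"^(no-?reply|notifications?|alerts?)@", re.IGNORECASE)
BAU_SUBJECT = re.compile(r"^\[(ci|jira|alerts?)\]|out of office|build report",
                         re.IGNORECASE)


def parse(raw: str) -> EmailMessage:
    return message_from_string(raw, policy=policy.default)


def message_date(msg: EmailMessage) -> datetime:
    dt = parsedate_to_datetime(msg["Date"])
    if dt.tzinfo is None:  # treat a timezone-less Date header as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def in_scope(msg: EmailMessage, start: datetime, end: datetime) -> bool:
    """Tip 3: only pull what falls inside the parameters the requester gave."""
    return start <= message_date(msg) <= end


def is_bau(msg: EmailMessage) -> bool:
    """Tip 8: machine-generated traffic that clearly is not about the subject."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return bool(BAU_SENDER.search(addr) or BAU_SUBJECT.search(str(msg.get("Subject", ""))))


def searchable_text(msg: EmailMessage) -> str:
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return f"{msg.get('Subject', '')}\n{text}"


def mentions_subject(msg: EmailMessage, identifiers) -> bool:
    text = searchable_text(msg)
    return any(pattern.search(text) for pattern in identifiers)


def triage(raws, start: datetime, end: datetime, identifiers) -> dict:
    """Bucket each message by Message-ID; only 'for_review' goes to a human."""
    result = {"out_of_scope": [], "bau": [], "no_match": [], "for_review": []}
    for raw in raws:
        msg = parse(raw)
        mid = str(msg["Message-ID"])
        if not in_scope(msg, start, end):
            result["out_of_scope"].append(mid)
        elif is_bau(msg):
            result["bau"].append(mid)
        elif not mentions_subject(msg, identifiers):
            result["no_match"].append(mid)
        else:
            result["for_review"].append(mid)
    return result


def run_example() -> dict:
    # Hypothetical agreed scope: 1 January to 30 June 2020.
    start = datetime(2020, 1, 1, tzinfo=timezone.utc)
    end = datetime(2020, 6, 30, 23, 59, 59, tzinfo=timezone.utc)
    return triage(RAW_MESSAGES, start, end, SUBJECT_IDENTIFIERS)


if __name__ == "__main__":
    for bucket, ids in run_example().items():
        print(f"{bucket}: {ids}")
```

The output buckets are deliberately kept rather than discarded: the out-of-scope and BAU lists are the record you check before the response goes out, and the "for_review" list is only a candidate set. A human still decides, message by message, what is the requester's personal data, what is a third party's confidential opinion, and which exemptions apply.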
9. Remember the exemptions
Chris Whitewood | Privacy & Data Protection Officer | Direct Line Group
When considering what your DSAR response will consist of, you will need to understand what information a data subject is legally entitled to and when information can legitimately be withheld. If information is to be withheld, then it is important that you clearly document internally what information is to be withheld and what exemption you are relying upon. Your DSAR Team will need to be trained as to how exemptions apply and understand the nuances of the Data Protection Act 2018. This will assist you when responding to any requests for clarification from the ICO or further correspondence from data subjects.
10. Respond securely
Temi Akindele | Data Protection & Legal Counsel | The Prince’s Trust
When responding to a request by email, the information must be sent securely. Often (depending on the secure email solution) the secure email will look different from the regular email address that the DSAR was sent to and/or acknowledged from. It is advisable to follow up immediately with an email (from the regular email) to ask the recipient to confirm that they have received the information and are able to view it. Their reply will serve as proof of receipt of the response. If your secure email solution can track when the response was viewed and the information downloaded, save this receipt with the DSAR records. The cover email should also inform the recipient how to escalate if they are unhappy with the response; include the details for an internal contact in the first instance as well as the ICO’s details.
Philippa Donn, October 2020
On 21 October 2020 the ICO published new detailed Right of Access Guidance.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.