Efficiently handling Data Subject Access Requests (DSARs)
The right of access is the right everyone has to ask an organisation for a copy of their personal data. Fulfilling it, however, can prove challenging, time-consuming and costly for organisations.
Complaints about DSARs account for a fifth of all complaints raised with the UK’s Information Commissioner’s Office (ICO Annual Report 2021-22).
People are clearly not satisfied with how many organisations are responding to requests. This could be due in part to organisations failing to comply, and in part to people misunderstanding what they are entitled to receive.
Late last year the ICO took the step of issuing a number of reprimands to public sector bodies and a commercial media company in relation to DSARs. A key issue is failure to respond in time, with significant backlogs developing. The law says we must respond within one calendar month; this can be extended by up to a further two months where requests are unduly complex.
DSARs are nothing new; people had the right to request a copy of their personal data long before GDPR. Organisations are expected to have robust procedures in place and the technical capabilities to fulfil requests. What GDPR did, back in 2018, was raise awareness of this right and it’s clear more people are submitting requests.
So, how do we make sure we are on the front foot and able to respond efficiently to the requests we receive?
5-point checklist for handling DSARs
1. Staff awareness
A request can be submitted in writing, verbally or even via social media. It doesn’t matter who in the business receives a request. Employees all need to be able to recognise them, and know what to do if they receive or spot one. Everyone needs to know time is of the essence, so training is vital. The last thing you need is a delay at the very start because a request wasn’t quickly acted upon.
2. Knowing where our data is
We can’t begin to fulfil requests unless we know where personal data is located across the organisation. Which systems need to be searched (this may differ depending on who is submitting the request)? Do paper filing systems need to be in scope? Do we need to approach suppliers to assist? And so on.
This is where having an up-to-date Record of Processing Activities (RoPA) and/or Information Asset Register (IAR), which states where and how we store data, can really help to speed up the process.
3. DSARs and unstructured data challenges
Searching for personal data within email systems and other internal messaging systems can prove particularly time-consuming. It can throw up an eye-watering number of records, which can take painstaking hours to sift through to identify the relevant personal data.
A clear method for searching unstructured data is essential. Automated tools can make this more efficient and thorough.
4. Adequate resources and cover
Many organisations which receive a significant volume of requests will have a dedicated person or team to handle them. But where organisations have fluctuating numbers of requests, it can be difficult to predict how many people within the organisation need the expertise to handle them.
We need to factor in holidays and the potential for sick leave. Have we got other adequately trained staff, or alternative resources on standby to provide cover, especially if we get higher than routine volumes?
In a recent case in Belgium, the data protection authority ruled that the fact that the person who normally handled DSARs was on long-term absence was not an excuse for a late response. I think other data protection authorities would take a similar view.
It can also pay to clearly allocate responsibilities. Often other people will have to free up their time to help deliver the DSAR process, for example retrieving the data, collating or reviewing it.
5. Robust procedure
Having a clear procedure which walks staff through the key steps and considerations is invaluable, especially for times when key members of staff aren’t available and someone else needs to pick up the reins. Procedures should clearly set out how to retrieve the data, the collation and assessment stage, what to redact (or extract), when exemptions might apply and so on.
To avoid missing DSAR deadlines, and to reduce the risk of complaints escalating into unwelcome regulatory scrutiny, it pays to be prepared. We need to be able to log requests, keep records, effectively retrieve data, manage workflows, review documents, apply redactions and respond on time. This can be done using routine business tools, but where DSARs are becoming unduly time-consuming and costly, technical solutions developed in-house or via an external provider can help to automate and streamline the process.
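As an added illustration of the "log requests, keep records, respond on time" point (example code written for this page, not a tool the article describes), the register below tracks each request's statutory deadline. It models the timing rule the article states: one calendar month from receipt, extendable by up to two further months. The handling of months with no corresponding date (31 January plus one month) and the roll-forward past weekends and holidays follow ICO guidance as I understand it; the holiday calendar is left to the caller, and the sample requests are constructed.

```python
"""DSAR register with statutory deadline tracking (added example).

Assumptions, labelled here rather than in the article:
  * the response is due on the corresponding calendar date one month after
    receipt; if that month is shorter and has no corresponding date, the last
    day of that month applies (ICO guidance);
  * complex requests may be extended by up to two further months;
  * a deadline landing on a weekend or a caller-supplied holiday rolls forward
    to the next working day.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_EXTENSION_MONTHS = 2  # "up to a further two months"


def add_calendar_months(start: date, months: int) -> date:
    """Corresponding date `months` ahead, clamped to the end of the target month.

    31 Jan + 1 month -> 28 Feb (29 Feb in a leap year): there is no 31 Feb.
    """
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def statutory_deadline(received: date, extension_months: int = 0) -> date:
    """One calendar month from receipt plus any extension (at most two months)."""
    if not 0 <= extension_months <= MAX_EXTENSION_MONTHS:
        raise ValueError("extension must be between 0 and 2 months")
    return add_calendar_months(received, 1 + extension_months)


def next_working_day(day: date, holidays: frozenset[date] = frozenset()) -> date:
    """Roll forward past Saturday, Sunday and any holiday the caller supplies."""
    while day.weekday() >= 5 or day in holidays:
        day += timedelta(days=1)
    return day


@dataclass
class DSARRequest:
    reference: str
    requester: str
    received: date
    channel: str  # email, letter, phone, social media ... any channel counts
    extension_months: int = 0
    responded: date | None = None
    notes: list[str] = field(default_factory=list)

    def due(self, holidays: frozenset[date] = frozenset()) -> date:
        """Date the response must actually be sent by."""
        return next_working_day(statutory_deadline(self.received, self.extension_months), holidays)

    def extend(self, months: int, reason: str, today: date) -> None:
        """Record an extension; the requester must be told within the first month."""
        if today > self.due():
            raise ValueError("cannot extend after the original deadline has passed")
        if self.extension_months + months > MAX_EXTENSION_MONTHS:
            raise ValueError("total extension would exceed two months")
        self.extension_months += months
        self.notes.append(f"{today.isoformat()}: extended by {months} month(s): {reason}")

    def is_overdue(self, today: date, holidays: frozenset[date] = frozenset()) -> bool:
        return self.responded is None and today > self.due(holidays)


def overdue_references(register: list[DSARRequest], today: date,
                       holidays: frozenset[date] = frozenset()) -> list[str]:
    """References of open requests that have passed their deadline, oldest first."""
    late = [r for r in register if r.is_overdue(today, holidays)]
    return [r.reference for r in sorted(late, key=lambda r: r.received)]


# Constructed sample register: names and dates are invented for this example.
SAMPLE_REGISTER = [
    DSARRequest("DSAR-001", "A. Example", date(2023, 1, 31), "email"),
    DSARRequest("DSAR-002", "B. Example", date(2023, 3, 15), "social media"),
    DSARRequest("DSAR-003", "C. Example", date(2023, 2, 1), "letter", responded=date(2023, 2, 20)),
]

if __name__ == "__main__":
    today = date(2023, 3, 1)
    for req in SAMPLE_REGISTER:
        print(req.reference, "due", req.due(), "overdue" if req.is_overdue(today) else "open/closed")
    print("overdue:", overdue_references(SAMPLE_REGISTER, today))
```

The "received" date, not the date the request reached the DSAR team, drives the deadline, which is why the staff-awareness point above matters: a request that sits unrecognised in a shared inbox for a week has already consumed a week of the month.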