Data Subject Access Requests – 10 Quick Tips
Handling DSARs efficiently and effectively
DSARs can be challenging to handle and complete on time, especially when you get one from a disgruntled ex-employee with a grievance.
While it’s clearly important for people to be able to request and receive a copy of their personal data, I fully appreciate how tricky they can be to fulfil. Prior to joining the DPN more than seven years ago, I used to handle them myself and now I spend a fair bit of time helping clients with the requests they receive. Without further ado, here are my quick tips.
Ten Quick DSAR Tips
1. Staff Awareness
A request can come into any part of the business. Requests can be made in writing, verbally or even via social media. We’re told that, however they come in, they’re valid. Customer-facing staff and others need to know how to recognise them and what action to take. And not all requests for information will be a DSAR.
2. It’s not a right to documentation!
People have the right to request a copy of their personal data, but they don’t have the right to receive reams of documents which might contain just their name or email address, or in part relate to them. You can extract relevant personal data from documents and emails, as long as the context is made clear.
3. Always acknowledge DSARs
Quickly acknowledge any request. It can also be helpful to explain a little more about what they can expect to receive. This can save issues further down the line if the individual doesn’t get what they expected to. Always be personable and polite, even if they aren’t!
4. Diarise response date
Be sure to set the date for when the DSAR must be fulfilled by. This is one calendar month from the date you received it. You can start the clock after you’ve received any necessary confirmation of their identity. You can pause the clock if you need to seek further clarification.
5. Talk to the requester
Don’t always sit behind the comfort of an email. A telephone call may be a novel suggestion, but in my experience actually speaking to the person (if they are happy to take your call) can make a huge difference.
6. Be wary of requests from third-party portals
Increasingly, organisations are receiving DSARs and other privacy rights requests via third-party portals which offer to submit the requests on behalf of individuals. Sometimes multiple requests can be received at once. You have a responsibility to check these requests are genuine, and to be sure the individual is who they say they are and the third party has the authority to act on their behalf.
I’ve written more about this here: Managing Erasure Requests or DSARs via Third-Party Portals
One person, or indeed the data protection team, can’t fulfil these requests on their own. Make sure others who’ll need to support in gathering relevant information understand their responsibilities, and in particular the need to prioritise any actions. The clock keeps ticking and a calendar month can race away.
8. Share the knowledge
What happens if the person who routinely handles requests is off sick? Or the person from the IT team who knows how to gather the data is on holiday? Make sure other people are familiar with the process, and have a clear written procedure others can pick up if necessary.
9. Don’t forget the exemptions
There’s information you can legitimately withhold. The exemptions are there for a reason – to cover information you’ve good reasons for not disclosing. This might be information relating to other individuals, details subject to legal privilege or commercially sensitive information. Sometimes you’ll be obliged to rely on an exemption, other times you may choose to rely on one or not. Be sure to tell people if you’ve used one (or more) and why.
The ICO’s Right of Access Guidance covers the exemptions and links through to relevant sections in the Data Protection Act 2019.
10. Respond securely
The last thing you want is to cause a potential data breach when responding to a DSAR! It can be helpful to liaise with the individual about how you send the data to make sure this will work for them. While secure sending is crucial, you shouldn’t make it difficult for them to access.
Hmm, should I have done more than 10 tips? Be proportionate when asking for proof of ID, consider the privacy of others… and I could go on. Check out our DSAR Guide for more information.
Often DSARs are straightforward, but sometimes they’re a minefield. Having a clear procedure can go a long way to making sure things run as smoothly as possible.