There has been a rise in the number of Data Subject Access Requests (DSARs) and complaints regarding the handling of DSARs received by the ICO. During the period of 2021-2022, a total of 30,000 complaints were received by the ICO, and most of them were from the general public. The complaints raised concerns about the privacy of personal data and how it was being handled. Among these complaints, the “right of access” topped the list, as information requests were taking too long to be fulfilled.
Despite good intentions, organisations are still struggling to comply with DSAR requirements and respond within the mandated timeframe. Large companies, including a major telecommunications provider, government departments, and councils, as well as small businesses, have been reprimanded by the ICO for delayed responses. In some cases, responses have taken up to 12 or even 23 months, causing significant distress to data requesters.
In this blog, we will examine subject access requests in greater depth and offer suggestions on how to handle them effectively, accelerating the entire DSAR process.
What is a DSAR?
To begin with, let’s have a brief refresher on what a Data Subject Access Request (DSAR) is. A DSAR or subject access request (SAR) is an individual’s right, under GDPR (or UK GDPR), to access their personal data and receive a copy of that data together with supplementary information. Under the UK GDPR, SARs must be responded to promptly and within one month of receipt. Requests can be submitted verbally, in writing, or via social media.
What is covered by a DSAR? What is involved in a DSAR process?
Data subject rights
DSARs can cover a wide range of data subject rights. For instance, under GDPR, data subjects have the right to access and receive a copy of any personal data held on them. Other individual rights include the right to rectify inaccurate personal data and the right to have personal data erased, all of which must be responded to within one month of the request to ensure DSAR compliance. In total, there are eight rights defined under GDPR:
- Right to be informed (Articles 13 & 14)
- Right of access (Article 15)
- Right of rectification (Article 16)
- Right of erasure/right to be forgotten (Article 17)
- Right to restrict processing (Article 18)
- Right to data portability (Article 20)
- Right to object to data processing activities (Article 21)
- Rights related to automated decision making, including profiling (Article 22)
The actions required for DSAR compliance depend on the specific right being requested.
The correct DSAR process response
When responding to DSARs, various steps may need to be taken, such as providing data summaries or deleting and correcting records. In certain cases, the process may extend beyond the organisation itself. For instance, if a request to opt-out of data transfer to third parties (data portability) is made, steps must be taken to ensure its implementation and subsequent deletion of any personal data held by third parties.
Timely response is crucial for DSAR compliance, taking into account the applicable laws in your country or countries of operation. Time frames for DSAR compliance can vary. For example, under the California Consumer Privacy Act (CCPA), subject access requests must be responded to within 45 calendar days, whereas the EU and UK GDPR require a response within one month of receiving the request.
Who is allowed to submit a DSAR?
Now, let’s consider who can submit a DSAR besides the data subject themselves. The requester need not be the data subject: they may be a parent or guardian of the subject, or a court-appointed official with power of attorney handling the subject’s affairs. Prospects, customers, employees, and contractors all possess the same data subject rights. For companies operating internationally, it is essential to examine the subject access rights in each country of operation and ensure compliance with the relevant data privacy regulations in order to respond effectively to requests from any of these groups.
Required information to be provided as part of the DSAR process
As part of the DSAR process, certain information should be provided.
Upon receiving a data subject access request, you are required to confirm that you are processing personal data. “Personal data” refers to any information that is related to an individual or can be used to identify them. This may include personal details, email communications, medical records, or HR records. In addition to the confirmation, you should supply a copy of the personal data requested, along with other relevant information, such as:
- The purpose of processing the personal data
- Categories of personal data that you are processing
- The source of the personal data (if it was not collected directly from the subject)
- Any third parties that your organisation has shared the personal data with
- How long your company retains the data for
- Information on any automated decision making and profiling
- Confirmation of the subject’s eight GDPR rights
- Contact details for your data protection officer
To achieve DSAR compliance, it is essential to review the data regulations applicable to the countries where you operate. For comprehensive guidance on fulfilling a DSAR in the UK, you can find detailed information on the ICO website.
Responding to DSARs
Now, let’s address the question of whether you are obligated to respond to a DSAR and provide all the requested information.
Firstly, you need to determine the nature of the information being requested and ascertain whether it qualifies as “personal data” under GDPR or similar regulations. The ICO offers a helpful guide for determining what constitutes “personal data.” In certain circumstances, you may have grounds to refuse the request, for instance if the request is manifestly unfounded or excessive, or if it overlaps with another request that has already been submitted.
DSAR process challenges
Understanding DSAR compliance and how to respond is only one aspect; delivering a cohesive response within the DSAR process brings its own challenges. Companies of all sizes face difficulties because data is stored in numerous locations, there are large volumes of data to manage, multiple IT systems and applications house data, third parties are involved in data processing, and regulations and response timeframes for DSARs vary worldwide. These challenges are not insurmountable, and in the next section we will explore seven steps to handle and expedite DSARs effectively.
How to handle a data subject access request
To handle a data subject access request, follow our step-by-step guide to enhance efficiency and ensure DSAR compliance. Firstly, it is advisable to designate a staff member as the data protection lead, responsible for overseeing the DSAR process. If you are a data processor, it is crucial to have a contract in place with the data controller and establish a process for handling DSARs collaboratively.
Step 1 – Confirm the identity of the subject and acknowledge receipt of the request.
Begin by confirming the identity of the person making the request to ensure you have the requested data and can securely distribute it. Perform a quick yet proportionate identity check, requesting verifiable ID or information known only to the requester (such as reference numbers or appointment details). It is crucial to prevent data breaches by ensuring information is not sent to the wrong person. If the DSAR is made on behalf of someone else, verify their authority to access the data.
Step 2 – Is the DSAR valid?
Carefully review the request, comparing it against the data subject access rights. Ensure that the information you provide is exactly what was requested. Remember that certain circumstances might exempt the request, such as if it overlaps with another request or if it is deemed “manifestly unfounded.”
Step 3 – Accumulate the data
Gather all pertinent data records from across your organisation. Conduct a thorough search across computer systems, applications, emails and folders, social media platforms, external storage devices (e.g., hard drives, tablets, memory sticks), and recordings like CCTV footage and phone calls. We will discuss ways to expedite this aspect later in the blog.
Step 4 – Perform a thorough check of the data records
Before sending the information, meticulously review it to ensure it does not contain personal data concerning individuals other than the requester.
Step 5 – Redact where required
Redact any information that falls outside the scope of the DSAR. For example, if an email pertains to the requester but also includes personal data about other people, redact the irrelevant information. Redaction can be achieved by blacking out non-relevant personal information or by copying and pasting the relevant data into a separate document before sending it. Whichever method you use, confirm that the redacted text has genuinely been removed from the file you send rather than merely hidden behind an overlay that can be lifted.
Step 6 – Clarify the subject’s rights
In addition to the supplied information, it is beneficial to remind the requester of their data privacy rights. Inform them that they can object to or request rectification of their data. Also, make them aware that they can lodge a complaint with the appropriate body (e.g., the ICO in the UK) if they are dissatisfied with how their DSAR was handled.
Step 7 – Provide the requested data to the subject
Once the data has been sent, it is vital to document and maintain an audit trail of all steps taken during the process. Keep records of communications between the requester and your company, as well as details of the information sent and when it was sent.
If you are based in the UK or do business in the UK, the ICO offers further useful resources, including an overview of DSARs and comprehensive guidance on the right of access.
Improving and expediting the DSAR process
To enhance the efficiency of the aforementioned steps and ensure timely completion of the DSAR process, the SecurEnvoy Data Discovery tool can be utilised. This tool assists in accelerating the review, collection, and packaging of data, streamlining the process and facilitating DSAR compliance.
In steps 3 and 4, SecurEnvoy Data Discovery automates the identification, retrieval, and organisation of requested data, regardless of its location within the organisation’s systems. This significantly speeds up the process and aids in meeting DSAR requirements.
By employing data discovery tools like SecurEnvoy, you gain additional time within the designated response period. This extra time can be utilised effectively in steps 1 and 2, where you identify the requester and the specific information being requested, as well as in steps 4 to 7, involving the thorough review, verification, and secure transmission of the requested information back to the requester.
Speed up DSAR compliance with SecurEnvoy Data Discovery! Request your free trial today.