Data Subject Access Requests - Part Two

Phil Brown, Norfolk's Data Protection Mardler
Receiving a DSAR

If you are a business owner, you could be on the receiving end of a Data Subject Access Request (DSAR). This is a request from an individual who wants to know what personal data, if any, you hold about them and, where you do hold some, to receive a copy of it. You don't have to know that person or even have done business with him or her, but you do need to know how to respond to such a request.

In part one, the MD of WidgetsRU had just read a DSAR, some 3 weeks after it had been received by the company. If he had the chance, he would do well to read part two of this blog. It covers what the law says around DSARs, how you can prepare to respond before you receive a DSAR and what you should consider doing once you have received one. 

So, what does the law say? 

If you want to look at the details then I refer you to Articles 12 and 15 of the GDPR and the associated recitals (63 & 64), but to save you the effort I have paraphrased the key points below:

  • You must respond within one calendar month from the day you receive the request. If the deadline falls on a weekend or a bank holiday, then the next working day applies. Although the GDPR does not state this, the current ICO guidance is that the clock only starts ticking once you have confirmed the identity of the requester, BUT this does not give you an excuse to delay establishing who the requester is;
  • For complex or multiple requests, you may extend the deadline by up to two further months, but you must tell the requester within the first month that you are doing so and why. It should be noted that the term 'complexity' relates to the request itself, not to the effort involved for you to provide an answer;
  • Before taking any positive action, you need to be sure that you are dealing with the right person, which means doing some form of identity check. It's your choice how this is done, but you should be wary of collecting even more personal data from the individual just to prove they are who they say they are;
  • Requests that are 'manifestly unfounded' or 'excessive' may be refused, or a reasonable fee charged for them, and you must tell the requester why within the time limit. Unfortunately, these terms are not defined, but to most businesses the situations will be obvious. An example could be where a business is subject to an organised deluge of DSARs in a very short time period;
  • The default position is that you cannot charge the requester a fee for undertaking your response. You may charge a reasonable administrative fee if, for example, multiple copies of the response are requested; and
  • Providing a response should not adversely affect the 'rights and freedoms' of others, including trade secrets or intellectual property. This is a reason to withhold the affected material, not a reason to refuse the whole request.
Avoiding the shock – how to make your life easier

It is unlikely that you will want to employ a full-time staff member just to handle these requests especially as, for the moment at least, they are infrequent. However, when a request is received, someone’s time is going to be diverted from their day job to deal with it. Just one request can be hugely resource intensive and very distracting. 

It follows that if you are prepared, the disruption to your business is going to be reduced, hopefully to a manageable level. Below, you can find a list of points to consider ahead of receiving your first request:

  • Review your fair processing notice (privacy policy/ statement) and improve it. Having a mature notice will do much to instil a sense of confidence that you are doing things properly. This may even discourage someone from making a DSAR in the first place;
  • Make sure you know where your data is and follow your own retention rules. If you can lawfully reduce the amount of personal data you are storing, then you are reducing your liability as well as the effort of trying to retrieve it; 
  • Make sure you understand what comprises personal data. Sometimes it is not as straightforward as you may think, especially when you consider the context in which it is being processed;
  • Devise a means for receiving DSARs in formats that are convenient for you. For instance, provide a downloadable form on your website – but note, you cannot insist it is used;
  • Make sure your staff are trained to recognise DSARs and that they know to whom the requests should be directed so no time is lost internally. Bear in mind that DSARs can be sent by a requester’s representative so even more checks will be needed;
  • Develop a strategy for confirming the requester's identity, for example by asking for photo ID. If you will be asking for more personal data than you currently hold, consider creating an associated privacy notice just to deal with this very scenario;
  • Apportion responsibilities for the process including who it is in your organisation that makes the decision to release personal data, for instance, or even to decline a request;
  • Create an action plan or flow chart based on a variety of scenarios which identifies the staff members who will be involved in providing the response;
  • Conduct a series of dummy requests that involve the relevant staff members, so they are familiar with the process when requests are received; and
  • Create simple spreadsheets to track the progress of DSARs and adopt a systematic approach to their completion. 
What should you do when you receive a DSAR?

Put your plan into action and:

  • Determine the scope of the request and, if necessary, try to narrow it down by asking the requester for more information; this may save you a lot of time and work;
  • Check to see whether exemptions apply. This could save you a lot of time and effort, but you will need to know where to look for these (basically the GDPR and the Data Protection Act 2018). If they do apply you will still need to inform the requester of your findings within the time limits laid down; and
  • Keep a record of all correspondence, emails, calls with the requester as well as the actions taken by you, from the start of the process to its conclusion. 

Fraud Warning: You need to be sure that, before releasing any information, you are dealing with the right person, because there are bad people trying to exploit this 'right'. One common approach is to impersonate a genuine customer by simply altering the format of the email address: for instance, changing an 'o' to a zero or inserting full stops into names. The displayed sender name can be faked just as easily, so check the actual address, and wherever possible reply to the contact details you already hold on file rather than to whatever address the request came from. This means that training your staff to double check the source of a request is essential. Giving someone's personal data to the wrong person is a data breach in itself!
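The lookalike-address trick above is easy to miss by eye but easy to check by machine. The following is an added example, not part of the original post or any product the author uses: it reduces an email address to a comparison key (Unicode folded, lowercased, dots and plus-tags stripped from the local part, common confusable characters mapped back) and screens each inbound DSAR sender against the contact addresses a business already holds. The confusable table, the customer directory and the inbound senders are all constructed for illustration; extend the table for the alphabets your own contacts use.

```python
"""Screen the sender address of an inbound DSAR against the contacts you
already hold, flagging lookalike addresses (o->0, inserted dots, Unicode
homoglyphs) that an impostor might use to harvest someone else's data.
Added example; the confusable table and the sample directory are constructed."""
import unicodedata

# Constructed table of characters commonly swapped for a lookalike.
# Assumption: this covers the substitutions described in the article plus a
# few Cyrillic homoglyphs; extend it for the alphabets your contacts use.
_CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
})


def canonical(address: str) -> str:
    """Reduce an address to a comparison key.

    Steps: NFKC normalisation (folds full-width and similar variants),
    case folding, stripping dots and a '+tag' from the local part (many
    providers ignore these or let the user choose them, so they cannot
    distinguish senders), then mapping confusable characters. Two addresses
    with equal keys look alike to a human even if they are different mailboxes.
    """
    address = unicodedata.normalize("NFKC", address.strip()).casefold()
    local, _, domain = address.rpartition("@")
    local = local.split("+", 1)[0].replace(".", "")
    # Keep dots in the domain: example.co.uk and examplecouk are not the same.
    return f"{local.translate(_CONFUSABLES)}@{domain.translate(_CONFUSABLES)}"


def screen_sender(sender: str, directory):
    """Classify a DSAR sender against the contacts on file.

    Returns (verdict, matched_contact):
      ("match", addr)      exact address already on file
      ("lookalike", addr)  not on file, but confusable with a contact: treat
                           as suspicious and verify through the address on file
      ("unknown", None)    no resemblance to any contact; run normal ID checks
    """
    known = {addr.strip().casefold() for addr in directory}
    wanted = sender.strip().casefold()
    if wanted in known:
        return ("match", wanted)
    by_key = {canonical(addr): addr for addr in known}
    hit = by_key.get(canonical(wanted))
    if hit is not None:
        return ("lookalike", hit)
    return ("unknown", None)


# Constructed sample directory and inbound senders for a stand-alone run.
CUSTOMER_ADDRESSES = [
    "john.smith@example.com",
    "jane.doe@example.com",
]

INBOUND_DSAR_SENDERS = [
    "john.smith@example.com",        # genuine customer
    "j0hn.smith@example.com",        # o -> zero
    "jo.hn.sm.ith@example.com",      # extra full stops
    "jane.doe@examp1e.com",          # l -> one in the domain
    "j\u043ehn.smith@example.com",   # Cyrillic o in place of Latin o
    "someone.else@example.org",      # no resemblance to anyone on file
]


def triage(senders, directory):
    """Screen every sender; returns a list of (sender, verdict, matched)."""
    return [(s, *screen_sender(s, directory)) for s in senders]


if __name__ == "__main__":
    for sender, verdict, matched in triage(INBOUND_DSAR_SENDERS, CUSTOMER_ADDRESSES):
        print(f"{verdict:9s} {sender!r:38s} -> {matched}")
```

A "lookalike" verdict is not proof of fraud (people do change mailboxes), but it is a strong signal that the identity check should go through the contact details already on file rather than back to the sender. A check like this belongs alongside, not instead of, the photo-ID or similar verification described earlier.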

Understanding what you need to do when faced with someone exercising their rights is not optional, because you have legal responsibilities. DSARs are much easier to make than to respond to. Having measures in place before requests arrive is, without doubt, the best approach. Time saved through preparation is time that your staff can use to run your business more productively, and that must be a good thing!

Phil Brown – Norfolk’s Data Protection Mardler
