Whether you own a large multinational company, or a small local bakery, the General Data Protection Regulation (GDPR) applies to you regardless of size, sector, or area. Even though the UK has left the EU, the UK has decided that the GDPR is to be retained in the UK, so British businesses still fall within its purview.

What is a Data Subject Access Request? 

As well as understanding what the data protection rules entail, it is also important to know how to deal with a Data Subject Access Request (DSAR). This type of request, otherwise referred to as the ‘right of access’, is one of the 8 rights contained in the GDPR.

A DSAR can be submitted by anyone whose personal information is processed by a company (a data subject). The company is required to respond to such a request within one calendar month, or there is a risk of fines and regulatory consequences.

These types of requests can prove to be burdensome for a company, especially if the organisation holds large amounts of personal data which are not easy to collect.

How do I respond to a DSAR? 

1. I) Verify the identity of the person making the request: 

You can ask for information, such as identification, to verify the requester’s identity. This avoids the risk of sending personal information to the wrong person, leading to a data breach. The timescale for responding to a DSAR does not begin until you have received the requested information.

1. II) Identify what exactly the person is requesting: 

According to the Information Commissioner’s Office (ICO), if you process a large amount of information about an individual, you may be able to ask them to specify the kind of information that their request relates to, if it is not clear.

The subject could be requesting their data, enquiring about how their data is processed, or the request could refer to the right of rectification or erasure (amending or deleting personal details).

Examples of what you may need to collect are:

1. a) the subject’s personal file
2. b) emails between the subject and the company
3. c) any records relating to the subject
4. d) CCTV footage of the subject, and / or
5. e) financial statements related to the subject.

Please note that this list is not exhaustive, and that the provision of additional information, such as the data’s retention period, and the source of the data, is also required after receiving a DSAR.

III) Evaluate the request 

It is possible that, due to the amount of material covered by the request, it is difficult to adhere to the original, one-month limit. If this is the case, The ICO might deem it necessary to extend the data collection period for up to 2 more months. The business may also be entitled charge a fee.

1. IV) Collect and review the data 

After collecting all the relevant data, it is crucial that any data relating to other people’s personal information is redacted to avoid breaches. Additionally, private information relating to the company, such as internal notes, should also be redacted, as they are not covered under a DSAR request.

Finally, it is important to note that the ICO states clearly “You should make reasonable efforts to find and retrieve the requested information. However, you are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information.”

1. V) Provide the requested data in an accessible form 

There is no required format for providing your subject with their personal data. However, companies should ensure that they provide the requester with an easily accessible file. In fact, it is good practice to establish the individual’s preferred format prior to fulfilling their request.

1. VI) Inform the data subject of their rights 

Explain to the subject what exactly their rights are, including their right to make a complaint to the Information Commissioner’s Office (ICO), if they deem it necessary.

Some useful tips:   

• Ensure your business has appropriate procedures in place for storing data and dealing with DSARs. It’s preferable to do this when you’re setting up your business.
• Be aware of what personal data you process, and ensure you only hold what is necessary. Consider using GDPR compliance software to assist with this.
• Ensure that all your employees are trained in GDPR regulations, and are aware of your company’s internal data collection processes. It is the employees who are most likely to be on the receiving end of a DSAR, and as a customer may not specifically say “DSAR” when requesting their information, it is the responsibility of the employee to identify a request and ensure that it is taken into account. It is also the employees who must identify possible data breaches, so training is of the utmost importance in ensuring compliance.
• In addition to this, make sure that your business has a Data Protection Officer (DPO) – someone within your business is fully aware of GDPR regulations. When a DSAR is received, ensure that the DPO knows immediately.
• Be aware of the timeframe for resolving a DSAR request (30 calendar days).
• Review your compiled data before sending it, including any potential redactions.
• Familiarise yourself with any exemptions in the GDPR.
• Ensure that emails to data subjects are sent securely.