A key component of the General Data Protection Regulation (GDPR) is the ‘Right of Access’. This is your right, and mine, to obtain a copy of all personal data a company or organisation processes and stores.
Individuals have the right to obtain the following:
- Confirmation that you (a company or organisation) are processing their personal data,
- A copy of their personal data, and
- Other supplementary information such as the purpose of your data processing (scroll down for a list of supplementary information).
When an individual wants to request this information, it’s known as a Data Subject Access Request or DSAR. You may also see it referred to as a SAR, dropping the ‘data’, although that’s the important bit!
Why would an individual want to request their data?
It’s helpful to understand why the right to access is part of GDPR and data privacy legislation, as this can help you explain to business leaders why they need to take DSARs seriously.
GDPR and the Data Protection Act 2018 (the UK’s implementation of GDPR) update our data protection legislation for a digital age. It’s very difficult to live in a digital age without sharing your personal information and leaving a data trail wherever you go - both on and offline.
With so much PII (Personally Identifiable Information) in other people’s hands, it’s only right that individuals have a way to get visibility on what information organisations, businesses and government have on them, and get reassurance that it’s being protected appropriately.
Since GDPR came into force, awareness has increased amongst the general public too. The Cambridge Analytica scandal has also highlighted what some organisations are doing with this data, as well as other stories that have made the headlines such as the recent EasyJet data breach. As a result, DSARs are on the increase as individuals know what their rights are and are justifiably concerned about data privacy. We’re also seeing a spike in DSARs during the current crisis, which could be because people have more time to initiate a subject access request.
Individuals don’t need to give a reason to submit a DSAR. And the only questions an organisation may ask when a DSAR is submitted are to verify the individual’s identity or for information that will help locate the requested data.
What do DSARs look like?
There are no formal guidelines on how an individual instigates a DSAR. They can ask you verbally or in writing. Even if you have developed a DSAR process for individuals, they don’t have to adhere to it. Therefore, you could receive a DSAR via social media, email, messaging app, phone call or by letter. It doesn’t have to be sent to a specific person within the organisation either, such as your DPO. So, an individual could in theory make this request to a member of staff in a store, or your IT support team could receive a DSAR via a chatbot or as a support ticket.
Companies must comply with a request without undue delay and at the latest within one month of receipt of the request; or (if later) within one month of receiving any information requested to confirm the subject’s identity, or (in exceptional circumstances) a fee. For this reason, it really is essential that all customer-facing staff understand what a DSAR is and who to escalate a request to so it can be responded to within this strict timeframe.
Many companies include a form on their website for an individual to complete to submit a DSAR. This can make it easier for you to recognise a DSAR and for the individual to provide the information you need to identify their PII. Recital 59 of the GDPR recommends that organisations ‘provide means for requests to be made electronically, especially where personal data are processed by electronic means’.
However, providing a form does not override the individual’s right to initiate a data subject access request by other means. You must make it clear that completing the form is not compulsory, and you must not use it as a way to delay your response.
Fees and Data Subject Access Requests
In normal circumstances you cannot charge a fee for complying with a DSAR. However, if the request falls under one of these 2 factors, a ‘reasonable’ fee to cover administrative costs can be charged:
- The DSAR is manifestly unfounded or excessive; or
- An individual requests further copies of their data following a request.
In these situations, the 1 month clock starts when you receive payment, although you must respond promptly to the initial request to inform the individual of the fee.
8 steps to comply with a DSAR
The following graphic takes you through the steps from DSAR to handing over the information requested:
As well as a copy of their personal data, companies and organisations must also provide individuals with the following information:
- The purposes of your processing,
- The categories of personal data concerned,
- The recipients or categories of recipient you disclose the personal data to,
- Your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it,
- The existence of their right to request rectification, erasure or restriction or to object to such processing,
- The right to lodge a complaint with the ICO or another supervisory authority,
- Information about the source of the data, where it was not obtained directly from the individual,
- The existence of automated decision-making (including profiling),
- The safeguards you provide if you transfer personal data to a third country or international organisation.
Much of this information may already be included in your privacy notice.
Is your organisation in good shape to respond appropriately to DSARs?
For many organisations a DSAR is more of a threat to business than the ICO’s much publicised fines for non-compliance.
The cost of responding within one month to a DSAR can run into the tens of thousands of pounds if you’re not prepared. Data discovery, especially if you need the support of a consultancy firm, is expensive and time-consuming – taking your IT team away from projects and support roles in the race to comply in the one month timeframe.
There is also an alarming trend in DSARs being ‘weaponised’ by disgruntled employees to disrupt business, damage companies’ reputations and hit former employers in the pocket. Cases of employment lawyers advising their clients to initiate a DSAR are not unheard of.
Companies that have the tools and processes in place to respond to DSARs quickly and with the minimum of disruption, and cost, to normal business are at an advantage. Never more so than in this challenging time, when business as normal looks very different, with many employees working remotely and handling PII from their own desktops and devices.