Best Tips on How To Respond to a Data Subject Access Request
If your company receives a data subject access request (DSAR), it is important to respond promptly and correctly. Failing to do so can result in penalties from the Information Commissioner’s Office (ICO). In this blog post, we will provide you with tips on how to respond to DSARs in a timely and efficient manner.
What is a Data Subject Access Request (DSAR)?
A DSAR is a request from an individual for the information an organization holds about them. This could include their name, contact details, or any other personal data the organization has on file. The GDPR gives individuals the right to make a DSAR, and organizations must respond within one month.
If an individual makes a DSAR verbally, the organization must provide them with written confirmation within five days. There are some exceptions to the right to make a DSAR, including national security or criminal investigations. However, in most cases, individuals have the right to access their data. If you have any questions about making a DSAR, contact your local Data Protection Authority.
Key Tips for Responding to a DSAR
Here are some tips to help you respond effectively:
- Read the DSAR Carefully: When you receive a DSAR, take the time to read it carefully. This will help you understand what information the individual is requesting and whether or not you can provide it.
- Check The Requestor’s Identity: Before fulfilling any DSAR, you should check the requestor’s identity to ensure they are who they say they are. This can be done by asking for a government-issued ID or confirming their identity through another method.
- Determine If The Request Is Valid: Once you have verified the requestor’s identity, you will need to determine if the request is valid. This means ensuring that the individual has a right to access the requested information under data protection law.
- Collect The Requested Information: If you determine that the DSAR is valid, you will need to collect the requested information. This may require working with other departments or individuals within your organization who have access to the relevant data.
- Prepare The Response: Once you have collected all the requested information, you will need to prepare your response. This should include a cover letter outlining the information provided and any supporting documentation.
- Review The Response: Before sending your response, review it to ensure that all of the requested information is included and accurate. You should also check that nothing in the response could harm the individual or expose their data.
- Send The Response: Once you have reviewed and finalized your response, you will need to send it to the requestor. This can be done by mail, email, or another method specified in the DSAR.
- Keep A Record Of The Request And Response: It is important to keep a record of both the DSAR and your response in case of any questions or issues. This will also help you track all the DSARs you have received and responded to.
- Seek Help If You Need It: If you are unsure how to respond to a DSAR or have any other questions, seek help from a qualified data protection professional. They will be able to advise you on the best way to proceed and ensure that your response complies with data protection law.
- Keep it simple and clear: The individual has a right to know what personal data is being held about them, why it is being held, and how it is being used. You should provide this information clearly and concisely.
- Be transparent: Be upfront about the process and what the individual can expect from you. Let them know if there will be any delays in getting their request fulfilled and why.
- Don’t try to hide anything: The individual has a right to all the information you hold on them, so don’t try to withhold anything. This will only damage your relationship with the individual and could lead to legal action.
- Keep it confidential: All information provided in response to a data subject access request must be confidential. This includes both the request itself and the information you provide in response.
- Respond within the time limit: You must respond to a data subject access request within one month of receiving it. If you can’t meet this deadline, let the individual know and explain why.
- Provide the information in a format that is easy to understand: The individual has a right to receive their data in a format that is easily readable and understandable. Avoid jargon or technical language wherever possible.
- Don’t make assumptions: Every data subject access request is different. Don’t make assumptions about what the individual wants or needs or how they will use the information you provide.
What Information Should be Included in a DSAR Response
A Data Subject Access Request (DSAR) response should include all personal data held on an individual. This data should include any information that could be used to identify an individual, such as their name, address, date of birth, or contact details.
In addition, the response should include any information collected about an individual, such as their browsing history or purchase history. Finally, the response should also explain what steps have been taken to protect an individual’s data from being accessed by unauthorized individuals.
By providing this information, a DSAR response helps ensure that an individual’s data is both protected and handled transparently.
Tips for Compiling and Reviewing Data Subject Access Requests
The GDPR imposes strict obligations on organizations to handle personal data, including subject access requests (SARs). Here are our top tips for compiling and reviewing SARs:
- Ensure you have a dedicated team or individual responsible for handling SARs. This will help to ensure that requests are dealt with promptly and in accordance with the GDPR.
- Put procedures in place for dealing with SARs, including a clear process for identifying the data subject, verifying their identity, and locating the relevant information.
- Respond to SARs within one month unless there is a good reason for extending this period. If you need to extend the timeframe, you must notify the data subject within one month of receipt of their request.
- Make sure you have a system in place for keeping track of requests and ensuring that they are dealt with promptly.
- Be as specific as possible when responding to SARs, particularly with the information you are providing and the reasons for any decisions you have made.
- If you intend to withhold information from a data subject, be aware that you must have a valid legal basis for doing so.
- Keep records of all SARs received, including details of how they were handled and the outcome. This will help you identify areas where your processes could be improved.
- Review your procedures regularly to ensure that they are fit for purpose and compliant with the GDPR.
- Be prepared to deal with complex SARs, which may require you to search through a large volume of data. This can be time-consuming and resource-intensive, so planning is important.
- Seek legal advice if you are unsure about how to handle a SAR or if you believe that the request is unfounded or excessive.
Dangers of Not Responding to a Data Subject Access Request
If you choose not to respond to a data subject access request, you may breach the GDPR. This could result in a fine of up to €20 million or four percent of your global annual revenue, whichever is greater. Additionally, you may be required to pay damages to the individual who submitted the request.
Not responding to a data subject access request also puts your organization at risk of reputational damage. If word gets out that you are not complying with the GDPR, individuals may lose trust in your organization and choose to take their business elsewhere. This could have a significant impact on your bottom line.
Additionally, failing to respond to a data subject access request could hinder your ability to comply with other GDPR requirements, such as data minimization and data accuracy. If you do not have the information requested, you will not be able to comply with these principles. This could lead to additional fines from the supervisory authority.
Finally, if you receive a data subject access request from an individual who is also a customer or employee of your organization, not responding could jeopardize that relationship. The individual may feel you do not value their privacy and choose to end their association with your organization.
As you can see, many risks are associated with failing to respond to a data subject access request. If you receive such a request, it is important to consult with legal counsel to ensure that you are taking the appropriate steps to comply.
Responding to a data subject access request can be daunting, but it’s important to comply with the law. By following these tips, you’ll be able to respond to such requests promptly and correctly. Have you ever dealt with a data subject access request? What was your experience? Let us know!
Cosmas is a technology enthusiast who advocates for safe internet browsing and interactions. He is also a technical writer with 4 years of experience in the technology industry helping SaaS businesses. During his free time, Cosmas is on the lookout for technology trends to cover in his next writing quest.