Data Subject Access Requests: Guide for Organisations and Individuals
As our lives become more and more intertwined with the online world, so does our data – and we now have a right to know how it is used or processed.
Data Subject Access Requests (DSARs) are not a new concept, but as the General Data Protection Regulation (GDPR) has made it easier for individuals to request information, it’s now harder for organisations to respond.
In this post, we’ll cover both sides of a data subject access request – the subject making the request, and the organisation complying and responding. Best of both worlds!
What is a Data Subject Access Request (DSAR)?
A data subject access request (DSAR) is a written or verbal request for the personal data an organisation holds about an individual, which that individual is entitled to ask for under UK GDPR. When a subject submits a request for personal data, the organisation must send a copy unless an exemption applies.
Contents:
Part 1: Subject Making the Request
- Who can make a request?
- What information can you request?
- How to make a DSAR
- What happens after the request is sent
Part 2: Organisation Complying and Responding
- How to recognise a DSAR
- Who should respond?
- 5 key steps to complying and responding
- How to locate the right data
Part 1: Subject Making the Request
Who Can Make a Request?
Everyone in the UK has the legal right to make a DSAR, which you can exercise for free in most circumstances following changes to data protection rules under the Data Protection Act 2018 (DPA 2018).
For example, if you think an organisation is processing your data unlawfully, or if you want to know what personal data an organisation holds about you, you have the right to make a DSAR to review or verify the processing of your own data. DSARs are not limited to customers either: if you are a contractor, employee or sales prospect, you are also allowed to submit a request if you think the organisation is storing personal data about you.
You can also make a request on behalf of someone else, but this means that you act on behalf of that person for the whole process.
What Information Can You Request?
You can use DSARs to find out:
- Personal information an organisation holds about you
- Who they share it with
- Where they got it from
- How they are using / processing it
Requests for personal information and data have a one-month deadline.
How to Make a Data Subject Access Request
When it comes to Data Subject Access Requests (DSARs) in general, there is no specific form to complete or format for submitting a request. You can simply write a letter, send an email, contact the organisation on social media or telephone them to ask for the information you are looking for.
Before you send an email or make a call to the first contact detail you find for the company, try to find the right department or address so that your request doesn’t go missing in an inbox or voicemail. Make it clear what information you are looking to receive, and include all the details they need to get in touch with you to deliver it.
Here’s a quick checklist of things to include:
- Your contact details, e.g. full name, phone number, and any identifier the organisation uses to distinguish you from someone else with the same name, such as an account number
- Reference the one-month deadline that applies to DSARs
- A clear list of what personal data you would like to access
- Any extra details that will help the organisation identify your needs and data
- How you would like to receive the information – this could be emailed or printed
When writing your request, it’s important to note that you do not have to explain your reason for making the request or what you intend to do with the data you receive.
How many requests can one submit?
An individual can submit as many requests as they like, but be aware that there are exemptions in place, especially for vexatious subject access requests. To assess whether a request is vexatious, the DPA permits organisations to consider the context, previous contact history and identity of the individual.
What Happens After the Request is Sent?
The organisation should be in contact with you within one month of receiving the DSAR, but if the request is complex and requires more time, the organisation is allowed to extend this period by another two months with an explanation as to why.
Be sure to keep a copy of your request and a note of how you sent it, in case you later need to complain to the Information Commissioner’s Office (ICO) because the information you receive is not what you asked for.
Note: If an organisation tries to charge you a fee, inform them that as of 25 May 2018 it is law in the UK that any kind of subject access request can be made for free.
Part 2: Organisation Complying and Responding
If you’re an employee looking to learn how to deal with DSARs in your organisation, here’s what you need to know:
How do we Recognise a Data Subject Access Request?
When it comes to identifying DSARs, it might not be as obvious as one might think. According to the ICO, there are no formal requirements that make up a “valid” request.
A request, say one made via email, does not have to include the phrase ‘subject access request’ or ‘right of access’, which can make it even harder for employees to identify quickly. As long as the individual is clearly asking to access their own personal data, that is enough for it to count as a subject access request.
Who Should Respond to a DSAR in the Organisation?
As a DSAR can be sent to any employee in your organisation, everyone has a legal responsibility to handle the request correctly. That’s why you should consider which members of staff are most likely to come into contact with these requests – e.g. employees that interact with the general public.
Most organisations have a designated Data Protection Officer (DPO) who responds to DSARs, but if you receive a large number, it might be worth having a policy in place for all employees to systematically record the details of the requests you receive, whether they are made verbally or in writing.
Key Steps to Complying with Subject Access Requests (SARs and DSARs)
Depending on your organisation's size and processes, the essential steps to responding to and complying with a DSAR might differ slightly. But for now, here are five essential steps that should play a part in your DSAR process:
Step 1: Organisation
Capture, authenticate and record the request from the data subject. Can the request be completed within the one-month timeframe? Is further information required to complete the request?
Step 2: Processing
Direct the request to the appropriate functions, for example through an encrypted messaging portal, using workflows and assigned subtasks. Are there any exemptions that apply to this request? Check the full list of SAR exemptions.
Step 3: Locate Data
Use the details to collect the data and fulfil the request. Review and approve the data. Think about: Does the data need to be amended? Or do you need to protect other data subjects?
Step 4: Respond
Structure, package and deliver a copy of the data to the subject securely. Ensure the data subject knows their rights, including the right to complain to the ICO.
Step 5: Record
Close the request. Record it, set up tracking of DSAR requests for compliance and generate reports.
How to Locate the Right Data
As technology is always expanding and requiring us to move more of our personal data into the online space, data is everywhere.
At a quick glance, responding to a DSAR might seem as simple as 1, 2, 3, but as data collection grows, your organisation needs to focus more on data governance and records management. If the data you store is disorganised and misplaced, there is more chance of it ending up in the wrong hands, and it will take you longer to locate any data that is requested.