The Challenges Associated with DSARs
- Posted by Vicky Silver
- Categories Data Protection, GDPR
- Date 15/03/2024
One of the key rights granted to data subjects and protected by the General Data Protection Regulation (GDPR) is the right of access to their personal data, which is exercised by making a data subject access request (DSAR) to a data controller. Under the GDPR, data controllers (i.e. the people or organisations that determine why and how personal data is processed) are, in most circumstances, obliged to respond to these requests by providing the data subject with a copy of the personal data the controller holds about them, together with supplementary information such as the purposes of the processing and the recipients of the data. The response must cover their data only: information relating to another living individual must not be disclosed unless that individual consents or it is otherwise reasonable to disclose it without their consent.
Unfortunately, responding to these requests in full compliance with the GDPR is often neither simple nor straightforward; your privacy team may need to spend hours searching mailboxes and file shares, redacting documents and gathering information before the data can be provided to the data subject. It is a time- and resource-intensive activity, and the one-calendar-month time limit within which you are usually required to respond (running from the day you receive the request, or from the day you receive any identity verification or clarification you have reasonably asked for) adds a further element of pressure. Meanwhile, because you cannot normally charge a fee, none of the associated cost can be recovered.
The Importance of Human Intervention
Although responding to DSARs can present a significant challenge, it is vitally important that they are managed properly. In particular, human oversight of the DSAR response, rather than sole reliance on automated methods such as artificial intelligence (AI) tools, is the better approach to collating and redacting the data. As mentioned above, a DSAR entitles the data subject to their own personal data only: no other individual should be identified in your response, whether directly, by name, or indirectly, through other information (a job title, a date, a description of events) from which they could be identified, unless you have concluded that it is reasonable to disclose that information. Simply entering a third party's name into redaction software therefore catches only the direct identifiers and leaves the indirect ones in place, which is potentially noncompliant; reading each document in context and applying human judgement is the only way to be confident you have avoided this.
Certain elements of the data you process will also need to be withheld or redacted in line with the exemptions in Schedule 2 of the Data Protection Act 2018 (DPA 2018), which lists the circumstances in which you are not required to provide a data subject with their personal data (for example, where disclosure would prejudice the prevention or detection of crime, or where the information is subject to legal professional privilege). Again, this can only be done accurately by a person, in particular one who is knowledgeable about the Regulation and the exemptions it provides, rather than by software.
Fairness and Impartiality
The individuals handling a DSAR must be able to do so with complete fairness, independence and impartiality. Maintaining these principles may seem simple enough, and in many cases it will be. However, if the request requires you to process personal data that was provided in confidence, or that could affect the data subject's standing within your organisation if seen by certain individuals (e.g. a grievance, HR matter or formal complaint), you will need to think carefully about who you select to prepare the response. For an internal request from an employee, the pool of people who can handle the DSAR with the necessary independence may be considerably narrower; an HR representative who was involved in the grievance the employee is asking about could not meet the impartiality requirement, for example.
Other Considerations
Beyond this, there are other factors which may affect your response to a DSAR and the information you are able to provide. Has the DSAR been made on behalf of someone else? If so, you need to be fully satisfied, before disclosing anything, that the person making the request has the authority to act for the data subject (for example, written authorisation from the data subject or a power of attorney). Is the request particularly complex, or have you received numerous requests from the same data subject? In these scenarios you may extend the deadline by a further two months, provided the request genuinely meets the conditions for complexity and you inform the data subject of the extension, and the reasons for it, within the original one month. What about requests concerning children, where you must consider whether the child is mature enough to understand their rights and, if a parent is asking on the child's behalf, whether disclosure is in the child's best interests? Or requests that are manifestly unfounded or excessive, which you may refuse (or charge a reasonable fee for), although you must still tell the requester within one month that you are refusing, why, and that they may complain to the ICO? As the Information Commissioner's Office (ICO) guidance makes clear, you must understand and review the context of each DSAR, and formulate your response and redactions with that context in mind.
Enhancing Your Understanding of DSAR Requirements
Understanding how to respond compliantly to DSARs can be difficult because of the sheer number of specific, nuanced situations these requests give rise to. We at URM would always recommend that you read and understand the ICO's guidance on DSARs in full, as it clarifies what your obligations are, when you should and should not provide information to a requester, how to apply redactions, and so on.
However, while a comprehensive understanding of the ICO guidance is important, you may also benefit from more personal and interactive support in the form of a training course. We would therefore also recommend URM's practical 1-day 'How to Manage DSARs' course, which addresses every aspect of DSARs. Following an explanation of what DSARs are and their background, the trainer takes you through each stage of the DSAR response process, ultimately providing you with the skills and understanding to respond to these requests effectively and compliantly. The course covers how to recognise a DSAR and determine whether it is valid, clarifying the request and verifying the requester's identity, the timescales for responding, applying redactions, what data is disclosable and the exemptions that may apply, completing the DSAR, and what to do if the data subject complains to the ICO, all in granular detail. All of our DSAR courses are led by a qualified, practising data protection consultant who teaches with the goal of maximising the transfer of knowledge across the group, giving you an opportunity to discuss and ask questions that is unavailable when reading the ICO guidance in isolation.