An Introduction to Data Subject Access Requests (DSARs)
- Posted by Rose Wilson
- Categories Data Protection, GDPR
- Date 05/02/2024
Under the General Data Protection Regulation (GDPR), all data subjects have a right of access to their personal data (unless the rights and freedoms of others would be adversely affected). To exercise this right, individuals can make a data subject access request (DSAR) of any data controller that processes their personal data. However, recognising when you have received a DSAR, what your obligations are and what information you need to provide, as well as understanding how to respond to one, can be tricky. As such, this blog will explain the most important aspects of DSARs in order to help you respond to them while maintaining full GDPR compliance.
What Is the Right of Access?
All data subjects have the right to obtain confirmation from a data controller that it is processing their personal data, and receive access to their data when this access would not encroach upon other individuals’ rights and freedoms. Data subjects are also entitled to obtain information on the data controller’s processing, including the purpose of the processing, the categories of personal data being processed, the recipients (or categories of recipients) of the personal data, and how long the data is retained for. If the data has not come directly from the data subject, they can also ask what the source of the personal data is, as well as about the use of any automated decision-making procedures and the rights to correction, erasure, restriction, and objection.
How Do You Recognise a DSAR?
There is no ‘DSAR template’ that data subjects have to follow, or official language that has to be included in the request, so it’s important that you recognise certain key phrases such as ‘I want to see my information’, ‘under freedom of information (FOI), I want…’ or ‘I want a copy of an email sent about me’, as these are all considered DSARs under the GDPR. Requests can be made verbally, either face to face or during a phone call, or in writing, via letter, email, or even social media.
If an individual makes a clear request to access their own personal data, this is a DSAR. There is no specific format, wording, or reference to the legislation that the data subject needs to use.
Whose Job Is It to Receive, Log and Process a DSAR?
The GDPR requires organisations to appoint a data protection officer (DPO) if they are a public authority, public body, or carry out certain processing activities, and it is these individuals who are primarily responsible for handling DSARs. Even if the appointment of a DPO isn’t mandatory for your organisation, we at URM would still recommend that you have someone identified in your organisation who is responsible for dealing with data protection issues and activities, such as DSARs, as you will need someone who is well versed in all aspects of DP to ensure the DSARs you receive are being handled in full compliance with the Regulation.
While your DPO might not be the person physically searching through data and systems, they will oversee the process to ensure that it is being completed in line with regulatory requirements.
What Information Can a Data Subject Request In a DSAR?
Data subjects are entitled to confirmation that you are processing data about them, a copy of the data being processed, and information about your (the controller’s) processing, as detailed above. Data subjects can request all of their personal data that you are processing, or just a specific piece of information, such as their name, address, date of birth, employment history, etc.
Data subjects are only entitled to access their own data, not personal data relating to another individual, although there are a few exceptions to this. If a document containing a data subject’s personal data also contains information that could, directly or indirectly, identify another individual, you will need to redact this information. Aside from this, there are a range of circumstances under which the right of access is restricted, and under which you would be exempt from providing an individual with a copy of their personal data, such as data processed for the prevention or detection of crime.
How Do You Respond to a DSAR?
Once you have received and recognised a DSAR, you may need to identify the data subject as you will need to be certain that the requester is who they claim to be, and/or that they have the appropriate permissions to gain access to the data. If you receive the DSAR from an individual who is already known to your organisation, such as an employee, you may not need to see ID. However, if identification is required, it must always be verified prior to the release of any data.
Once the DSAR has been validated, you will, generally, have one calendar month to complete the request. Therefore, you should send acknowledgement of the request as soon as it has been validated. If needed, you can ask for clarity about the request to help you locate the data, such as asking them to specify the information or processing activities their request relates to. Next, you will need to identify and gather any data that is held on the data subject, and file this into different categories, such as raw data, withheld data that you are able to apply an exemption to, redacted documents, and documents that can be released without redaction. After applying the necessary redactions, the information can be released to the data subject.
Closing Thoughts
The right of access is one of the key rights that the GDPR provides us with, and data controllers have a responsibility to help uphold this right by providing timely and accurate responses to any DSARs they receive. Beyond this, understanding what DSARs are and how to respond to them will help your organisation avoid financial penalties and reprimands from your local privacy regulator, the Information Commissioner’s Office (ICO) in the UK, as well as the reputational damage and loss of consumer trust associated with GDPR noncompliance.
How URM Can Help
If you would like to learn more about how to respond to a DSAR in full compliance with the GDPR, register for URM’s 1-day ‘How to Manage DSARs’ training course. With a 17-year track record of helping organisations comply with DP legislation, we are ideally placed to provide detailed insight and guidance on what the Regulation says about your obligations regarding DSARs and how to respond to them. All of our training courses are led by a practicing DP consultant with extensive experience in dealing with DSARs, which they will leverage throughout the course to ensure you can extract maximum value from their comprehensive knowledge and expertise.