GDPR in focus: What is a Data Subject Access Request?

Managing Director

Fav thing about the office

Good banter

As a child I wanted to be a ... when I grew up

Plumber/Electrician

Guilty Pleasure(s)

Strictly come dancing

Favourite Holiday

Crete

If I had a superpower it would be...

Mind Reading

Describe yourself in three words or less

Methodical, Energetic, Reliable

An interesting fact about me

Started “Work” life as an opera singer

Likes

Horse riding, fillet steak and a good curry

Favourite Band

…into Classical Music

Karaoke Jam

Desperado- The Eagles

What I do at Q2Q:

My role is to provide the overall direction and “eye on the compass” as to where we, as a team, are heading.

I’m still very much focused on the customer and will often get involved in customer solution discussions. As a techie at heart, I’m regularly seeking to understand industry developments and directional changes that may affect our customers, so we and our customers can remain on the front foot.

Background and Achievements

I started out in an I.T technical department of what was then British Rail, following which I joined a large construction company to re-organise their I.T infrastructure.

I then spent a couple of years as a business systems analyst at P&O Nedlloyd designing, developing and implementing systems within their Bulk and Tank Carrier companies.

In 1999 I was appointed as I.T Manager of SockShop and subsequently as of Head of I.T. at the Tulchan Group, comprising then of 300 stores. Due to a Year 2000 compliance issue, we were required to seek an alternative system, which we were able to more cost effectively write ourselves. This product subsequently became known as RAWHIDE and we later sold this product into a number of other businesses. At the time it was quite cutting edge as all the warehouse function was undertaken using handheld, wireless scanners, rather than the batch scanners that were dominant at the time.

In 2003 The Tulchan Group was acquired by Harris Watson. We were then asked to take responsibility for the I.T. of Viyella Ladies wear and in 2004 the demands of two MD’s and two FD’s (Tulchan Group + Viyella), resulted in the sensible decision to break out of the group and Q2Q was born. This then enabled us to also get involved with a number of other group companies (Harris Watson owned companies) as well as other non-group parties.  At one stage we were managing the I.T for almost 500 stores across a number of businesses.

Today Q2Q retains some of the group customers that we acquired along the way, as well as a substantial number of new and diverse customers in almost all industries including accounting, business development organisations, legal marketing, medical, retail and wholesale.

Hobbies and Interests

Horse riding, running (Jogging), motorbikes, reading any of the Detective Rebus stories.

Under the rules of the GDPR, any individual whose data is being held by an organisation can make a Data Subject Access Request (DSAR). In simple terms, this is an appeal in writing for any information held by the company that relates to the data subject.

It’s important to note that a DSAR does not need to be made directly by an individual – it can also be be submitted by a representative. Plus, the term ‘in writing’ includes e-mail and social media as well as other conventional means such as a written letter.

Security

Before any data is handed out in response to a DSAR, it’s vital to confirm the identity of the individual making the request. This can be done through photo ID or address, or in the event that a third party (such as a solicitor) is acting on behalf of the data subject, then other forms may be applicable.

What does the DSAR relate to?

The type of data request depends on the nature of the information that the subject wants disclosing. Requests can fall into one of two categories:

1.       Simple

a.       Data is stored in a single location/system

b.       No third parties are involved

c.       The DPO may be required to sanction the disclosure.

2.       Complex

a.       Data is stored in multiple locations/systems

b.       Contentious information is requested (e.g. where disclosing data of other subjects is involved)

c.       Multiple requests have been generated from the same person

d.       More complex involvement of the DPO is required and potentially others.

Third party data

In the event that releasing data to an individual means third party information will also be disclosed, these additional subjects must be contacted for permission – otherwise, they could argue that a breach has taken place! However, if this isn’t possible, then it’s the DPO’s responsibility to consider the grounds for release and any impact it could have on the parties concerned.

It’s also possible to release data with third party information redacted, as long as the person making the request is informed of this decision. However, they can choose to make a follow-up request to the supervisory authority for full access if they wish – this is the Information Commissioners Office (ICO) for the UK.

What data can be requested?

In most cases, all information held on an individual is available to request, including archived data – this is why it’s so important that retention policies are clearly defined and documented.

The 6 principles of the GDPR are crucial here, as organisations must be clear with subjects about the need, type, purpose and retention timescales for their data being used. It is important to ensure the individual’s expectations of the request align with the organisation’s ability to deliver, it is also crucial to know what the data subject was advised when they initially offered up their data.

For these reasons, DSARs are a very good deterrent to businesses keeping data for an excessive period of time – even if a company can justify the need, a DSAR will require them to disclose whatever information is being stored on an individual, however inconvenient!

Codified data

Where possible, any information provided in response to a DSAR should be in an understandable format. For example, data that contains operational codes or indicators needs to be disclosed to the subject in ‘Plain English’, or with an explanation of what these codes mean at the very least.

Handwritten notes

Notes or letters written by hand also count as ‘data’. Therefore, it’s important to be mindful of the content and location of anything that’s put into writing, as this may also need to be released under a DSAR.

Compliance timescales

The maximum timescale for fulfilling an individual’s DSAR is one month – including weekends! In the event of multiple or complex requests, this can be extended to two months, but the person making the request must be informed of the extension and the reasons why.

Again, it’s important to be aware that the individual requesting the data can submit a complaint to the supervisory authority if they believe their DSAR is not being dealt with properly. It is therefore good practice to always ensure that communications are clear, precise and timely – this will act in the organisation’s favour if the authority ends up being involved.

This sounds like a lot of work – can I charge for it?

While there is a standard £10 rate in place under existing Data Protection rules, this has been removed from the GDPR – so, as rule of thumb a charge cannot be made to reasonable requests. However, repeat or excessive requests may be levied with a ‘reasonable’ fee based on the cost of the administrative burden.

Refusal

Aside from disclosing third party data, there may be instances where the amount of work required to fulfil a DSAR is disproportionate or expensive. In such cases, the organisation is permitted to refuse the request, but extreme caution should be taken when refusing a DSAR – arguing to the supervisory authority that ‘disproportionate' effort would be required without enough evidence, can result in hefty penalties.

DSAR register

As with any process relating to personal data, it’s crucial to keep up-to-date and precise records of any DSARs. This is especially important if the request falls into the ‘complex’ category or a complaint is made –  in such cases, the supervisory authority is likely to analyse the thought processes and reasoning behind decisions, so clear documentation is vital. And, as always with personal data processing, appropriate measures to protect the register’s security and privacy must be taken.

Did you know you can enlist the help of a Virtual DPO to take care of DSARs for you? To find out more about this and the other GDPR services we offer, get in touch!