Under the rules of the GDPR, any individual whose data is being held by an organisation can make a Data Subject Access Request (DSAR). In simple terms, this is an appeal in writing for any information held by the company that relates to the data subject.
It’s important to note that a DSAR does not need to be made directly by an individual – it can also be submitted by a representative. Plus, the term ‘in writing’ includes e-mail and social media as well as other conventional means such as a written letter.
Before any data is handed out in response to a DSAR, it’s vital to confirm the identity of the individual making the request. This can be done through photo ID or address, or in the event that a third party (such as a solicitor) is acting on behalf of the data subject, then other forms may be applicable.
What does the DSAR relate to?
The type of data request depends on the nature of the information that the subject wants disclosing. Requests can fall into one of two categories:
Simple requests:
- Data is stored in a single location/system
- No third parties are involved
- The DPO may be required to sanction the disclosure.

Complex requests:
- Data is stored in multiple locations/systems
- Contentious information is requested (e.g. where disclosing data of other subjects is involved)
- Multiple requests have been generated from the same person
- More complex involvement of the DPO is required and potentially others.
Third party data
In the event that releasing data to an individual means third party information will also be disclosed, these additional subjects must be contacted for permission – otherwise, they could argue that a breach has taken place! However, if this isn’t possible, then it’s the DPO’s responsibility to consider the grounds for release and any impact it could have on the parties concerned.
It’s also possible to release data with third party information redacted, as long as the person making the request is informed of this decision. However, they can choose to make a follow-up request to the supervisory authority for full access if they wish – this is the Information Commissioner’s Office (ICO) for the UK.
What data can be requested?
In most cases, all information held on an individual is available to request, including archived data – this is why it’s so important that retention policies are clearly defined and documented.
The 6 principles of the GDPR are crucial here, as organisations must be clear with subjects about the need, type, purpose and retention timescales for their data being used. It is important to ensure the individual’s expectations of the request align with the organisation’s ability to deliver. It is also crucial to know what the data subject was advised when they initially offered up their data.
For these reasons, DSARs are a very good deterrent to businesses keeping data for an excessive period of time – even if a company can justify the need, a DSAR will require them to disclose whatever information is being stored on an individual, however inconvenient!
Where possible, any information provided in response to a DSAR should be in an understandable format. For example, data that contains operational codes or indicators needs to be disclosed to the subject in ‘Plain English’, or with an explanation of what these codes mean at the very least.
Notes or letters written by hand also count as ‘data’. Therefore, it’s important to be mindful of the content and location of anything that’s put into writing, as this may also need to be released under a DSAR.
The maximum timescale for fulfilling an individual’s DSAR is one month – including weekends! In the event of multiple or complex requests, this can be extended to two months, but the person making the request must be informed of the extension and the reasons why.
Again, it’s important to be aware that the individual requesting the data can submit a complaint to the supervisory authority if they believe their DSAR is not being dealt with properly. It is therefore good practice to always ensure that communications are clear, precise and timely – this will act in the organisation’s favour if the authority ends up being involved.
This sounds like a lot of work – can I charge for it?
While there is a standard £10 rate in place under existing Data Protection rules, this has been removed from the GDPR – so, as a rule of thumb, a charge cannot be made for reasonable requests. However, repeat or excessive requests may attract a ‘reasonable’ fee based on the cost of the administrative burden.
Aside from disclosing third party data, there may be instances where the amount of work required to fulfil a DSAR is disproportionate or expensive. In such cases, the organisation is permitted to refuse the request, but extreme caution should be taken when refusing a DSAR – arguing to the supervisory authority that ‘disproportionate’ effort would be required, without enough evidence to back this up, can result in hefty penalties.
As with any process relating to personal data, it’s crucial to keep up-to-date and precise records of any DSARs. This is especially important if the request falls into the ‘complex’ category or a complaint is made – in such cases, the supervisory authority is likely to analyse the thought processes and reasoning behind decisions, so clear documentation is vital. And, as always with personal data processing, appropriate measures to protect the register’s security and privacy must be taken.
Did you know you can enlist the help of a Virtual DPO to take care of DSARs for you? To find out more about this and the other GDPR services we offer, get in touch!