Data Subject Access Requests (DSARs): the four words that have been striking fear into the hearts of even the most prepared and seemingly compliant organisations ever since the General Data Protection Regulation (GDPR) was enacted in 2016 and then came into force in the UK in May 2018, through the Data Protection Act (DPA) 2018.
The GDPR represents the most significant shift in privacy laws for a generation. Individual data subjects, whether they be a member of the public or an employee, now have considerably extended rights under the new DPA and the GDPR.
For most, the deluge of DSARs flooding into inboxes after May 25th didn’t quite happen, but many organisations are reporting a significant increase in DSARs, and this is only likely to increase as public awareness grows. Let’s examine six key things that organisations need to consider when implementing or reviewing their DSAR process:
1. Response Times: The Organisation must comply with the request ‘without delay’. In practice, this means one month from receiving the DSAR, or one month from verifying proof of identity. There are exceptions to this, which will be discussed below.
2. DSARs can take any written form: As an organisation you cannot insist on a submission method, or demand that the data subject fills out a prescribed form. So long as the request is in writing then this will be deemed sufficient. With this in mind, it must be possible for the data subject to make requests electronically (e.g. by email or online). Where a request is made electronically, it is reasonable to provide the information in a commonly used electronic form (e.g. email/pdf), unless otherwise requested by the individual.
3. DSARs are free: An organisation is no longer able to charge for responding to a request unless the request is ‘manifestly unfounded or excessive’. Under the previous DPA 1998, an organisation could charge a nominal administration fee of £10 per request. An organisation may now only charge a reasonable administrative fee if further copies are requested.
5. Time Limits: The Data Controller must respond to these requests within a month. However, in exceptional circumstances up to two additional months can be sought, but only if the data subject is made aware of that request within the first month, along with a full explanation of the reasons for the additional time.
6. Refusing DSARs: As a business or institution, this one might pique your interest:
Don’t get over-excited, though; a note of caution. The ICO is very clear in discouraging organisations from introducing barriers or obstructions to complying with DSARs.
So, in reality what does all of this mean for your organisation? The most important thing is ensuring that you have a robust and efficient DSAR process in place, such that your organisation is not merely reactionary but precautionary.
The DPO Centre provides outsourced Data Protection Officers who deal with these types of requests on a daily basis and can therefore work with you to help understand your data and where it is located, design your process, policies & procedures and prepare you for all eventualities.
For further information on DSARs or any other compliance matter, please contact us.