With the constant evolution of privacy laws globally, people are more aware of the significance of their personal data (information relating to an identified or identifiable natural person) and are increasingly exercising their rights to access, control and protect it. Data Subject Access Requests (DSARs) allow individuals (the data subjects) to ask an organisation what personal data it holds about them, how that data is processed and what it is being used for. Individuals have a legal right to answers to these questions, and companies have a legal obligation to provide them.
Over the past few years, and especially since the pandemic, there has been a significant rise in the number of people submitting DSARs.
In this blog, we cover some helpful background about DSARs and explore the frequently asked question: What should I include in a DSAR and what can I withhold?
Data Subject Access Requests (DSARs), also known as Subject Access Requests (SARs), are formal inquiries by individuals to organisations, seeking details about their collected and stored personal information.
Under the EU’s General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and the UK GDPR (the GDPR as retained in UK law from 1 January 2021, the end of the Brexit transition period, and supplemented by the Data Protection Act 2018), individuals have a legal right to access the personal data held about them. An individual can submit a DSAR verbally or in writing (including via social media and messaging platforms), and the request does not need to be directed to a specific person or contact point: it is valid wherever in the organisation it arrives, so front-line staff need to recognise one when they see it.
These are all examples of DSARs:
DSARs promote transparency of data processing practices within organisations and give individuals control over their personal information. However, managing and responding to DSARs can be a real burden. In-house resources are frequently stretched, and staff and managers often lack experience of best-practice DSAR processes.
But DSARs can bring many benefits. You could view a DSAR as a helpful assistant in achieving strong data governance. DSAR processing can lead to improved operations and better staff awareness, and offers a valuable opportunity to enhance customer trust and satisfaction.
Trust – Fulfilling DSARs demonstrates respect for the privacy rights of customers and staff, which builds trust and increases loyalty. For life sciences organisations, gaining the trust of clinical trial participants is especially crucial.
Confidence – Promptly addressing DSARs reduces the risk of complaints and disputes and bolsters business reputation.
Improved internal operations – By reviewing requested data, companies can gain crucial insights and make important improvements to data protection practices.
Each DSAR needs to be tackled on a case-by-case basis and the information to include depends on the specific details of the request.
In general, these are the most common types of DSARs companies need to process:
Data summary – This type of request typically requires a company to provide a copy of all personal data held about someone. If that data includes other individuals’ personal information, it must be redacted (or those individuals’ consent obtained) so that the response does not itself become a data breach.
Data processing confirmation – Individuals have the right to confirmation of whether their personal data is being processed and, if it is, to the details set out in Article 15(1): the purposes of the processing, the categories of data concerned, the recipients, and the retention period (in data protection terms, the defined period for which the data is kept). These details are similar to those included in a Privacy Policy, but they must describe what actually happens to this individual’s data rather than what the policy says in general.
Data correction – Individuals sometimes contact a company to ask for confirmation of their details and then ask for updates, such as a new address or payment details. Strictly, the correction is a rectification request (Article 16) rather than an access request, but the two usually arrive together: provide the information first, then apply the requested changes.
Employee requests – These are just as important as customer requests and should be treated with equal urgency. Employers often hold sensitive information, such as medical details (special category data), which requires additional care in terms of data protection.
You must respond to a DSAR within one calendar month of receiving it. If you genuinely need clarification (for example, where you hold a large amount of data about the individual and need to know which of it the request covers), you can pause the clock until the clarification arrives, but you should not use this as a delay tactic.
If the request is complex, or the same individual has submitted a number of requests, the response time can be extended by a further two months (three months in total). You must tell the individual about the extension, and the reasons for it, within the original one-month period.
Complex requests might include:
These are not necessarily deemed complex:
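The counting rules above are easy to get wrong by hand, particularly at month ends (a request received on 31 January cannot be answered by "31 February"). The following is an added example, not tooling from the original post or its author, that encodes one counting convention as an assumption: the deadline is the same day of the month in the following month (or the last day of that month if it is shorter), a deadline that lands on a weekend or bank holiday rolls forward to the next working day, an extension is counted from the date of receipt, and days spent waiting for clarification are added to the deadline. The bank holiday set is a constructed sample for 2024 and should be replaced with a maintained list.

```python
"""DSAR deadline calculator (illustrative; the counting convention is an assumption)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample of England and Wales bank holidays for 2024.
# Assumption for the example only; a real deployment would load a maintained list.
SAMPLE_BANK_HOLIDAYS: set[date] = {
    date(2024, 1, 1), date(2024, 3, 29), date(2024, 4, 1), date(2024, 5, 6),
    date(2024, 5, 27), date(2024, 8, 26), date(2024, 12, 25), date(2024, 12, 26),
}


def add_calendar_months(start: date, months: int) -> date:
    """Return the same day-of-month `months` later; if that month is shorter,
    clamp to its last day (31 Jan + 1 month -> 28 or 29 Feb)."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(d: date, holidays: set[date]) -> date:
    """Roll forward past Saturdays, Sundays and listed holidays."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


@dataclass(frozen=True)
class Deadline:
    statutory: date    # calendar-month date before any working-day adjustment
    respond_by: date   # date the response must actually be sent by
    months_allowed: int


def dsar_deadline(received: date, *, extended: bool = False, pause_days: int = 0,
                  holidays: set[date] | None = None) -> Deadline:
    """Compute the response deadline for a DSAR received on `received`.

    extended   -- True if the request is complex or one of several from the
                  same person (two further months, counted from receipt).
    pause_days -- whole days the clock was stopped awaiting clarification;
                  modelled here by pushing the deadline back that many days.
    """
    if pause_days < 0:
        raise ValueError("pause_days must be >= 0")
    holidays = SAMPLE_BANK_HOLIDAYS if holidays is None else holidays
    months = 3 if extended else 1
    statutory = add_calendar_months(received, months) + timedelta(days=pause_days)
    return Deadline(statutory, next_working_day(statutory, holidays), months)


def dsar_deadline_iso(received: str, **kwargs) -> tuple[str, str]:
    """String-friendly wrapper: ISO date in, (statutory, respond_by) ISO dates out."""
    d = dsar_deadline(date.fromisoformat(received), **kwargs)
    return d.statutory.isoformat(), d.respond_by.isoformat()


if __name__ == "__main__":
    for received, kw in [("2024-01-31", {}), ("2024-04-06", {}),
                         ("2024-10-09", {}), ("2024-01-31", {"extended": True})]:
        statutory, respond_by = dsar_deadline_iso(received, **kw)
        print(f"received {received} {kw or ''}: statutory {statutory}, respond by {respond_by}")
```

The `statutory` and `respond_by` dates are kept separate on purpose: the first is what you record and report to the individual, the second is the internal target, and a ticketing system should alarm on the earlier of the two so that a weekend roll-forward is never relied on.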
DSAR exemptions have caused significant confusion for organisations, with the misinterpretation of guidelines recently resulting in over 15,000 complaints to the UK’s Information Commissioner’s Office (ICO), the UK’s independent supervisory authority for the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations, between April 2022 and March 2023.
There are several exemptions that allow organisations to withhold data in response to a DSAR. However, the individual must receive an explanation of why data is being withheld within one month of the request being received. They also have the right to complain to a supervisory authority (the body each member state establishes to supervise compliance with data protection law) and to seek a judicial remedy.
These are some of the main reasons for valid exemptions:
Manifestly unfounded or excessive – This means the request is clearly baseless or unreasonable, and it is determined case by case. Examples are requests made with the sole purpose of harassing or disrupting the organisation, or an unspecified request so broad and vague that it would take a disproportionate amount of time to fulfil. Where this applies, Article 12(5) lets you refuse the request or charge a reasonable fee, but you carry the burden of demonstrating why it is manifestly unfounded or excessive.
To safeguard other individuals’ data – You are not obliged to disclose data that would identify another person unless that person has given their consent, or it is reasonable in the circumstances to disclose it without their consent. In practice this usually means redacting the third-party information rather than withholding the whole document.
To protect the rights and freedoms of others – This is set out in Article 15(4) of the GDPR, which provides that the right to obtain a copy of personal data must not adversely affect the rights and freedoms of others. An exemption applies if disclosing information in response to a request could impinge upon those rights and freedoms, for example by revealing another person’s identity or personal opinions.
Crime prevention – Personal data processed for crime and tax-related purposes (the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of a tax or duty) can be withheld, but only to the extent that complying with the right of access would be likely to prejudice those purposes. The exemption is not a blanket one for everything held by a fraud or investigations team.
Information used for management forecasting or planning – There is an exemption for personal data processed for management forecasting or planning, such as sales projections, staffing plans and financial forecasts, to the extent that disclosure would prejudice the conduct of the business, for example by revealing sensitive information about company operations and future plans.
The key to a successful DSAR is good preparation and solid data governance. If you are struggling to respond to a request, it might be a red flag to review your overall data management processes.
Here are some helpful tips for DSAR best practice:
If you need help with your Data Subject Access Requests (DSARs), please contact us. We offer a variety of DSAR services, including DSAR audits.
Also see these helpful resources:
Handling Data Subject Access Requests (DSARs)
Tackling complex Data Subject Access Requests (DSARs)