White Paper: Handling Data Subject Access Requests (DSARs)
Under EU and UK data protection law, Data Subjects have the right to know if your organisation is processing their personal data, and if so, to be provided with a copy of such personal data, along with other supplementary information regarding the nature and scope of the processing. Whilst the latter of which should form part of your Privacy Policies/Notices, the provision of copies of personal data can pose a range of challenging issues.
It is important that such requests are handled fairly, ensuring that the application of these rights do not undermine other obligations on you, such as preserving the data protection or privacy rights of third parties, preserving any confidential duties, ensuring compliance with law enforcement activity, social work etc. and so on.
The provision of copies of data subjects’ personal data can often create further challenges and questions, such as:
- What if their personal data was provided to you in confidence, such as from a confidential informant?
- What if their request is going to be time consuming or particularly voluminous?
- What if someone else is requesting it on behalf of them?
- What if it concerns a child?
- What if it contains the names of other staff or staff from other stakeholders?
These, amongst others, are considerations that need to addressed as part of your DSAR response.
The DPO Centre provides a specific DSAR response service that enables you to outsource all, or selected, DSAR requests, freeing up your time, removing the distraction and resolving internal resource allocation challenges. If you require immediate access to this type of support, please contact us.
This detailed downloadable guide will walk you through the journey of completing a Data Subject Access Request (‘DSAR’). Whilst it is not exhaustive or specifically tailored to your organisation, it is indicative of the general considerations you will be expected to address when dealing with a DSAR response, such as validating a requestor, how to acknowledge a request and how to physically redact information. The guide also includes a handy walkthrough checklist to assist you to complete each DSAR, as well as a series of templates to help you construct appropriate responses.
DSARs can be complex by their nature. It is not uncommon for professionals to have a variety of different views on how to approach DSARs (such as when redactions should apply). If you remain unsure, it is important that you seek further advise or guidance from a Data Protection Officer (DPO) or advice from a privacy specialist.
If you would like immediate assistance with a DSAR response, or any other data protection related issue you are facing, please contact us.
Download the white paper: