Data Subject Access Requests (DSARs) Services
Your data subjects have the right to know that your organisation is processing their personal data, and may request a copy of such personal data in the form of a Data Subject Access Request (DSAR). Our outsourced DSAR services can help you recognise, handle, and respond to the DSARs you receive.
Why you should outsource your DSARs
Your organisation can benefit from outsourced DSAR services if you lack the necessary in-house knowledge to confidently process and respond to DSARs, or you simply don’t have the resource available to respond. You may only get requests occasionally or get complex data access requests as well. Our experts will be able to manage even those more complicated DSARs within the one-calendar month response deadline. We also offer our services on a pay-as-you-go basis, so there’s no long-term or fixed financial commitments.
Pay-as-you-go basis DSAR response services are ideal for businesses that receive up to around 20 requests per year, however, we can also provide a retained resource to act as your only resource, or to extend an existing in-house team, such that you have a dedicated resource to respond as and when required.
DSAR Response as a Service
In principle, DSARs seem straightforward. However, you may have several questions come up as you try to process and respond to requests, such as what should you do if the requested records contain the personal data of a third party in addition to the data subject? How should you handle time-consuming requests or DSARs submitted on behalf of someone else?
Handling DSARs can quickly become a hassle and distraction, occupying your valuable time and resources. When you outsource to The DPO Centre’s DSAR team, our experts will provide the experience, knowledge and tools to respond to requests within the stipulated time frames.
“The DPO Centre’s help in dealing with a particularly complex DSAR that we received was invaluable. The support and advice that they provided throughout the entire process was extremely helpful… Overall, working with The DPO Centre greatly reduced the significant challenge of dealing with this DSAR, and the guidance provided will no doubt prove useful in dealing with any others that we may receive in the future.”
HOW DOES OUR DSAR SERVICE WORK?
We offer a DSAR service that is delivered on an ad hoc ‘pay as you go’ or retainer basis, where you outsource all, some, or just occasional DSARs to us as required. We can take care of the full ‘A-Z’ of the DSAR response process, provide just an advisory and oversight service, or perform only certain aspects, such as redaction.
- Enable you to respond appropriately and in a timely manner
- Remove the burden and distraction associated with DSAR responses
- Significantly reduce the risk of compliance failure and Regulator scrutiny
- Assist in improving data subject trust and de-escalating contentious situations
- Provide model template responses for communicating with data subjects
- Provide guidance around scope defining and conducting database searches
- Conduct full de-scoping and redaction exercises
- Complete delivery of response to data subjects
- Handle all correspondence with the relevant supervisory authority
- Immediate access to external Subject Matter Experts on an entirely confidential basis
- Peace of mind that you are working with one of the largest, most established data protection providers available
- Removal of the distractions and costs associated with training and managing internal resources to respond
- Implementation of established and verified response processes and standards
- Substantial reduction in regulatory and reputational risk
By engaging with our DSAR response service, you will have the peace of mind that an expert team is there to support you. If you would like to know more about how we can help, please contact us.
Benefits of DSARs Outsourcing
Allowing The DPO Centre team to process and respond to your DSARs can save you the hassle and distraction to your internal resources. Our DSAR service is used by organisations that receive only occasionally DSAR requests, those that are struggling to comply with the required response time frames, and those that are at a high risk of scrutiny due to previous infringements. If you expect to see an increase in the number of requests due to employee issues or you are looking for an “overflow” resource for your in-house team, our DSAR service will be of significant benefit to you.
Data Subject Access Requests for Sectors
Every sector that collects and processes personal data is subject to the requirement to respond to DSAR requests. However, the nature of requests vary based on your particular sector. The DPO Centre can provide a specialist in your sector, with the relevant experience and knowledge to handle the DSARs your organisation receives.
Fill in your details below and we’ll get back to you with 24 Hours
Frequently Asked Questions
We’ve compiled a series of FAQs below but if you can’t find the answer here please contact us to find out more.
A Data Subject Access Request (DSAR) is a request to an organisation from a customer, employee, supplier or any other person that you process personal data on (known as a data subject)for a copy of the personal data you’ve collected on them. Receiving a response to that request is a right all data subjects have under data protection law.
There is no official or specific form for submitting Data Subject Access Requests (DSARs). Data subjects can submit them in writing or verbally, and do not need to cite any specific data protection legislation.
Your company should have a Data Protection Policy that outlines how to handle DSARs. If you do not have such a policy, you should consider defining one.
You have one calendar month to respond to a DSAR, starting from the date you received it. However, you must reply to the data subject asking for more info or if the request is complex, indicating that it will take you longer to complete. Under ICO guidance, you have up to an additional two months to respond to the DSAR.
The cost of an outsourced DSAR service will depend on the size and complexity of the requested response. The DPO Centre can support you to respond to the smallest, to the very largest (sometimes running to tens of thousands of pages) of DSAR responses.
Only personal data can be included in a DSAR. The information must be related to the person making the application and not anybody else without their authorisation. For example, the personal data relating to a work colleague can only be included if they provide their permission.
DSARs are usually free of charge. However, if you wish to respond to a DSAR that is unfounded or excessive in nature, you have the option to charge a reasonable fee for dealing with the request. Unfortunately, there is no guidance on what constitutes a ‘reasonable fee’, although basing it on associated administrative costs is a good start point.
A DSAR request can be refused if the information is believed to be excessive or repetitive. In the majority of cases, you will have to respond and state your intention not to provide the information. There are also some exemptions to DSAR requests, which we can provide guidance on where appropriate.
In most cases a DSAR is made via email, but it can be received by post, in person or over the phone. Customer facing staff should be provided training on how to identify a DSAR so requests are handled appropriately and not missed or overlooked. Clear procedures and policies should also be in place to provide guidance for staff when dealing with a request.
When responding you should inform the person about the details of the data, how it is used and the legal basis for processing it. Also include details of any third parties that access the data, how long it is stored for and where the request came from. The response should be easy to read without use of any technological language.
DATA PROTECTION SERVICES FOR SECTORS
Director at Unbar Rothon
“The DPO Centre’s help in dealing with a particularly complex DSAR that we received was invaluable. The support and advice that they provided throughout the entire process was extremely helpful, in particular, the training sessions were delivered clearly and professionally in a way that made the information easy to understand.”