In our constantly evolving data-driven world, we are more aware than ever of the significance of personal data (information which relates to an identified or identifiable natural person). How are companies processing data, how long is data stored, what is it being used for? Individuals have a legal right to know the answers to these questions, and companies have a legal obligation to provide the information.
Over the past few years, and especially since the pandemic, there has been a significant rise in the number of people submitting Data Subject Access Requests (DSARs). A data subject is an individual who can be identified or is identifiable from data.
This blog will cover some helpful background about DSARs and explore the frequently asked question: what should be included in a DSAR and what can be withheld?
Data Subject Access Requests (DSARs), also known as Subject Access Requests (SARs), are formal inquiries by individuals to organisations, seeking details about their collected and stored personal information.
Under the European Economic Area’s General Data Protection Regulation (GDPR), formally Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and under the UK General Data Protection Regulation (UK GDPR), individuals have a legal right to access the personal information held about them. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018; this became the UK GDPR on 1st January 2021 when the UK formally exited the EU. A DSAR can be made verbally or in writing (including via social media and messaging platforms), and doesn’t need to be directed to a specific person within an organisation.
These are all examples of DSARs:
DSARs promote transparency of data processing practices within organisations and empower individuals to have control over their personal information. However, DSARs are often seen as a burden. In-house resources are frequently unavailable, with staff and managers lacking experience in best practice DSAR processes.
DSARs can bring many benefits and should be seen as a helpful assistant for achieving strong data governance. DSAR processing can lead to improved operations, better staff awareness, and offer a valuable opportunity to enhance customer trust and satisfaction.
Trust – Fulfilling DSARs demonstrates respect for the privacy rights of customers and staff, which builds trust and increases loyalty. For the life sciences, it is crucial to gain the trust of clinical trial participants.
Confidence – Promptly addressing DSARs reduces the risk of complaints and disputes and bolsters business reputation.
Improved internal operations – By reviewing requested data, companies can gain crucial insights and make important improvements to data protection practices.
Each DSAR needs to be tackled on a case-by-case basis and the information to be included depends on the specific details of the request.
In general, these are the most common types of DSARs companies need to process:
Data summary – This type of request typically requires a company to provide a complete list of all personal data held about someone. If the data includes other individuals’ personal information, it must be redacted to prevent a breach.
Data correction – Individuals sometimes contact a company to ask for confirmation of their details and then ask for updates such as new address or payment details. For this type of request, the information needs to first be provided and then revised as requested.
Employee requests – These are just as important as customer requests and should be treated with equal urgency. Companies often store sensitive information, such as medical details, which would require additional care in terms of data protection.
A DSAR must be responded to within one month of receiving the request. The pause button can be pressed if anything requires clarification, but this cannot be used as a delay tactic.
The response time can be extended by a further two months (giving three months in total), but only if the request is deemed complex or if multiple requests have been submitted by the same individual.
Complex requests might include:
These are not necessarily deemed complex:
DSAR exemptions have caused significant confusion for organisations, with the misinterpretation of guidelines recently resulting in over 15,000 complaints to the UK’s Information Commissioner’s Office (ICO, the United Kingdom’s independent supervisory authority for ensuring compliance with the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc.) between April 2022 and March 2023.
There are several exemptions that allow organisations to withhold data in response to a DSAR. However, the individual must receive an explanation of why data is being withheld within one month of the request being received. Additionally, they have the right to file a complaint with a supervisory authority (an authority established by its member state to supervise compliance with data protection regulation) and to seek a judicial remedy.
These are some of the main reasons for valid exemptions:
Manifestly unfounded or excessive – This means the request is clearly baseless or unreasonable and is determined case-by-case. Examples of this are requests made with the sole purpose of harassing or disrupting, or an unspecified request so broad and vague it would require a disproportionate amount of time to fulfil.
To safeguard other individuals’ data – There is an exemption for disclosing data that would identify another person, unless the other person has given their permission.
To protect the rights and freedoms of others – This is outlined in Article 15(3) of the GDPR. An exemption applies if disclosing information in response to a request could impinge upon the rights and freedoms of others, for example revealing identities or personal opinions.
Crime prevention – Personal data processed for crime and tax-related purposes is exempt from the right of access and includes the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of a tax or duty. The exemption applies only to the extent that complying with the right of access would likely prejudice these purposes.
Information used for management forecasting or planning – There is an exemption from complying with a DSAR if it relates to personal data being used for management forecasting or planning such as sales projections, staffing plans and financial forecasts. Disclosing this information could prejudice the business and reveal sensitive information about company operations and future plans.
The key to a successful DSAR is good preparation and solid data governance. If you are struggling to respond to a request, it might be a red flag to review your overall data management processes.
Here are some helpful tips for DSAR best practice:
If you need help with your Data Subject Access Requests (DSARs), please contact us. We offer a variety of DSAR services, including DSAR audits.
Also see these helpful resources: