A data subject access request (DSAR) from a customer, ex-employee or another party can be tricky to navigate and is a headache for your business. It will inevitably distract you from your day-to-day business and you will have to divert valuable business resources and costs to manage it. However, there is no hiding from the statutory obligations to comply and failure to meet those obligations can potentially expose your company to reputational damage as well as financial penalties.
A DSAR is the right of an individual to obtain records relating to their personal information held by a company or organisation. DSARs can be received from anyone if you hold their personal data. A request obliges the company to provide all relevant personal data that it holds on the person in question within one month of receipt.
Cleaver Fulton Rankin can assist your company when dealing with these requests. We are experienced in supporting clients when responding to DSARs with a combination of legal expertise from our employment law and data protection team, an experienced legal review team, industry-leading technology and project management expertise.
We have set out below some top tips when responding to a DSAR request:
Prepare in advance
Preparing a best practice response in advance of receiving a DSAR can be the key to success. For example, having a data retention policy and routinely deleting data that is no longer required will reduce the volume of data to be collected and reviewed. Ensure that you know where information is stored on your systems and maintain a data inventory. This will allow you to quickly target the data when a request comes in.
Next, focus on how you are going to deal with it and who will be responsible within the company. Who will manage the request, who will collect the documents and who will review them before they are sent to the data subject? Put together a process which covers the key steps at each stage, the timeline and the key individuals responsible. This will reduce the response time enabling you to comply with the deadline and ensure that the process is conducted efficiently.
Recognise and acknowledge the request
A DSAR can be written or verbal, and it can be made to any part of your organisation. Basic training should be provided to all employees within your company in order that they can recognise a DSAR and pass it on to the relevant person who will acknowledge the request and handle it. Training your staff on the process is as important as putting it in place. This should avoid the request sitting on someone’s desk whilst the clock is ticking.
Stick to the time limits
The legislation requires that you respond to the request within one month of receipt. This time starts when you receive the request. Therefore, it is important that it is passed to the appropriate person to be dealt with urgently. You can extend the time limit within the legislation if the request is complex or if the data subject has made previous requests, but they must be informed within the 30 day period.
Assess the request
Ensure an assessment of the scope is made at an early stage. Perhaps the scope of the request is not clear, it does not give a specified date range or it is unduly broad. In these circumstances you may wish to contact the data subject to seek clarification. In addition, you may need to check the identity of the data subject and it is open to a data controller to request verifying documentation from the data subject to prove identity where it has reasonable doubts about identity. One advantage in doing this is that it stops the one month clock from ticking until you receive a satisfactory response. The data subject may agree to use search terms or date ranges if they are looking for something specific and if the response will be quicker. Your IT team can then exclude certain documents when collecting the data for review which will save costs and time.
Another important step is to assess the complexity of the request. For example, is the request from an employee and is there potential for litigation in the future? Is the data requested commercially or otherwise sensitive? There are several exemptions when it comes to a DSAR response. For example, privileged material should be withheld as well as third party personal data. The quality of the final response is vitally important. It is essential to ensure that redactions are applied consistently and that no third party data or privileged material is inadvertently disclosed to the data subject.
Don’t hang about!
Don’t lose sight of the end game. Once documents are gathered, what is the process for review? Small volume DSARs can perhaps be dealt with by printing documents, reviewing and redacting manually, but this won’t work for larger scale or complex DSARs. Inevitably there will be inconsistencies in approach, which will reduce the overall quality of output, and difficulties complying with the time limits. There are many technology solutions but if they are not already in place within your company, it will take time to put these processes in place. You will need to establish and train a team to use the software, review the documents and track progress.
How we can help
You may not always require assistance when dealing with a DSAR, especially if you are well prepared, the scope of the exercise is small, you have a dedicated team and your employees are well trained. However, there are times when specialist help may be required. See below for some top tips on when to seek out our assistance:
Our specialist employment law and data protection experts at Cleaver Fulton Rankin can help. They work with our Legal Technology Group, comprised of highly qualified and experienced legal professionals, to deal with your DSAR requests and allow your employees to focus on their day to day duties.
We provide a significant advantage over completing a DSAR request internally by using specialist legal review tools and trusted workflows. We ensure that the DSAR process is completed as efficiently as possible, the scope is reduced where possible and costs are kept to a minimum. We ensure that progress is tracked and requests are completed within the specified time limits to avoid risk of potential penalties. Our experience of regularly dealing with these types of requests and our legal technology expertise enable us to provide our clients with a high quality, cost-effective solution to DSAR requests.
This article has been produced for general information purposes, and further advice should be sought from a professional advisor. For advice or information, please contact the Legal Technology team at Cleaver Fulton Rankin.