Responding to a GDPR Data Subject Access Request

Under the GDPR, people in the EU have the right to request a copy of the information that a company holds about them. This right has increased transparency about how companies collect and use information, and empowers people to take more control over their data.

Responding to data subject access requests (DSARs) can be a time-consuming and complicated process for organisations, especially given the 30-calendar-day time limit mandated by the GDPR. In this blog post, we will walk you through the steps of responding to a request.

Step 1: Receiving The Request

The first challenge in responding to a DSAR is being able to tell whether you have actually received one! DSARs can be made through various channels – in writing, by email, through social media, over the phone – basically, any way that individuals can contact your organisation can be used to make a DSAR.

Training is therefore a crucial part of this process – staff must know what to look for to identify a DSAR. Some requests may come in the form of, “I would like to make an access request for all the information you hold about me under Article 15 of the GDPR”, but others may simply say “Can you send me a copy of my account data?”. Making sure that your staff is aware of data subject rights through training and company policies is vital in this step.

It is perfectly acceptable to ask the person if they are asking for a copy of their data, or if there is any information in particular that they would like to receive. For example, the person may only be interested in emails over a particular time period and this will limit the amount of information you need to sort through to respond to the request.

Step 2: Verifying The Identity Of The Requestor

Before you can think about providing information, you must make sure that you are actually sending it to the right person.

In some cases, you might have a personal relationship with the requestor making the verification process simple and straightforward, but in the majority of cases, you will need to verify their details.

It’s important to note here that this does not mean that you need to collect excessive information. For example, asking someone to provide a copy of their birth certificate and passport would be excessive in almost all cases.

In many cases, verifying their email address and account number will suffice.

The identity verification process should be quick and easy to complete – remember that you only have 30 calendar days to respond, and the clock doesn’t stop because you’re waiting for the person to send you their ID verification information!

Step 3: Are They Only Making An Access Request, Or Is There More To This Story?

The right of access is one right that individuals have, but there are also the rights to erasure, objection, rectification, restriction and portability, and the right to object to automated decision-making. For example, are they asking for a copy of their data to give it to another company, thus making it a portability request? Do they want you to erase their data after receiving a copy of it?

If you are a public authority, you may also need to consider whether the person is making a Freedom of Information Act (FOIA) request. FOIA does not give people access to their own personal data, but it does cover all recorded information held by a public authority, so it’s important that you know what kind of information the person is requesting.

Step 4: Is The Request Valid?

There are certain circumstances where you cannot facilitate a DSAR, for example, if you don’t actually have any data on that person. In this case, you must let the person know within 30 days of receiving the request.

It is possible to extend the 30-day time limit by two months in certain cases. This may apply if a request is complex, such as when an employee who has been with the company for a number of years requests a copy of all of their information. In this case, you will need to review all of the information to ensure that you do not disclose information relating to another employee or legally privileged information, which may simply not be possible to complete within one month. You can then request a two-month extension, but you must notify the person within the first 30 days.

If you have never received a DSAR, you may not know how to assess if a request is complex enough to require an extension. To make sure you don’t get caught out, we would recommend doing a practice response.

Step 5: Collect Data

Now it’s time to start to put together the data to be sent to the requestor. This will require an analysis of where data is located in your organisation – CRMs, email accounts, filing cabinets – anywhere that data is kept should be searched.

If you have created a Record of Processing Activities, this will act as a guide for identifying where your data may be stored.

When you are reviewing the documents, you may find information that is inaccurate, such as the wrong start date for an employee on their personnel file. If you wish to amend the inaccurate information, make sure that you notify the person about the inaccuracy in your response and let them know of any changes you have made.

Step 6: Do Any Exemptions Apply?

When you’re compiling the information to be provided in response to the DSAR, you may find that personal information about other individuals is included. These other people have a right to privacy, meaning that you cannot disclose their information without their knowledge and consent. In these cases it may be unreasonable to ask every single person, and you may instead choose to redact this information.

This information may not be limited to the person’s name – for example, if John is the only Project Manager in a company, his job title may be enough to identify him. In this case, redacting the job title is required to protect his identity. It is therefore important to consider the context of the information when deciding what to provide.

Other exemptions may also apply, such as where the data is covered by legal professional privilege or where disclosure may lead to self-incrimination.

Step 7: Informing The Requestor About Their Rights And How Their Data Is Used

Under Article 15 of the GDPR, the data subject must be provided with certain information, as well as the personal data they have requested. This includes the purposes of your data processing, the categories of data processed, who you have shared their data with, and the rights that the person has over their data.

This information is included in your privacy policy, and this gives the data subject a chance to check the information you have provided against your privacy policy to ensure that you are processing their data in the ways they were informed about. As such, it’s important that you keep your privacy policy up to date to make sure you don’t get caught out.

Step 8: Provide The Data To The Data Subject

Once you have collected the data, it is a good idea to contact the requestor and ask how they would like you to deliver it. For example, they may want you to copy the information to a CD and hand it to them, they may want you to email it to them, or they may ask you to print out the information and post it to them.

You should keep in mind that there is a risk of data breaches at this point – you may send it to the wrong postal or email address, or you may lose physical copies of the data. If you are emailing the information, it is good practice to password-protect the folder and send the person the password in a separate communication.

Step 9: Document The Process

In line with the Principle of Accountability, you must keep a record of data subject requests, including the date they were received and fulfilled, the information that was provided, and any other relevant information. If your company were to be audited by a Data Protection Authority, they are likely to request this register.

If you have a Data Protection Officer, it will fall under their responsibility to maintain this register, otherwise, it is important to make sure that you have designated someone in your company to complete this task.
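As an added illustration of the deadline rules in Step 4 and the register in Step 9 (example code written for this post, not a tool from the author or Apex Privacy), the following tracker records each request, computes the 30-calendar-day deadline from the date received (the clock does not pause for identity verification), and only accepts a two-month extension if the requestor was notified within the first 30 days. The record fields, function names and sample dates are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

RESPONSE_DAYS = 30     # 30 calendar days to respond
EXTENSION_MONTHS = 2   # extension allowed for complex requests


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last valid day of the target month."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    first_of_next = date(year + month // 12, month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


@dataclass
class DsarRecord:
    """One entry in the DSAR register (field names are assumptions for this example)."""
    request_id: str
    received: date                  # the deadline runs from this date
    channel: str                    # email, letter, phone, social media ...
    identity_verified: Optional[date] = None   # does not affect the deadline
    extension_notified: Optional[date] = None
    fulfilled: Optional[date] = None
    notes: List[str] = field(default_factory=list)

    def deadline(self) -> date:
        base = self.received + timedelta(days=RESPONSE_DAYS)
        return add_months(base, EXTENSION_MONTHS) if self.extension_notified else base

    def request_extension(self, notified_on: date, reason: str) -> None:
        # The extension is only valid if the person is told within the first 30 days.
        if notified_on > self.received + timedelta(days=RESPONSE_DAYS):
            raise ValueError("extension must be notified within the first 30 days")
        self.extension_notified = notified_on
        self.notes.append(f"extension requested: {reason}")

    def days_remaining(self, today: date) -> int:
        return (self.deadline() - today).days

    def is_overdue(self, today: date) -> bool:
        return self.fulfilled is None and today > self.deadline()


def overdue_requests(register: List[DsarRecord], today: date) -> List[str]:
    """Return the ids of open requests that have passed their deadline."""
    return [r.request_id for r in register if r.is_overdue(today)]
```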

Concluding Remarks

After reading this, you may realize that responding to DSARs requires a lot of time and resources, especially when you are (usually) limited to 30 days to respond to them. If you have yet to receive a DSAR, now is the time to practice to make sure that you don’t get caught out.

If you have any questions about responding to a DSAR, please listen to our podcast where we describe these steps here: Episode 105, Episode 106.

And if you need any further assistance, don’t forget to book your first free consultation with us!

AUTHOR – PAULA MAHONEY, JUNIOR DPO AT APEX PRIVACY