Data Subject Access Request (DSAR) Guide

 

What is a DSAR?

Both the EU and UK GDPR grant individuals the right to access their personal data from data controllers to ensure lawful processing.

A request to access personal data is known as a DSAR (data subject access request).

Subject access requests are not new, but the GDPR introduced some changes that make responding to them more challenging.

For instance, organisations may no longer charge a fee, except in certain circumstances, and now have less time to respond.

Failure to respond to DSARs can leave organisations open to the higher level of administrative fines under the GDPR: £17.5 million or up to 4% of annual global turnover – whichever is greater.

UK data protection law is currently being revised. We are following the progress of the Data Protection and Digital Information (No.2) Bill through parliament and will keep you updated on how it might affect your data processing obligations.

What is the right of access?

Article 15 of the GDPR requires data controllers to confirm to data subjects whether they are processing the subject’s personal data.

If so, controllers must provide the data subjects with a copy of that personal data (providing it does not adversely affect the rights and freedoms of others), as well as certain other information.

In most cases, controllers must provide this information free of charge, but may charge a reasonable administrative fee for additional copies requested by the data subject, or if requests are manifestly unfounded or excessive.

Where data is transferred to a third country or international organisation, data subjects also have the right to be informed of the appropriate safeguards relating to the transfer.

DSAR free pdf download

Free download: A Guide to Data Subject Access Requests 

This free guide explains how to manage data subjects’ rights in line with the GDPR and clarifies the new obligations for organisations.   

Download now

How to respond to a DSAR

Verify the applicant’s identity

Before taking any action, controllers must verify the identity of the DSAR applicant, as disclosing personal information to the wrong recipient is itself a breach of the GDPR.

If controllers can demonstrate that they are not able to identify the data subject, they can refuse to act on a DSAR.

As with so many aspects of GDPR compliance, the word ‘demonstrate’ is important here. Controllers must maintain appropriate records of any decision not to respond so that they can justify their actions to the relevant supervisory authority (the ICO (Information Commissioner’s Office) in the UK) if necessary.

It is also important to note that controllers may not retain personal data solely to be able to react to potential DSARs.

If a controller has reasonable doubts concerning the identity of the person making the DSAR, they can request additional information.


Gathering the information

The most time-consuming part of responding to DSARs is locating all the relevant information. It is therefore useful to have a procedure that enables you to check the data you process and where it is stored. A data flow map and data inventory will help.

Find out more about data flow mapping and why it's essential for assessing your organisation's privacy risks


How to communicate with the applicant

Article 12(1) states that controllers must provide communication “in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means”.

Recital 63 provides further information: “Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.”

The ICO’s guidance explains that “This will not be appropriate for all organisations, but there are some sectors where this may work well.”


When to respond to a DSAR

Data controllers have one calendar month to respond to a DSAR.

However, Article 12(3) grants that this period “may be extended by two further months where necessary, taking into account the complexity and number of the requests”.

Data controllers must still contact the DSAR applicant within one month and inform them of any extension, explaining the reason(s) for the delay.


Information to include when responding to a DSAR

When responding to a DSAR, data controllers must provide data subjects with the following information:

  • The purposes of the processing.
  • The categories of personal data involved.
  • The recipients (or categories of recipients) the personal data has been or will be disclosed to.
  • The length of time the personal data will be retained (or, if this is not possible, the criteria for determining the retention period).
  • The existence of the data subject’s right to request that the controller rectify or erase the personal data or restrict processing, or to object to processing.
  • The data subject’s right to lodge a complaint with a supervisory authority.
  • Where the personal data has not been collected direct from the data subject, any available information about its source.
  • The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences for the data subject of such processing.

Information to withhold - DPA 2018 exemptions

The DPA 2018 sets out the UK’s exemptions and derogations from the GDPR.

Section 45(4) of the DPA 2018 states that controllers may restrict the right of access, wholly or partly, to:

  • Avoid obstructing an official or legal inquiry, investigation or procedure.
  • Avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties.
  • Protect public security.
  • Protect national security; or
  • Protect the rights and freedoms of others.

For most data controllers, the last of these points will be the most relevant. You do not have to comply with a DSAR if it would mean disclosing another data subject’s personal data unless:

  • The other data subject has consented to the disclosure; or
  • It is reasonable to comply with the DSAR.

The ICO explains that, when determining whether it is ‘reasonable’ to disclose the information, controllers should “take into account all of the relevant circumstances”.

If you decide not to disclose personal data, you will have to record your reason for not doing so and communicate this to the DSAR applicant within the appropriate timeframe.

Other exemptions under the DPA 2018 relate to certain forms of data processing relating to:

  • Healthcare
  • Taxation
  • Crime prevention
  • Legal professional privilege
  • Specific enactments relating to:
    • Human fertilisation and embryology
    • Adoption
    • Special educational needs
    • Parental orders
    • Children’s hearings
  • Immigration control
  • Scientific or historical research
  • Statistical purposes
  • Archiving in the public interest
  • Social work data
  • Education data
  • Child abuse data
  • Corporate finance
  • Management forecasts
  • Negotiations
  • Confidential references
  • Exam scripts and marks

Information about all of these can be found on the ICO’s website.


Excessive requests and reasonable administrative fees

Where DSARs are “manifestly unfounded or excessive, in particular because of their repetitive character”, controllers may either charge a reasonable fee or refuse to act on the request.

It is up to the controller to demonstrate whether requests are manifestly unfounded or excessive, so appropriate record-keeping is, again, essential.

The size of the fee should be based on the administrative cost of providing the relevant information.

DSAR response challenges

Some of the key challenges businesses experience when responding to DSARs include:

  • Handling volume and complexity of requests: The number of DSARs received by businesses has significantly increased in recent years. This increase in volume can be challenging for businesses to manage, particularly if they have limited resources and outdated systems.
  • Managing costs: Fulfilling DSARs can be resource-intensive, both in terms of time and money. To manage costs effectively, businesses may need to invest in new technology and tools to streamline the DSAR process.
  • Identifying and locating relevant data: DSARs require businesses to identify and locate all the relevant information associated with a particular request. This can be a complex and time-consuming process, particularly if data is stored in multiple systems or locations.

Creating a DSAR procedure

Data subjects must be able to exercise their right of access easily and at reasonable intervals, and do not have to make their requests in writing. Moreover, they can make a request to anyone in the organisation, so it is important for all staff to be able to recognise a DSAR when they receive one.

It is therefore essential to have a proper procedure in place that everyone in the organisation can follow.

The image to the right is an example of a customisable DSAR procedure template, taken from our GDPR Toolkit

The GDPR Documentation Toolkit contains all the GDPR policies and procedures you need to demonstrate compliance.

Learn how the GDPR Documentation Toolkit can help you accelerate your compliance project

DSAR procedure example

How we can help you meet your GDPR compliance requirements

IT Governance is a leading provider of IT governance, risk management and compliance solutions. Browse our wide range of GDPR compliance products and services to support your project.

This website uses cookies. View our cookie policy
SAVE 10%
ON SELECTED
TRAINING