Data Subject Access Requests – more commonly known as DSARs – are becoming increasingly common, and unfortunately, they’re not getting any easier to handle. One thing that makes DSARs such a challenge is that there is no formalised process for submitting them. This can make it difficult for organisations to define a suitable protocol for handling them when they arise.
If this sounds like you, fear not! This short, digestible checklist should be more than enough to get you started. Read on for the step-by-step checklist to managing a Data Subject Access Request. (You can also download our free DSARs checklist for a more in-depth discussion!)
Step #1: Identify the data subject:
Once you’ve received a Data Subject Access Request, the clock starts ticking, and you have one calendar month to fulfil the request. In some cases, identifying the requester is simple: for example, they may make the request in an email with their full name in the signature, or via your organisation’s intranet portal, from which you can ascertain their identity. But in many cases, DSARs are made anonymously, or by third parties on the requester’s behalf. In these situations, you will need to determine their identity before you can begin to fulfil the request.
The difficulty here is verifying the requester’s identity without using methods that could be deemed ‘disproportionate’ under data protection regulations.
Guidance from the Information Commissioner’s Office (or ICO) states that “you must be reasonable and proportionate” when asking for any personally identifiable information. You should not request more information if the requester’s identity is obvious, and you should not request formal ID documents (e.g. passport or driver’s license) unless absolutely necessary.
Step #2: Determine the scope of the request:
While it is the duty of any organisation faced with a DSAR to be thorough and proper in its response, collating more information than necessary is a common mistake. Not only does this cost you over the odds in terms of the time, money and resources required to fulfil the request, but it can also overwhelm or confuse the data subject.
The ramifications of this can be serious, even resulting in hefty non-compliance fines. The way to avoid these difficulties is simple – clearly define the scope of the request before you get started. This will ensure everyone involved can be as focused and time-efficient in their approach as possible.
At this stage, you should also clarify the format in which the requester wishes to receive the data in question (we’ll come back to this).
Step #3: Start collecting the data:
Now you know who the request is regarding, and the scope of the data you need to collate on behalf of the data subject, it’s time to get to work. The onus is on you to ensure that no stone is left unturned in your search. There may be several different employees within an organisation who possess data that relates to the data subject and their request. If so, it’s your job to ensure that such things are found and included in your response.
During the data collection process, you must also ensure that the personal information of any other data subjects remains protected. This may require you to redact or otherwise amend sensitive or personally identifiable information in any communications and documents you send to the data subject, for example where a colleague’s name is mentioned in an email that is relevant to the request.
Step #4: Format the data as requested:
This is where we come back to the matter of formatting that we raised in Step 2.
You need to ensure that when you send the requested data across, it is sent according to the preferences of the requester. The reason for raising this earlier in the process is that certain data formats can take considerably more time to prepare than others. Therefore, the time and resources required to do so must be factored into your response from the outset.
Being prepared and proactive here will always prove worthwhile, particularly if the requester wants their data to be printed out and sent in the post.
Step #5: Reiterate the requester’s rights:
Before you send your data across, be sure to inform the data subject of their rights – even if these points have been covered in your correspondence leading up to this point. These rights include (but are not limited to) the requester’s right to object to the processing of their personally identifiable information, the right to request that their data be erased or rectified, or that its processing be restricted, and the right to make a formal complaint.
For more comprehensive information on an individual’s data protection rights, head to this page on the ICO website.