Data Subject Access Requests – more commonly known as DSARs – are becoming increasingly common, and unfortunately, they’re not getting any easier to handle. One thing that makes DSARs such a challenge is that there is no formalised process for submitting them, which makes it difficult for organisations to define a suitable protocol for handling them when they arise.
If this sounds like you, fear not! This short, digestible checklist should be more than enough to get you started. Read on for the step-by-step checklist for managing a Data Subject Access Request. (You can also download our free DSARs checklist for a more in-depth discussion!)
Step #1: Identify the data subject
Once you’ve received a Data Subject Access Request, the clock starts ticking, and you have one calendar month to fulfil the request. In some cases, identifying the requester is simple: for example, if they make the request in an email with their full name in their signature, or via your organisation’s intranet portal, from which you can ascertain their identity. But in many cases, DSARs are made anonymously, or by third parties on the requester’s behalf. In these situations, you will need to determine the requester’s identity before you can begin to fulfil the request.
The difficulty here is verifying the requester’s identity without using methods that could be deemed ‘disproportionate’ under data protection regulations.
Guidance from the Information Commissioner’s Office (ICO) states that “you must be reasonable and proportionate” when asking for any personally identifiable information. You should not request further information if the requester’s identity is already obvious, and you should not request formal ID documents (e.g. a passport or driver’s licence) unless absolutely necessary.