How to handle a Data Subject Access Request (DSAR)

What is a DSAR?

The GDPR explanation:

“A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”

In short:

Anytime a person (also known as a "data subject") submits a DSAR, your organisation must respond by providing a copy of any relevant information you have on the subject.

DSARs are not a new concept and have long been acknowledged as fundamental rights, but the GDPR introduced several changes that make it easier for people to request information and more difficult for organisations to comply.

You can use the handy guide below to help you. You can also reach out to our specialist team for more details by submitting a contact form.

Key steps on how to respond to a DSAR:

 

DSAR RECEIVED

Start the 1-month clock

You have 1 calendar month to provide the individual with the information requested.

Make sure you have established a process to know how to recognise a DSAR.

VERIFY IDENTITY

Request ID if necessary

You can seek further information if you are unsure about the requester's identity (at which point the 1-month clock starts).

Request this information as soon as possible, and only if it is truly essential.

IDENTIFY WHAT THE REQUEST IS

What information does the subject want?

Is it only a request for information, or are other rights being invoked, such as the right to be forgotten?

DIRECT THE REQUEST TO THE APPROPRIATE TEAM

Where is the data stored?

Most likely, the initial point of contact will be your IT staff.

COLLECT DATA

Does the data include information about other subjects?

The DPA 2018 says that you are not obligated to comply with a request if it would require releasing information about another person who can be identified from that information, unless that person has given their consent, or it is appropriate to do so without that person's permission.

 

PACKAGE DATA

How are you going to share the data with the subject?

The GDPR includes a best practice recommendation that organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information (Recital 63).

ADD SUPPLEMENTARY INFORMATION

Ensure the subject knows their rights

Under GDPR, additional details, including the reason for your data processing and the subject's right to file a complaint, must also be included.

 

PROVIDE THE DATA TO THE SUBJECT

Stop the clock

To demonstrate that you have acted responsibly and in compliance throughout these steps, we advise that you document the process at each stage.


The Monmouth Data Security and Protection Team
Monmouth Partners