What is a DSAR?
The GDPR explanation:
“A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”
Whenever a person (also known as a "data subject") submits a DSAR, your organisation must respond by providing a copy of any relevant information you hold on that subject.
The right of access is not a new concept and has long been acknowledged as a fundamental right, but the GDPR introduced several changes that make it easier for people to request information and more difficult for organisations to comply.
You can use the handy guide below to help you, or reach out to our specialist team for more details by submitting our contact form.
Key steps on how to respond to a DSAR:
Start the 1-month clock
You have 1 calendar month to provide the individual with the information requested.
Make sure you have established a process to know how to recognise a DSAR.
Request ID if necessary
You can seek further information if you are unsure about the requester's identity (at which point the 1-month clock starts).
Request this information as soon as possible, and only if it is truly essential.
IDENTIFY WHAT THE REQUEST IS
What information does the subject want?
Is it only a request for information, or are other rights being invoked, such as the right to be forgotten?
DIRECT THE REQUEST TO THE APPROPRIATE TEAM
Where is the data stored?
Most likely, the initial point of contact will be your IT staff.
Does the data include information about other subjects?
The DPA 2018 says that you are not obligated to comply with a request if it would require releasing information about another person who can be identified from that information, unless that person has given their consent, or it is appropriate to do so without that person's permission.
How are you going to share the data with the subject?
The GDPR includes a best practice recommendation that organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information (Recital 63).
ADD SUPPLEMENTARY INFORMATION
Ensure the subject knows their rights
Under the GDPR, you must also include additional details, such as the reason for your data processing and the individual's right to file a complaint.
PROVIDE THE DATA TO THE SUBJECT
Stop the clock
To demonstrate that you have acted responsibly and in compliance throughout these steps, we advise that you document the process at each stage.
The Monmouth Data Security and Protection Team