Is your business prepped and ready to handle a Data Subject Access Request (DSAR)? Do you know that mishandling a DSAR can lead to hefty fines under the GDPR?
You will receive a DSAR if an individual exercises their right of access. You are then legally required to provide them with a copy of all the personal data you hold and process about them, alongside some supplementary information.
Whether you are handling a DSAR for the first time, or your first since the General Data Protection Regulation (GDPR) came into force, organisations need to handle requests according to the appropriate formal guidelines, because doing so is a legal requirement. There are important steps to understand and comply with, as well as timeframes to adhere to.
DSARs can come from anyone you process personal information about including employees, customers, suppliers and sub-contractors. They may submit a DSAR in order to understand what personal information you’re processing and to check that you are doing so lawfully.
The GDPR dictates the steps an organisation must take to lawfully process a DSAR, and the supplementary information that must be included. This handy guide will help bring you up to speed.
How to handle a DSAR
Understanding how to handle a DSAR protects your organisation as well as the individual and their rights. Here we look at how to handle a DSAR, step by step, so that you can understand, protect and comply.
An individual may make a DSAR either verbally or in writing. You will need a company policy for how you record any verbal requests you receive. Requests don’t have to be addressed to a particular person. They could be made to any part of your organisation, including via social media. The request does not have to use the words ‘subject access request’; it just has to be clear that the individual wishes to access their personal data.
An individual only has the right to access their own personal data, confirmation that you are processing their data and any supplementary information. Supplementary information includes the purpose of your processing and who you disclose the personal information to. To view the Information Commissioner’s Office (ICO) list of supplementary information please click here.
The GDPR recommends providing means for requests to be made electronically, especially where the personal data is processed electronically. Designing a form that individuals can complete is useful, but remember – a DSAR could be communicated via any method. You will need to train staff who interact with data subjects on the appropriate action to take, and who they inform.
When handling a verbal request, it is good practice to check with the individual that you have understood, repeat information back and log details of the request. This may avoid disputes further down the line.
How should the data be provided?
The GDPR recommends that organisations provide remote access to a secure self-service system which gives the individual direct access to his/her information. This direct access must not affect the rights and freedom of others – including trade secrets or intellectual property.
Under the Data Protection Act 2018 (DPA 2018) it is an offence to make any amendment to data with the intention of preventing its disclosure. It is the ICO’s view that a subject access request relates to the data held at the time the request was received. However, routine use of data can naturally result in its amendment or deletion. It would be reasonable for you to supply the data you hold when you respond to the request.
Do you need to explain the contents of the information you send to the individual?
The GDPR requires that the information you provide is in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Aside from the supplementary information you should provide, the data should be capable of being understood by the average person or child.
Can you charge a fee?
Organisations could previously charge a fee for the administrative costs of dealing with a DSAR; however, the GDPR has introduced some important changes. In most cases you cannot charge a fee to comply with a DSAR. However, if you can prove that the request is “manifestly unfounded or excessive”, you may charge a “reasonable fee” for the administrative costs of dealing with the request.
How long do you have to comply?
You must act on the DSAR without undue delay, and without fail, within one month of receipt of the request.
For example, if you receive a request on the 1st June 2019, the clock starts the next day (2nd) and you must have responded by the 2nd July 2019.
If this isn’t possible because the following month is shorter and there is no corresponding calendar date, then the response date is the last day of the following month. If the corresponding date falls on a public holiday or weekend, then you have until the next working day to respond.
NB – It may be helpful to adopt a 28-day response period to ensure you are always inside one calendar month.
In situations where you receive a complex request or a number of requests from the individual, you may extend the response time by a further two months. Ensure you let the individual know within the one-month response time and your reason for the extension.
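The deadline rules above (the clock starting the day after receipt, the corresponding date in the following month, the last day of a shorter month, rollover to the next working day, and the two-month extension) are easy to get wrong by hand. The following is an added example, not part of the original guide, that implements those rules in Python. The public-holiday set is a constructed sample for illustration, not an official calendar, and the 28-day internal target is assumed to run from the date of receipt.

```python
import calendar
from datetime import date, timedelta

# Constructed sample of public holidays for the worked examples below;
# a real deployment would load the relevant national calendar.
CONSTRUCTED_HOLIDAYS = frozenset({date(2019, 12, 25), date(2019, 12, 26)})


def add_months(d: date, n: int) -> date:
    """Return the corresponding calendar date n months after d.

    Where the target month is shorter and has no corresponding date
    (e.g. 31 January + 1 month), fall back to the last day of that month.
    """
    month_index = d.month - 1 + n
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_working_day(d: date, holidays: frozenset = frozenset()) -> date:
    """Roll a date forward past Saturdays, Sundays and public holidays."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def dsar_deadline(received: date, holidays: frozenset = frozenset(),
                  extension_months: int = 0) -> date:
    """Statutory response deadline for a DSAR received on `received`.

    The clock starts the day after receipt; the deadline is the
    corresponding date one month later (plus any extension, at most two
    months, which must itself be notified within the first month), and
    moves to the next working day if it lands on a weekend or holiday.
    """
    if not 0 <= extension_months <= 2:
        raise ValueError("extension may be at most two further months")
    clock_start = received + timedelta(days=1)
    due = add_months(clock_start, 1 + extension_months)
    return next_working_day(due, holidays)


def internal_target(received: date) -> date:
    """Conservative 28-day internal target (assumed to run from receipt);
    28 days never exceeds one calendar month, so it always lands inside
    the statutory deadline."""
    return received + timedelta(days=28)


if __name__ == "__main__":
    # Worked example from the guide: received 1 June 2019 -> due 2 July 2019.
    print("Received 1 June 2019, due:", dsar_deadline(date(2019, 6, 1)))
    # Shorter following month: received 30 Jan 2019 -> due 28 Feb 2019.
    print("Received 30 Jan 2019, due:", dsar_deadline(date(2019, 1, 30)))
    # Corresponding date is a Saturday -> rolls to Monday 8 July 2019.
    print("Received 5 June 2019, due:", dsar_deadline(date(2019, 6, 5)))
    # Corresponding date hits the constructed holidays -> 27 Dec 2019.
    print("Received 24 Nov 2019, due:",
          dsar_deadline(date(2019, 11, 24), CONSTRUCTED_HOLIDAYS))
    # Complex request with the full two-month extension -> 2 Sept 2019.
    print("Received 1 June 2019 (extended), due:",
          dsar_deadline(date(2019, 6, 1), extension_months=2))
```

Each deadline case in the guide is covered by one of the calls at the bottom: the worked example, the shorter-month fallback, the weekend rollover, the holiday rollover and the two-month extension. Keeping the rules in a function like this also gives you a single place to log the computed deadline against the request when it is received.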
Be warned – it is the ICO’s view that it is unreasonable to extend the response time if:
- You are requesting proof of identification before considering the request
- It is unfounded or excessive
- An exemption applies
Should you have any concerns relating to the identity of the individual making the request, you should ask (only) for the information necessary to confirm identification and ask for this as soon as possible. Once you receive this additional information which confirms the individual’s identification – the period for responding to the request begins.
What about requests from third parties?
The GDPR does not prevent a third party making a request on behalf of an individual. For example, a solicitor may make a request on behalf of a client. In this instance, you need to be satisfied that the third party making the request is entitled to do so on behalf of the individual.
The third party is responsible for evidencing this entitlement. Written authority or a general power of attorney are two such examples.
You may send the information directly to the individual rather than the third party who has made the request if you believe the individual may not understand what information would be disclosed to the third party.
When dealing with a request on behalf of a child, it is the child who has the right of access to their personal data and supplementary information, rather than the parent or guardian.
If you require specific information on how to handle a DSAR from, or made on behalf of a child, please click here.
What if the data includes information about other people?
The Data Protection Act 2018 says that you do not have to comply with a request if doing so would disclose information about another individual who can be identified from that information, except if:
- The other individual has consented
- It is reasonable to comply without that individual’s consent
When determining if it is reasonable to disclose the information, you must consider:
- The type of information you would disclose
- Any duty of confidentiality to the other individual
- Steps you should take to seek consent
- Is the other individual capable of giving consent?
- Any express refusal of consent from the other individual
You must decide whether it is appropriate to disclose information relating to a third party. This decision must balance the data subject’s right of access against the other individual’s rights.
Ultimately, who has the responsibility for handling the DSAR?
Responsibility for complying with a data subject access request (DSAR) lies with the organisation, also known as the controller.
Even though a data processor may handle and process the personal data, they do so on behalf of the controller, hence the controller is ultimately responsible. However, data processors are duty bound to assist the controller with the DSAR if their input is needed to fully satisfy the request.
The data processor is an external organisation, for example an accountant or IT support company. For this reason, it is best practice to have data processing agreements in place. A data processing agreement places a contractual obligation on the data processor to respond within the correct timeframe and protects the controller who is responsible for the DSAR.
For more information on the liabilities between the controller and processor, click here.
Can You Refuse to Comply with a DSAR?
If a request is repetitive in nature, manifestly unfounded or excessive, you may refuse to comply. Alternatively, you could request a reasonable fee, which might enable you to deal with the request; either way, you need to justify your decision. There are some exemptions to a DSAR, which can be accessed here.
What to do if you refuse to comply:
- Inform the individual without delay and no later than one month from receipt of the request
- Give your reasons for refusal
- Inform the individual of their right to complain to the ICO or another supervisory authority
- Inform the individual of their ability to seek to enforce this right through a judicial remedy
It is a legal obligation to respond to a subject access request, handle personal data responsibly and comply with the GDPR. 2019 has begun with the ICO issuing hefty fines to non-compliant organisations.
Is it time to call in the experts?
Smarter Data Protection are specialists in data protection and compliance. We are ISO and IBITGQ accredited and provide concise, accurate guidance that you can implement straight away to protect your business.
We are passionate about privacy and make your compliance process simple and transparent.
If you need help handling a subject access request, GDPR compliance or any aspect of data protection get in touch.
Protect your business. Protect your data. Choose Smarter Data Protection.
You can read the Information Commissioner’s Office guidelines here.