DSAR-RRRGH! Dealing with Data Subject Access Requests (DSARs)

August 25, 2021

Data subject access requests (or DSARs) are just one of the legal rights that individuals have under data protection law, but they are probably the request most known for causing the biggest headaches. If you have never had to deal with a data subject access request, their bad reputation comes from the fact that they can be a resource nightmare – sucking up time, money and effort.

There is added pressure because you are not allowed to charge a fee (so you cannot recoup the costs) and you have a time limit of 30 days to respond (so it might be that you have to drop other projects to prioritise the request).

Of course, it’s not all doom and gloom. DSARs are a fantastic way of ensuring businesses engaging in data processing do so responsibly. DSARs can also act as a way of embedding good working practices. If something embarrassing comes out of the woodwork as part of a DSAR disclosure, it is an opportunity to reflect on whether your people policies or retention policies are actually working. Perhaps, more so than scary fines imposed by a regulator, DSARs are something that keeps businesses on track for data protection and compliance.

In this article, we tackle how to respond to a DSAR, from upholding UK GDPR compliance to the ins and outs of a DSAR submission. You'll come away with a clear understanding of how to handle data privacy, how to deal with a data subject access request, and how to abide by data protection law.

How to respond to a DSAR

First things first: if someone submits a DSAR, you’re going to need to respond – regardless of the size of your business. Here are a few tips to ensure legal compliance with a data subject access request.

1) Make sure you know what a DSAR is

Although the right to access your information is everyone’s legal right, that doesn’t mean it needs to be worded in a legal way. This means that your business might receive a DSAR in a letter or email, over the phone, via your social media channels or even by using your website chat box.

Some examples of messages or requests which would be considered a DSAR include:

  • “What information do you hold on me?”
  • “I want to know what personal data you have stored about me.”
  • “Can you please tell me what personal data you hold on me and why?”
  • “I’d like to know what personal data of mine you have.”
  • “Please send me all the information you hold on me.”

The last thing you want is to miss a DSAR and only hear about it from the ICO (the Information Commissioner’s Office, the UK regulator for data protection) because the person has complained that you have not responded to them. So it’s important that you and your team are trained to recognise one.

You can make things a little bit easier for yourself by outlining on your website, in clear and plain language, how someone can make a DSAR submission (e.g. by having a link to a designated e-mail address) – although it is still up to the person making the request (known as a Data Subject) if they want to make the request some other way.

2) Use technology (combined with good old-fashioned housekeeping!) to help you through the DSAR process

When someone asks you to give them a copy of the information you hold about them, the first step is to check through your systems, emails, internal chats, hardcopy documents etc. to pull together the big pile of “Information About Them” into one place.

You probably already use a lot of tech to help support your business (you might even have created it yourself!). The downside of being able to conveniently share, save and download is that documents end up duplicated and stored across lots of different systems, folders and even (shock horror) on local drives. Thinking of the futuristic set-up you’ve got going on, with multiple systems, you might begin to understand why some people think DSARs are a nightmare to deal with. But don’t worry, here is how your tech can help you:

  • Change your settings to enable the “retention” functionality. The standard default position is that your systems will keep storing information forever, but most of the big platforms (think Google and Microsoft) will let you change that and pick a retention period. This means that the system will automatically delete emails, instant messages or whatever you use that platform for after a certain period. This will significantly reduce the amount of information you have to sift through (which even has the bonus of reducing overheads, because digital storage gets expensive!). But be warned, you may want to have a separate folder to save certain documents or emails that you want to keep for longer (e.g., a signed contract or legal advice) and you’ll need to remember to do this manually (unless someone out there has a handy tip on how to set this up as well? We’d love to hear!)
  • Use the search bar. Explain to the individual which search terms you’ll use to carry out the search. You might use their full name, initials, their email address or even their job title. Lots of systems include a search bar functionality. An extra tip: if you put a phrase in quotation marks, most search tools will look for that exact phrase rather than each word separately.
  • Share links to documents instead of attachments (and update the editing permissions). This reduces the risk of having lots of versions of the same document saved on your system and can prevent people from saving local copies to their device. It is likely you are paying a fee to use that platform or product, so get your money’s worth by using its different functionality!
  • Extract data into searchable formats, for example, transferring data in Excel spreadsheets to databases.
  • Use descriptive file names for documents. Include the client name: generic file names are easily missed when you search for documents.
  • Map out your systems visually to show where data is stored; use a charting tool and keep it up to date.
  • Practise good data hygiene and archive and delete files (within your regulatory requirements).
  • Avoid duplicating data and work from single sources of truth where possible.

3) People are only entitled to their personal data

There are a couple of things to think about when it comes to personal information and the privacy rights of data subjects. The first is personal data (which is any information that can or could be used to identify a living person). The second is that the "Data Subject" is only entitled to their own personal data.

This means that you need to carefully check the information your search pulled up to make sure you are not sharing anything you shouldn’t be. This is especially tricky when it comes to responding to DSARs made by employees, because their personal data will appear in lots of different places (for example, their name might appear in their email signature). In this example, you would not need to send every email that ever had their name on it – because a lot of that would be purely business information, or the main text of that email might be about somebody else.

Not everyone realises that you only need to provide copies of the actual personal data, not copies of the documents which contain that personal data. It can be useful, and sometimes more appropriate, to send out the document, but that can become disproportionate when there are thousands of emails. Here, our advice would be to set out the repeated information in a table.

Only provide copies of the emails where the main text of that email contains personal data. Of course, you need to redact (which means block out or remove) any information which is not about the Data Subject. You definitely would not want to be sending out confidential business information or someone else’s personal data to them!
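To make the search tip above and the “main text only, redact everyone else” rule concrete, here is a small Python helper, written for this article rather than taken from any product or from the ICO. It runs over a constructed sample mailbox (the people, addresses and messages are invented). It treats each agreed search term as an exact phrase, ignores anything below the conventional “-- ” signature delimiter so that a name appearing only in a signature does not pull an email in, and then blacks out other people’s email addresses and a supplied list of known third-party names before disclosure. The signature delimiter, the sample messages and the third-party list are all assumptions for the example; in practice the redaction still needs a human review.

```python
"""DSAR search-and-redact example over a constructed sample mailbox (not real data)."""
import re
from dataclasses import dataclass


@dataclass
class Message:
    msg_id: str
    sender: str
    subject: str
    body: str  # may end with a "-- " signature block


# Constructed sample values: none of these are real people or real correspondence.
SUBJECT_NAME = "Jane Example"
SUBJECT_EMAIL = "jane.example@example.test"
# The search terms you told the requester you would use (assumed for this example).
SEARCH_TERMS = [SUBJECT_NAME, SUBJECT_EMAIL, "J. Example"]
# Names known to belong to other people, so their mentions are redacted (assumed).
THIRD_PARTIES = ["Bob Other"]

SAMPLE_MESSAGES = [
    Message("m1", "hr@example.test", "Probation review",
            "Jane Example passed her probation. Bob Other will update the HR system.\n"
            "Contact bob.other@example.test if the record is wrong.\n-- \nHR Team"),
    # Only the signature mentions the data subject: business email, not about her.
    Message("m2", SUBJECT_EMAIL, "Q3 invoices",
            "Attached are the Q3 invoices for the Acme account.\n-- \nJane Example\nAccounts"),
    Message("m3", "bob.other@example.test", "Parking",
            "Reminder: Bob Other has booked bay 12 on Friday.\n-- \nBob"),
]

SIG_DELIMITER = "\n-- \n"  # conventional email signature separator (assumption)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def strip_signature(body):
    """Return the main text of an email, dropping anything after the signature delimiter."""
    return body.split(SIG_DELIMITER, 1)[0]


def term_pattern(term):
    """Exact-phrase, case-insensitive match that will not fire inside a longer word
    (so initials such as "JE" do not match "project" or "jeans")."""
    return re.compile(r"(?<!\w)" + re.escape(term) + r"(?!\w)", re.IGNORECASE)


def find_relevant(messages, terms):
    """Map message id -> list of agreed search terms found in its subject or main text."""
    patterns = [(t, term_pattern(t)) for t in terms]
    hits = {}
    for m in messages:
        text = strip_signature(m.body)
        matched = [t for t, p in patterns if p.search(text) or p.search(m.subject)]
        if matched:
            hits[m.msg_id] = matched
    return hits


def redact(text, subject_email, third_parties):
    """Black out every email address except the subject's, plus listed third-party names."""
    def keep_or_redact(match):
        found = match.group(0)
        return found if found.lower() == subject_email.lower() else "[REDACTED EMAIL]"

    out = EMAIL_RE.sub(keep_or_redact, text)
    for name in third_parties:
        out = term_pattern(name).sub("[REDACTED THIRD PARTY]", out)
    return out


def prepare_disclosure(messages, terms, subject_email, third_parties):
    """Return {message id: redacted main text} for the messages that mention the subject."""
    by_id = {m.msg_id: m for m in messages}
    relevant = find_relevant(messages, terms)
    return {mid: redact(strip_signature(by_id[mid].body), subject_email, third_parties)
            for mid in relevant}


if __name__ == "__main__":
    for mid, text in prepare_disclosure(SAMPLE_MESSAGES, SEARCH_TERMS,
                                        SUBJECT_EMAIL, THIRD_PARTIES).items():
        print(f"--- {mid} ---\n{text}\n")
```

On the sample mailbox only m1 is disclosed: m2 carries the subject’s name solely in the signature of a routine business email, and m3 is about somebody else entirely. The redaction pass keeps the subject’s own data readable while removing the other person’s address and name, which is the part of the process you would still want a person to check before anything leaves the building.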

It can get a bit tricky to decide what counts as personal data. For example, instant messages and emails often contain personal views of and about other people. Whether that should be disclosed to the Data Subject depends on the circumstances and what has been said, but you should know that sometimes it must be disclosed. Even if what was written makes you full body cringe, you might have to put it out there and (going back to the glass-half-full approach at the start of this blog) use it as a lesson to remind people what work systems should and should not be used for.

The ICO has guidance on its website on what it expects you to do and how to approach DSARs, but know that we’re here to help out as well. Stephenson Law is here to make DSARs less “DSARGHHHH” and more “DSAHHHHH” (that’s a sigh of relief by the way!).

Has your organisation been asked to delve into the personal information you collect on data subjects? We’re data protection law experts, highly experienced in getting data on your good side. From dealing with a data breach, to squeaky-clean UK GDPR compliance, we work tirelessly to ensure our clients are on the right side of data privacy laws. 

Discover how we can support you with DSAR compliance, whether that's tackling the ins and outs of a DSAR submission, or compiling a DSAR response. Find out more about how we can support you here.
