DSAR Disrupt Business

A data subject access request (DSAR) is one of a number of data subject rights which allow individuals to obtain a copy of the personal data an organisation processes about them. In this article we explore some of the ways that DSARs disrupt businesses and their normal operations, using real-life examples. We also provide some tips on how to handle DSARs effectively and efficiently.

DSARs are one of the key rights under the UK Data Protection Act 2018 and the UK and EU General Data Protection Regulation (GDPR), where the right of access is set out in Article 15. They can be a useful tool for individuals to exercise control over their personal data and to hold organisations accountable for how they process it. However, they can also pose significant challenges and risks for the businesses that receive them.

Weaponisation of the DSAR

Whilst a DSAR is a tool by which a data subject requests access to personal data for genuine purposes, there have been many examples of its use to support a grievance. A typical example is a disgruntled ex-employee who makes a broad request for all personal data held about them from their period of employment. This can cause significant challenges for the data controller, who needs to identify the data, review it to apply exemptions and redactions, and prepare it for issue, all within one month of receipt.

DSARs are not meant to be used as a litigation tool or a form of protest, but as a way to protect individuals' data rights and privacy. Data controllers may refuse to act on a request, or charge a reasonable fee, if it is 'manifestly unfounded or excessive', which might include abusive or vexatious requests. However, applying such an exemption requires the organisation to weigh the data subject's rights, and as with many aspects of data protection regulation, proportionality is key to good management. The burden of demonstrating that a request is manifestly unfounded or excessive sits with the controller, so where a challenge is made the assessment and the rationale for rejection should be evidenced and retained.

How can a DSAR disrupt business operations?

DSARs can have a negative impact on business operations in various ways:

  • Consuming time and resources: DSARs can be complex and time-consuming to handle, especially if they involve large amounts of data or multiple systems. Businesses have to respond within one month of receipt; this can be extended by up to two further months where a request is complex or the organisation has received a number of requests from the individual, but the data subject must be told of the extension, and the reason for it, within the first month. The work can divert staff and resources away from core tasks and projects.
  • Exposing sensitive information: DSARs can reveal sensitive or confidential information that businesses may not want to disclose to the data subject or to third parties. Some exemptions allow personal data to be withheld where disclosing it would prejudice the controller's purpose, i.e. it would have a damaging or detrimental effect on what you are doing, but each exemption has to be considered on a case-by-case basis rather than applied as a blanket refusal.
  • Triggering legal disputes: DSARs can lead to legal disputes or complaints if businesses fail to comply with them or if data subjects are dissatisfied with the response. For example, there have been cases where an employee submitted a DSAR to gather evidence for an Employment Tribunal claim, or simply to increase pressure on an employer with the aim of securing a favourable exit package.
  • Damaging customer trust and loyalty: DSARs can damage customer trust and loyalty if businesses are perceived as being unresponsive, uncooperative or careless with personal data.
  • Increased costs: Seeking out data protection expertise in order to deal with a DSAR can increase operational costs, as consultancy or temporary resource costs for tasks such as redaction can be high.

How can an organisation handle DSARs effectively and efficiently?

DSARs are not only a legal obligation but also an opportunity for businesses to demonstrate their commitment to data protection and customer service.

Prepare

  • Policy, procedure and education: In order to handle DSARs effectively an organisation should have a basic operating model in place, supported by a data protection policy and a data subject rights procedure. These should be distributed routinely so that staff are aware of their obligations.
  • Understanding where data is held: In order to identify the personal data requested, an organisation must know where personal data is held. A record of processing activities (ROPA) or an information asset register will provide a good deal of insight.
  • Have a clear and accessible policy and procedure for handling DSARs: Businesses should inform data subjects about their right to make a DSAR and how to do so on their website, privacy notice or other communication channels. They might also have a dedicated team or person responsible for handling DSARs and a standard process for verifying the identity of the requester, locating and retrieving the relevant data, reviewing and redacting it if necessary, and providing it in a secure and user-friendly format.
  • Use technology and automation tools: Businesses should leverage technology and automation tools to streamline and simplify the process of handling DSARs. For example, they can use software solutions that can scan multiple systems and databases for personal data, generate reports and logs of data processing activities, anonymise or pseudonymise data where appropriate, and create templates and formats for responding to DSARs.
  • Train staff and raise awareness: Train staff on how to recognise and respond to DSARs in accordance with the law and policy. Raise staff awareness about the importance of data protection and the potential consequences of mishandling personal data or failing to comply with DSARs.

Process

  • Confirm identity: If there is any doubt as to the identity of the individual making the request, ask for identity evidence, but ask only for what is proportionate to confirm who they are. It makes sense to begin the discovery phase whilst waiting for identity evidence, but personal data should not be sent until identity is clear.
  • Be specific: Do not be afraid to ask for more details about the data requested. Most individuals will welcome the conversation, as they usually have a specific reason for the request and do not want to be drowned in information. Bear in mind that the requester can decline to narrow the request, in which case it still has to be answered as made.
  • Ensure that the DSAR is logged and managed: Maintain a log of each DSAR so that progress can be evidenced and requests are handled correctly and within the statutory timescales.
  • Apply exemptions where relevant: A DSAR can be refused either in full or in part, but if an exemption is applied the justification should be clear and evidenced. The DSAR log should record the communications and which exemptions were applied (ICO DSAR Exemptions).
  • Redact: Personal data relating to an individual other than the data subject should not be disclosed unless that individual has consented or it is reasonable in all the circumstances to disclose it without consent. It is therefore important that names, initials and other identifying information about third parties are redacted from the data provided, and that the redaction actually removes the text (including from email headers and metadata) rather than merely covering it in the rendered document.
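The five process steps above, taken together, amount to a small state machine: the statutory clock, an identity gate in front of release, an audit trail of exemptions with their rationale, and a redaction pass. The register below is an added example written for this article, not ProvePrivacy's tooling. It assumes the ICO calendar-month rule (the period runs from the day of receipt, or from the day identity evidence is accepted where identity was in doubt, to the same date in the following month, clipped to month-end), and it treats an extension as stretching the period to three months from the same start; the reference, names and dates are constructed sample data.

```python
"""DSAR register: statutory deadline, identity gate, evidenced exemptions, redaction.
Added example, not ProvePrivacy's code. Deadline rules and sample data are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
import calendar
import re


def add_months(start: date, months: int) -> date:
    """Same day-of-month `months` later, clipped to that month's last day
    (31 Jan 2024 + 1 month -> 29 Feb 2024), i.e. the calendar-month rule."""
    idx = start.month - 1 + months
    year, month = start.year + idx // 12, idx % 12 + 1
    return date(year, month, min(start.day, calendar.monthrange(year, month)[1]))


@dataclass
class DsarRecord:
    reference: str
    received: date
    identity_in_doubt: bool = False            # was identity evidence requested?
    identity_verified: date | None = None
    extended: bool = False
    exemptions: list = field(default_factory=list)   # (exemption, rationale)
    events: list = field(default_factory=list)       # (date, note) audit trail
    released_on: date | None = None

    def _log(self, on: date, note: str) -> None:
        self.events.append((on, note))

    def clock_start(self) -> date | None:
        """Day the clock starts; None while requested identity evidence is outstanding."""
        return self.identity_verified if self.identity_in_doubt else self.received

    def deadline(self) -> date | None:
        start = self.clock_start()
        if start is None:
            return None
        return add_months(start, 3 if self.extended else 1)  # assumption: 1 + 2 months

    def verify_identity(self, on: date, evidence: str) -> None:
        self.identity_verified = on
        self._log(on, f"identity evidence accepted: {evidence}")

    def extend(self, on: date, reason: str) -> None:
        """An extension must be justified and notified within the first month."""
        start = self.clock_start()
        if start is None or on > add_months(start, 1):
            raise ValueError("cannot extend: clock not started or first month elapsed")
        self.extended = True
        self._log(on, f"extended by two further months: {reason}")

    def apply_exemption(self, on: date, exemption: str, rationale: str) -> None:
        """A full or partial refusal is recorded with its rationale, never silently."""
        if not rationale.strip():
            raise ValueError("an exemption must carry an evidenced rationale")
        self.exemptions.append((exemption, rationale))
        self._log(on, f"exemption applied ({exemption}): {rationale}")

    def release(self, on: date) -> bool:
        """Mark the bundle as sent; refused while identity is unconfirmed.
        Returns True if it went out within the statutory deadline."""
        if self.identity_in_doubt and self.identity_verified is None:
            raise PermissionError("identity not confirmed: personal data must not be sent")
        self.released_on = on
        self._log(on, "response issued")
        return on <= self.deadline()


def redact_third_parties(text: str, third_parties: list[str]) -> str:
    """Replace other individuals' full names (case-insensitive) and initials such as
    'J.B.' or 'JB' (case-sensitive, to spare ordinary words) with a marker.
    A regex pass is only a first cut; a human reviewer still checks the output."""
    for name in third_parties:
        text = re.sub(rf"\b{re.escape(name)}(?=\W|$)", "[REDACTED]", text, flags=re.IGNORECASE)
        parts = name.split()
        if len(parts) < 2:            # single-word names would turn one letter into a wildcard
            continue
        dotted, plain = ".".join(p[0] for p in parts) + ".", "".join(p[0] for p in parts)
        for initials in (dotted, plain):
            text = re.sub(rf"\b{re.escape(initials)}(?=\W|$)", "[REDACTED]", text)
    return text


def sample_run() -> dict:
    """Walk one constructed request through the register and return what was observed."""
    rec = DsarRecord("DSAR-0001", date(2024, 1, 31), identity_in_doubt=True)
    out = {"deadline_before_id": rec.deadline()}            # None: clock not started
    try:
        rec.release(date(2024, 2, 1))
        out["released_without_id"] = True
    except PermissionError:
        out["released_without_id"] = False                  # gate held
    rec.verify_identity(date(2024, 2, 5), "passport copy checked by HR")
    out["deadline_after_id"] = rec.deadline().isoformat()   # 2024-03-05
    rec.extend(date(2024, 2, 28), "archived mailboxes for 2019-2022 must be restored")
    out["deadline_extended"] = rec.deadline().isoformat()   # 2024-05-05
    rec.apply_exemption(date(2024, 4, 1), "legal professional privilege",
                        "counsel's advice note, matter reference on file")
    out["on_time"] = rec.release(date(2024, 4, 30))
    out["redacted"] = redact_third_parties("Email from Jane Bloggs; J.B. copied HR.", ["Jane Bloggs"])
    out["month_end_clip"] = add_months(date(2024, 1, 31), 1).isoformat()
    out["events"] = len(rec.events)
    return out


if __name__ == "__main__":
    for key, value in sample_run().items():
        print(f"{key}: {value}")
```

The `events` list is the evidence the log needs to show a regulator: every identity decision, extension and exemption carries a date and a reason, and a release cannot happen while identity is still in doubt. Treat `redact_third_parties` as a helper for the reviewer rather than a substitute for one; it knows nothing about nicknames, job titles or the context that can identify someone without naming them.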

Learn

  • Monitor and review performance: Businesses should monitor and review their performance in handling DSARs on a regular basis. They should track metrics such as the number, type and source of DSARs received, the time taken to respond, the quality and completeness of the response, the feedback from data subjects, and any issues or complaints arising from DSARs.
  • Manage risks: If patterns can be identified in where DSARs originate, for example a particular department, process or type of dispute, that indicates an area for improvement. Recognise the risks and mitigate them; in the long run it will reduce the disruption that a DSAR can bring.

It is likely that every organisation which processes personal data will receive a DSAR at some point, and since it is clear that DSARs disrupt business, it is wise for an organisation to be prepared.


Copyright ProvePrivacy: The information and opinions expressed in this article should not be considered legal advice.