A Data Subject Access Request (DSAR) is a right granted under the General Data Protection Regulation (GDPR), the data protection regulation adopted by the European Union. A DSAR is a request from a data subject for a copy of their personal data. It covers all of the subject's data processed by a data controller, along with an explanation of how that data is being used.
DSARs are formal requests, distinct from simple complaints or general queries. For example, a subject asking why they are receiving certain marketing materials is not making a DSAR. A DSAR is a request for all of the data you hold on a subject.
GDPR requests can be sent to any department in an organization and do not need to arrive through a specific channel. For example, subjects can make requests through social media, by email, or in person. A request being addressed to the “wrong” person is not a valid reason to dismiss it.
Organizations that are held to GDPR standards must manage requests transparently and fairly. They must provide information in an accessible, concise way, with details in plain, clear language. Organizations can specify preferred methods for subjects to request data from them, but they cannot enforce these methods and must handle all requests however they arrive.
When you receive a DSAR, you can use the following process to handle the request:
“response to a Data Subject Access Request must be provided free of charge, unless the request is deemed to be manifestly unfounded, excessive or repetitive in character”
Since requests can arrive through multiple channels in multiple formats, it is best to assume that any request for information qualifies as a valid DSAR. This is especially important for staff who do not normally handle requests: you do not want them to discard a request because they are unsure whether it is valid.
Once a request is received, your staff should know who in the organization handles requests and should forward all information promptly. When you receive a request, you have 30 days to deliver the data to the subject, so timeliness is important. If you cannot deliver the data within this period because of the complexity or number of requests, you must notify the subject as soon as possible. In these cases, you have 90 days to deliver the data.
In general, you are not allowed to charge fees for data requests and must provide the data to the subject free of charge. The exception is a request that is ‘manifestly unfounded or excessive’. In these cases, you are allowed either to charge a reasonable fee or to deny the request.
There is no clear definition of what counts as an unfounded or excessive request, so take care when making this claim. There is also no defined fee schedule for processing such requests. However, the Information Commissioner’s Office (ICO) guidance recommends that any fee be in line with the administrative costs incurred during retrieval.
The bulk of the time you spend responding to a request is likely to go into identifying and retrieving the data. The difficulty of retrieving data depends on both the breadth of the subject’s request and how you store their data.
For a DSAR, personal data covers any information that can be linked to an identifiable individual under the GDPR. However, this definition is broad and can make it difficult to determine which data is in scope. In general, you should focus on any data that can be clearly linked to the individual through uniquely identifying metadata or contents.
When identifying relevant data, you should centralize the task with a coordinating staff member, often known as a document management provider. These providers can help you search for data effectively. If you do not have a qualified person on staff to perform this task, you can outsource the job to ensure timeliness.
Once the data is gathered, you can prepare it for disclosure. Generally, the expectation is that data is returned in the same format as the request was made. Therefore, if the request was electronic, the data is returned in digital form. However, you can check with the subject to confirm how they want the data returned.
Additionally, however you return the data, you need to take measures to keep it confidential. This is often easier for digital responses, since you can encrypt the data and deliver the encrypted data and its decryption key through separate channels.
Throughout the response process, you should document all communications and actions taken. This audit trail demonstrates your responsiveness to requests and may be required for compliance auditing later on.
You should record who received the request and how, who was responsible for processing the request or data, and how and when the response was returned. If you charged fees, extended the deadline, or denied the request, record your reasoning and your communications with the subject.
There are a few cases in which you can refuse a DSAR. The primary case is when you are not the data controller, for example when you are working as a contractor for a company that collects user data and controls access to it.
In this case, you are not responsible for disclosing the data, but you are responsible for informing the subject of this. In your response, you need to explain why you cannot deliver the data and inform the subject of their right to complain to the ICO.
The other case, covered above, is when a request is “manifestly unfounded or excessive”. These denials also require a response to the subject explaining why the request is being denied and informing them of their right to complain to the ICO.
However, take care to provide a well-reasoned and verifiable explanation for such denials. If the subject challenges the denial with the ICO and the ICO finds your reasoning invalid, you may be in breach of the regulation.
The contents of a DSAR response are outlined in Article 15 of the GDPR. This article specifies that responses should contain the following:
NetApp Cloud Data Sense leverages cognitive technology to discover, identify and map personal and sensitive data. Use Cloud Data Sense to maintain visibility into the privacy posture of your cloud data, generate crucial data privacy reports, and easily demonstrate compliance with regulations such as the GDPR and the CCPA.