Data Subject Access Request (DSAR)

Rameesa GM
May 21, 2021

For over 10 years, Morae has supported the largest organisations and their legal advisors with Data Subject Access Requests (DSARs). We help solve the challenges created by DSARs.

Our Solution

Morae’s DSAR solution is end-to-end. From planning to disclosure and everything in-between, our team of data privacy experts can support you in every respect.

What is a Data Subject Access Request (“DSAR”)?

The General Data Protection Regulation (“GDPR”) grants a natural person (“Data Subject”) the right to obtain access to their Personal Data from an organisation. The purpose of this right is to help the Data Subject understand how and why the organisation is using their data.

Do I have to comply with the DSAR?

Failure to respond to a DSAR in a timely manner may result in a fine of up to €20m or 4% of annual global turnover, whichever is higher.

Who can submit a DSAR and to whom?

A DSAR can be made by anyone seeking access to their own personal data, or to the information of another person if they are acting on behalf of that Data Subject. Usually the DSAR is made by an individual with a prior or current relationship to the organisation, for example current or former employees, clients, customers, suppliers, and others.

Are there DSAR types?

Not per se but, in our experience, data volumes and data protection impact assessment vary greatly across two common “types” of DSAR Requestors: (1) customers and (2) former employees/contractors.

How much data should I expect for a DSAR?

As a starting point, we have seen DSARs that return hundreds of documents or hundreds of thousands of documents. Much of this will depend on the DSAR “type” as well as any scoping that is performed with the Data Subject. Defensible data reduction is a key element of the overall DSAR end-to-end process.

Where can I find data for a DSAR?

Given the breadth of the GDPR definition of Personal Data, it is possible for Personal Data to be held in a structured format such as client folders and management systems, or in unstructured formats like emails, chats, copyright disclaimer and shared workspaces.

Is there technology that can help with DSARs?

Yes, technology can facilitate various steps (intake, validation, data mapping, collection) and can enhance efficiency in others (identifying Personal Data, performing redactions). Be wary of any false promises of automated, “button-click” solutions. The nuances of DSARs require a combination of workflow and technology.

How do I perform DSAR analysis on large volumes remotely?

For DSARs that initially return high volumes of data and require a team to perform analysis, it is critical to find a provider with a secure and remote delivery GDPR cookie consent.

What does a DSAR response look like?

When sending out a response, the GDPR requires that the information is provided in a concise, intelligible, transparent, and easily accessible form that is understandable by the individual. The GDPR further suggests that the information should be delivered through a secure portal.
