DSAR

Rameesa GM
Jun 15, 2021 · 4 min read

A Data Subject Access Request (DSAR) is the means by which an individual asks your enterprise to disclose what personal data it holds on them and how it uses, or intends to use, that data.

Achieve DSAR compliance with DSAR as a Service

We can support you throughout this complex process with DSAR as a Service. DSARs are processed by a team with extensive experience dealing with such requests.

Dedicated DSAR support from GRCI Law covers every stage of the DSAR process:

  • Reviewing and assessing the nature and validity of the DSAR.
  • Verifying the requester’s identity.
  • Liaising with the single point of contact within your organisation to locate the relevant data and to acquire all the personal information relating to the individual.
  • Screening the collated data.
  • Obtaining consent from third-party individuals whose personal information appears in the search results and, where consent cannot be obtained, applying redactions.
  • Applying lawful exemptions, if applicable.
  • Formally disclosing the information to the requester.
  • Documenting the facts relating to the DSAR.
  • Liaising and interacting directly with the relevant regulatory authority.

This service is available either on an annual subscription basis, suited to organisations that want DSAR help year-round, or as smaller prepaid blocks of hours, which can help organisations handle a particularly difficult DSAR or cover staff absence.

A data subject access request (DSAR) is a request made by an individual to an organization for access to a copy of their personal information or related materials, and should be treated as an exercise of the individual’s “right of access” as described in the General Data Protection Regulation (GDPR). Such requests may be communicated to an organization in writing or verbally, through any verifiable channel, and may also be made by a third party on the individual’s behalf. Unless a valid exemption or restriction applies, or a request is manifestly unfounded or excessive, the organization must provide the information requested in the DSAR within the specified timeframe in order to remain in compliance with the GDPR.

The purpose of a DSAR, in most cases, is to satisfy an individual’s right to access their personal data. There are many specific reasons an individual might file a request, but it is generally in the interest of transparency: a means of understanding and keeping track of how, and for what purposes, an organization is using their information. The request can be made in any terms, and individuals are not required to use any specific language or formal references, as long as it is clearly a request for their personal data. Where a DSAR is made by a third party on behalf of an individual, it is the responsibility of that third party to prove their entitlement to do so, and the organization should be satisfied with the evidence provided before giving access to personal data. Children also have the right to request a copy of their data, and can be responded to directly if the organization has reason to believe they are competent enough to understand their rights.

An organization should always be prepared to respond to a lawful and reasonable DSAR, and to do so in a timely manner, typically no more than one month after receiving the request. Extensions may be allowed where a request is complex or involves multiple items. If a DSAR is unclear, an organization can ask the individual to clarify the request, and is not obligated to provide information until clarification is received. The organization can, and should, ask for formal identification upon receiving a DSAR, and all the usual security precautions for handling personal data should be applied. Data may be supplied to the requester in whatever format they prefer, wherever this can be done securely, and the organization should confirm the requester’s preference upon receiving a request.

An organization may refuse, or partially refuse, to comply with a DSAR where legal restrictions apply. Grounds for refusal might include criminal liability, preservation of confidentiality, and a number of other regulatory exemptions detailed in the GDPR. If an organization has a legitimate reason to refuse to provide personal data in response to a DSAR, it must inform the individual of the specific exemption relied on, as well as of their right to complain to the supervisory authority or seek a judicial remedy. Organizations should consult all relevant legal resources regarding exemptions and restrictions before responding to a request.

KEY POINTS

  • We have used DSARs as part of a few PI projects and learned many things along the way. This is a collection of tips based on our experience.
  • While the issues detailed here are not exhaustive and PI is not in a position to advise you individually on your request, we hope that these tips might provide you with as much information upfront as possible on some of the most commonly experienced issues.
  • Although this was primarily designed with the GDPR, the EU representative data protection law, in mind, we hope it may be helpful for other jurisdictions too. We are always interested in finding out about similar efforts.
  • A template for a DSAR is available at the bottom of this page.
