Subject Request Management

Rameesa GM
3 min read · Aug 10, 2021

A Data Subject Access Request (DSAR) is a request from someone whose data you store (called a data subject) to your organization. They can submit this request at any time. You are obligated to respond with a copy of any relevant information you hold on the subject. DSARs aren’t new. Organizations and governments have used them for years.

In order to be compliant with GDPR, and to be able to evidence such compliance, organisations should complete a register of all of their information assets. This register should identify where the data is held, the format it is held in, where it originated, who is responsible for it, and other basic details. Clearly much of this information will be held in systems other than Safe4 — a variety of business applications and indeed paper records may constitute the entirety of records about an individual. The Regulation grants data subjects the right to request this information at any time.

GDPR was adopted into UK law through the Data Protection Act 2018, which superseded the 1998 law of the same name. Under the previous legislation, organisations could be punished with a maximum fine of £500,000 by the Information Commissioner’s Office (ICO), the UK’s data protection watchdog. GDPR has significantly raised the stakes in this regard and brings with it the possibility of huge, debilitating fines for businesses that misuse an individual’s personal data. In worst-case scenarios, fines of up to £20 million, or 4% of the company’s annual turnover, can be issued, whichever is higher.

Why was the GDPR drafted?

Before GDPR was conceived, data protection rules in the UK came in the form of the Data Protection Act 1998, which itself was based on the EU Data Protection Directive. Given these rules and principles date back to 1995, they were seen as being vastly out of date when stacked up against the way businesses use data today. Technology has undoubtedly changed dramatically in the last 20 years, and so too have the ways in which data is monetised, not to mention the explosion in revenues tech companies can derive from data.

Who does the GDPR apply to?

If you don’t think you need to respect the GDPR legislation, you’re likely to find yourself in hot water sooner or later. Whether your business operates with clients in the EU or outside it, it’s vital you respect the rules and make sure you’re compliant with regulations.

How can I process data under the GDPR?

GDPR states that controllers must ensure that personal data is processed lawfully, transparently, and for a specific purpose.

That means people must understand why their data is being processed, and how it is being processed, while that processing must abide by the GDPR rules.

What if they want to move their data elsewhere?

Then you have to let them, and swiftly: the legislation means citizens can expect you to honour such a request within four weeks. Controllers must ensure people’s data is in an open, common format like CSV, meaning that when it moves to another provider it can still be read.

How to report a data breach under GDPR

Under GDPR, a data breach constitutes any breach of security that leads to the accidental or unlawful loss, destruction, alteration, disclosure of, or unauthorised access to personal data.

Do we need a data protection officer?

Any public body carrying out data processing needs to employ a data protection officer, as do companies whose core activities involve data processing that requires them to regularly monitor individuals “on a large scale”, according to the GDPR, though public bodies are at an advantage, in that several can share the same data protection officer. Organisations should give the contact details of this person to their data protection authority.
