Under both the UK and EU GDPR, individuals have the right to know what personal data an organisation processes about them and how it is used. This right is exercised through a DSAR (data subject access request).
This guide outlines how to handle DSARs in compliance with current legislation.
Contents
- What are data subject access requests?
- What should be included in a DSAR response?
- Can information be redacted?
- Do individuals have to provide a reason for a DSAR?
- Does a DSAR need to be in writing?
- Can someone submit a DSAR on behalf of someone else?
- How long do organisations have to respond to a DSAR?
- Who is responsible for responding to DSARs?
- Can organisations charge a fee for a DSAR?
- DSAR vs FOI (Freedom of Information) request
- The process for handling a DSAR
- How to ensure data subject access request success
What are data subject access requests?
DSARs arise from the GDPR’s right of access – one of the fundamental data subject rights. When individuals submit a DSAR, organisations must provide them with all relevant personal data held about them.
What should be included in a DSAR response?
Responses must include the relevant personal data requested, together with supplementary information such as the purposes of processing, retention periods and details of any third parties with whom the data is shared.
Can information be redacted?
Yes, redaction is essential when the requested documents include third-party personal data or sensitive company information that is not relevant to the DSAR. Redacting this data helps prevent potential data breaches.
Do individuals have to provide a reason for a DSAR?
Individuals don’t need to state why they are submitting a DSAR. The only questions an organisation may ask when a DSAR is submitted concern verifying the individual’s identity or helping them locate the requested information.
Does a DSAR need to be in writing?
No. Requests can be verbal, on paper or submitted digitally. Organisations must ensure their staff can identify DSARs even when informal language is used.
Can someone submit a DSAR on behalf of someone else?
Yes. DSARs can be submitted by authorised third parties such as parents, solicitors or those with power of attorney. Organisations must verify this authorisation before responding.
How long do organisations have to respond to a DSAR?
Organisations must respond to DSARs within one calendar month of receipt. In complex cases, the response period can be extended by two additional months, but the individual must be informed within the initial month, along with reasons for the extension.
Who is responsible for responding to DSARs?
Typically, a DPO (data protection officer) oversees DSAR responses. In the absence of a DPO, responsibility falls to someone knowledgeable about GDPR requirements who can coordinate the response.
Can organisations charge a fee for a DSAR?
DSARs must usually be fulfilled free of charge. However, a reasonable administrative fee can be charged for requests that are manifestly unfounded or excessive, as detailed in GDPR Article 12(5). Organisations also have the right to refuse such requests outright if justified.
DSAR vs FOI (Freedom of Information) request
DSARs provide individuals access to their own personal data, whereas FOI requests pertain to general recorded information held by public authorities and exclude personal data.
The process for handling a DSAR
A structured approach to DSAR handling includes:
- Verifying the identity of the requester(s)
- Clarifying the request’s details and scope
- Evaluating the validity and complexity of the request
- Inspecting and collating the relevant data
- Redacting unrelated or sensitive information
- Choosing a secure and appropriate delivery format
- Informing individuals of their further rights, including how to lodge complaints
How to ensure data subject access request success
To manage DSARs effectively, organisations should:
- Implement staff training to recognise DSARs promptly
- Clearly define DSAR responsibilities within teams
- Consult GDPR compliance experts for complex cases
- Create detailed flowcharts and checklists for consistent handling
- Regularly review and update processes to ensure continued compliance
Free PDF download: Data Subject Access Requests (DSARs) – A concise guide
This free guide explains how to manage data subjects’ rights in line with the GDPR and clarifies the new obligations for organisations.
Discover:
- The key changes for organisations responding to DSARs under the GDPR.
- Who is responsible for handling DSARs.
- What data needs to be provided and exceptions to consider.
- A process for responding to DSARs that you can adapt to meet your needs and comply with the law.
A version of this blog was originally published in August 2019.
The post Unlocking Access: How to Respond to a DSAR (Data Subject Access Request) appeared first on IT Governance Blog.