Charities often collect and process large amounts of personal data – names, phone numbers, email addresses, financial information, you name it. This is a completely natural and integral part of their day-to-day operations. Sensitive information is collected from individuals across their network, including donors, beneficiaries, volunteers, and employees. That’s a lot of people. Which also means… that’s a lot of data subjects. In case you’re unfamiliar, the UK GDPR grants individuals the right to submit a Data Subject Access Request (DSAR) to any organisation that processes their personal data, primarily for a copy of that data. Although DSARs are a critical component of the legislation, charities face a number of unique challenges in complying with them.
What resource constraints do charities have?
Many charities have tight budgets and small teams, often relying on volunteers. Handling DSARs demands time, expertise, and administrative effort, which can put quite a strain on already limited resources. The law mandates that DSARs are responded to within one month (with extensions for particularly complex requests), meaning that charities must act quickly despite these constraints. This can make it difficult for them to allocate the necessary resources to respond to DSARs promptly and efficiently, pulling staff away from the day-to-day operations and core mission of the charity.
Identifying and retrieving data
As we mentioned at the beginning, charities collect data from a range of people, with information coming from various sources such as online donations on websites, CRM systems, email lists, and volunteer applications. When records are stored in different formats or locations, it can be challenging to accurately identify and retrieve the personal data of a data subject.
Many charities rely on volunteers and external support to carry out their operations, meaning that gaps in both capacity and capability can expose them to risks when responding to a DSAR. Charity teams may not always have the experience or expertise needed to identify and export relevant data or conduct eDiscovery effectively. These factors can create additional hurdles, leading to unwanted delays in fulfilling DSAR requests.
This challenge becomes even more complex when charities receive DSARs from current or former employees. Without adherence to required and sensible retention periods, organisations may be left with vast amounts of historical data to sift through, sometimes spanning years. Extracting this data requires either manual review or the use of an eDiscovery tool to remove duplicates and identify relevant information. However, eDiscovery tools can be costly, making them inaccessible for smaller charities. As a result, staff members may have to manually review large volumes of data, significantly increasing the time and resources required to fulfil the request while also heightening the risk of errors or inadvertent data breaches.

What makes redacting third-party data complicated when handling DSARs?
Redacting third-party data can be particularly challenging for charities, as they often handle information that includes details about multiple individuals, such as group emails or case notes. Many charities also process special category data, which increases the risks associated with errors in DSAR responses. Failing to properly redact third-party information could result in a data breach, leading to serious compliance and reputational risks.
When responding to a request, it is essential to protect the data of all individuals involved while still upholding the requester’s rights. However, charity teams may not always have the necessary expertise or tools to efficiently identify and redact third-party data while maintaining the context of the information. Ensuring that only the requester’s personal data is disclosed, without compromising others’ privacy, can be a delicate and time-consuming balancing act.
Legal exemptions and complex requests
Fulfilling a DSAR can be challenging when the request is unclear, overly broad, or difficult to interpret. If a requester is vague about what information they need, charities can ask them to clarify their request. However, if no clarification is provided, the charity must still make every effort to conduct a reasonable and proportionate search for the data. This can be particularly difficult for charities with limited resources or those relying on volunteers.
Additionally, not all requested data can be disclosed. Legal exemptions may apply in cases where information includes third-party data or is subject to legal privilege, to name a few. These exemptions require careful consideration, and charities must ensure that any decision to withhold information under an exemption is supported by documented reasoning.
Balancing these responsibilities while ensuring compliance with legal obligations can make responding to DSARs a complex and time-consuming process.
Keeping up with changing legislation
Data protection legislation and ICO guidance do evolve over time, making it challenging for charities to stay informed and adapt their practices accordingly. Keeping up with these changes is crucial because failure to do so can result in non-compliance, which exposes charities to risks such as fines, reputational damage, loss of donor trust, legal action, and potential harm to the individuals whose data is mishandled.

How should charities handle DSARs?
There are several solutions to these problems that we’d suggest.
- Clear internal policies and procedures: Firstly, we’d recommend promoting a culture of accountability by developing and implementing clear internal policies and procedures specifically for handling DSARs. These should clearly outline roles and responsibilities, response timelines, and escalation procedures to make sure requests are dealt with promptly and effectively.
- Comprehensive data retention periods: We regularly speak with charities that encounter significant challenges when handling employee DSARs due to poor data retention practices. In some cases, the absence of clear email retention policies has resulted in organisations having to sift through vast amounts of data, sometimes as much as 100GB, just to locate relevant information for an ex-employee’s request. This not only creates a massive administrative burden but also increases the risk of unnecessary data exposure. To avoid such issues, it is essential to establish and enforce clearly defined retention periods for emails and other records in line with legal requirements. Data should only be retained for as long as necessary, after which it must be securely deleted. Holding onto excessive, outdated, or unnecessary data not only complicates DSAR responses but can also lead to other compliance risks. Implementing a robust data retention policy ensures that information is managed efficiently, reducing the workload when responding to DSARs while also strengthening data security and compliance.
- Comprehensive staff training: You know what they say: knowledge is power. Ensure all staff and volunteers are properly trained on GDPR compliance, data protection principles, and the correct procedures for identifying and redacting third-party information. Need a provider? Well, search no longer. You can find out more about our training courses here.
- Data management: An organised approach to data management not only streamlines daily operations but also ensures compliance with data protection laws. It allows charity teams to quickly access relevant information when responding to requests, such as DSARs, and ensures that personal data is kept secure and appropriately categorised. This system also supports auditing, reporting, and other essential activities that help charities demonstrate their commitment to good data protection practices. Ultimately, staying organised isn’t just about efficiency, it’s key to maintaining trust with donors and beneficiaries.
- Regular audits and reviews: Make sure you’re checking in regularly, auditing and reviewing your DSAR processes to identify areas for improvement and ensure you’re always meeting your data protection obligations. This way, any risks can be identified and mitigated sooner rather than later.
- Use templates: Use templates as a basis to efficiently respond to DSARs. This not only speeds up the process but also minimises errors and ensures consistency when communicating with the requester. This makes everybody’s life a lot easier!
- Record keeping: Keep accurate records of all DSARs received, including the date of the request, details of the request, communications with the requester, and searches conducted. It’s also wise to document your decision-making process in case of any future challenges. A DSAR log is strongly recommended.
- Consult with a data protection professional: When in doubt, ask an expert! Working with a data protection professional to assist and advise on your data protection practices not only ensures that you’re compliant with relevant laws and regulations, but also means your team can remain focused on your organisation’s core mission and activities. Responding to DSARs can be a time-consuming process that can divert essential resources away from fundraising, service delivery, and programme implementation. By outsourcing to a data protection professional, you can free up valuable time and resources. If you’re looking for experts to help you out, you’re in the right place! You can find out more about our DSAR processing and redaction services here.
- Consult the ICO’s guidance: To ensure that you’re always compliant, consult the ICO’s guidance on exemptions and stay informed by subscribing to ICO updates. This is one of the best ways to be in the loop without having to do lengthy research too often.
At DPAS, we recognise how important the work that charities undertake is. If you need assistance with policies and procedures or need support from a DSAR expert, just get in touch with us. Whatever you need regarding DSARs, you can count on DPAS.
Written by Sophie Costain (Subject Access Requests Officer)
