What is a data subject access request?

There are many terms floating around the data protection industry that can look like a completely different language to anybody new to the subject. It's a complex field, so you can be forgiven for feeling a little perplexed by the terminology. The topic we'll be covering here is 'Data Subject Access Requests'. So if you're just beginning to encounter these in your role, worry not: this article plainly lays out what a Data Subject Access Request is and what the rules are around handling one.

What is a Data Subject Access Request?

Simply put, a Data Subject Access Request, or "DSAR" (sometimes simply called a Subject Access Request or "SAR"), is an individual exercising their right to obtain a copy of the personal data an organisation holds about them, together with supplementary information about how that data is being processed.

How do you make a Data Subject Access Request?

There are no strict rules about how a DSAR can be submitted or what it might look like. Individuals can make a request through various channels, including, but not limited to:

  • Calling
  • Sending an email
  • Writing a letter
  • Submitting a form on the organisation’s website
  • Via social media

While all of these methods are valid, your organisation may also offer a Data Subject Access Request form. This makes the process clearer and simpler for both your organisation and the requester and helps you gather the information needed to process the request efficiently. You cannot, however, insist that a requester uses the form: a valid request made by any other channel still has to be handled.

A DSAR does not need to mention the phrase "subject access request" or refer to data protection law. It simply needs to ask for personal information about the individual. This means it can take virtually any shape or form, and as long as it fits the definition above, you have a DSAR on your hands. In practice this means staff in every customer-facing channel need to be able to recognise one and route it to whoever handles them.

Something to note is that a DSAR can also be made by a third party on behalf of an individual, such as a parent, guardian, or legal representative. In such cases the third party must provide evidence of their authority to act on the individual's behalf, for example written authorisation or a power of attorney, and you should not release anything until you are satisfied with that evidence.

How long do you have to respond to a Data Subject Access Request?

An organisation has one calendar month to respond, counted from the day the request is received, even if that day is a non-working day. In some instances, however, the deadline can be extended by a further two months.

To extend the time limit, you must be able to demonstrate that the request is complex or that you have received a number of requests from the same individual. If that is the case, you must tell the requester within the original one-month timeframe that you intend to extend the deadline and why.

How much can be charged for a DSAR?

In most cases (emphasis on most), fulfilling a Data Subject Access Request must be free of charge. However, if an individual repeatedly requests the same information, or the request is manifestly unfounded or excessive, you are permitted to charge a 'reasonable fee'. The fee may only reflect the administrative cost of handling the request, and you must explain to the requester why you are charging it.

Can a company refuse to complete a DSAR?

Organisations can only refuse a Data Subject Access Request if it is manifestly unfounded or excessive, or a legal exemption applies. An exemption may cover all of the information requested or only some of it; in the latter case you still have to supply the rest. If you refuse a request on one of these grounds, you must document your decision making and notify the individual of your reasons, of their right to complain to the ICO, and of their right to seek a judicial remedy.

What is included in a Data Subject Access Request?

There is unfortunately no short, straightforward answer to this question, as what is included depends heavily on the nature of the request. The information you are required to provide can be wide ranging, and the volume will depend on the complexity of your relationship with the individual and on your data retention policies. For example, if they are only on your marketing list, the data you hold will be far more limited than if they were an employee, client, patient, or student.

As mentioned earlier, there is no one way the request will look, and the same applies to what is being requested. The personal data you hold could be in any format, including paper documents, emails, video, photographs, voice recordings, text messages or instant messaging, and all of it is in scope.

When responding to an individual, you will also need to confirm:

  • That you are processing their personal data
  • The categories of personal data you are processing
  • The purposes of the processing
  • Any recipients of the data (third parties to whom the data has been or will be disclosed)
  • The retention period, or the criteria used to decide it

You will also need to inform them about:

  • Their rights to rectification, erasure, and restriction of processing, and their right to object to processing
  • The source of the data (if it was not obtained from the individual directly)
  • The existence of any automated decision making, including profiling, and meaningful information about the logic involved and its significance for them
  • Their right to complain to the ICO or the relevant supervisory authority

Tips to simplify the process

Managing DSARs can be very time consuming, and therefore rather expensive, particularly if your organisation holds a large quantity of data on individuals. It is even more so if that data includes special category personal data, which needs particular care when it is retrieved, reviewed and released.

As such, you must ensure the personal data you process is well organised and easily accessible, so that a search for one individual's data is reliable rather than a best-effort trawl. Develop robust policies, procedures, and checklists for dealing with DSARs and all data protection matters. Two checks belong in every procedure: verify the requester's identity (or a third party's authority) proportionately before anything is released, since a DSAR answered to the wrong person is itself a data breach; and review the material for other people's personal data and redact it before disclosure.

If you need assistance with policies and procedures for dealing with Data Subject Access Requests, we can help. Whether you need to outsource some of your DSAR redaction work to an expert team or are looking for Data Subject Access Request training, just get in touch. Whatever you need regarding DSARs, you can count on DPAS.

Written by Jemma Jones (Senior Subject Access Requests Officer)
