Data Subject Access Requests (DSARs)
A DSAR is intended to provide transparency to people in respect of their “personal data” held by an organisation. Personal data can be retained by a person’s current or former employer, retailers, academic institutions, charities, and government bodies. Article 15 of the GDPR states that a data subject has the right to confirmation from a data controller as to whether or not their personal data is being processed and, if so, to be told:
- Where the data was sourced from, if it was not collected from the data subject
- The existence of automated decision-making, including profiling
- The reason for the processing
- The categories of personal data processed
- Who the data has been disclosed to
- How long the data will be stored for
Data Subject Access Requests (DSARs) are becoming more common. Many data protection authorities are tasked with raising the public’s awareness of their rights regarding knowing what personal data an organisation has, how they obtained it, and in what way it is used. Following the Cambridge Analytica data harvesting scandal, whether out of concern for their privacy or as a means of seeking an edge in litigation, people are now more robust in exercising their DSAR rights.
At Lineal we understand that the nature and frequency of DSARs can pose a financial burden on an organisation. With that in mind, we have developed cost-effective packages for varying data sizes with all-inclusive services for a pre-set price. This allows your organisation to respond to requests with confidence, as you can understand, and therefore mitigate, the risk of financial exposure in advance.
Have You Received a DSAR?
Find out How to Ensure Compliance & Save Costs
If your organisation has been served with a DSAR, you will want to ensure that your response is not only compliant (i.e. it discloses everything that is required under the GDPR and no more), but also defensible (i.e. your methodology is justifiable in the event of a legal challenge). When dealing with electronic data, the most practical and cost-effective way to achieve these aims is to use an eDiscovery platform. Our team can assist you with the process of eDiscovery, ensuring every step is compliant with the GDPR and Civil Procedure Rules.
Take the strain away from your resources
Pressure on resources is a significant challenge for most organisations handling DSARs. Get in touch with one of our consultants to find out how Lineal can take the strain away with the minimum of overhead, and within the timescales mandated.
Why Use Lineal For DSAR Support
Lineal has successfully helped many clients with DSARs. We understand the implication of DSARs and can help to ensure you are ready to respond with full compliance, defensibility, and reduced financial exposure within the timescales mandated.
We tailor our service to your requirements. We will not only advise you about the best way to process the DSAR but will draw on our experience to provide you with practical and effective solutions to your particular situation.
Our project managers are highly trained specialists, having dealt with numerous DSARs. The application of project management rigour ensures the quality of the DSAR outcomes we achieve for our clients.
Our review workspace is specifically tailored to DSAR reviews, meaning you only view what you need to see, with no unnecessary add-ons, thereby keeping costs low. Our workflow is streamlined to efficiently sort, review, redact, and produce documents in short periods. With real-time reporting dashboards, our clients can monitor how a review is progressing and ensure they’re on track to meet the DSAR deadline.
You can rely on Lineal to take away the strain on your resources with our DSAR support service, which offers:
- Predictable Package Pricing
- Customised Review Template / Simplified Workflow
- Expedited Managed Document Review
- Unparalleled Customer Service
Contact us now to request our DSAR package Information
Data Subject Access Request FAQ
If your business holds personal data on EU citizens, you need to know how to action a Data Subject Access Request (DSAR). The ability of a person to access the personal data you hold on them and to demand to know why you are holding it is a powerful tool. However, the right of access to personal data is not an absolute one. Fulfilling DSARs can be costly in both time and human resource; therefore, it is essential to understand not only where your compliance requirements begin but also where they end.
Below are answers to the most frequently asked questions on DSARs.
Under Article 15 of the General Data Protection Regulation (GDPR), a person has the right to ask an organisation to confirm:
- holds any of their personal data
- where this data is stored, and
- what the data is used for
The full text of Article 15 states:
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
   (a) the purposes of the processing;
   (b) the categories of personal data concerned;
   (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
   (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
   (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
   (f) the right to lodge a complaint with a supervisory authority;
   (g) where the personal data are not collected from the data subject, any available information as to their source;
   (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
A person can only request their personal data. They cannot request data relating to other people. For example, a wife cannot request access to personal data belonging to her husband unless he has provided express permission for her to do so.
A DSAR can be made verbally or in writing. Most requests will come via email. Not every DSAR will be obvious; therefore, it is important to train customer service and IT staff to identify the many forms a DSAR can take.
Staff should be able to refer to clear policies and procedures for dealing with DSARs. These should set out how to spot a fraudulent request (which, if acted upon, could itself cause a data breach), how to meet the mandated timescales, and when a DSAR may be refused.
The Information Commissioner’s Office (ICO) guidance states that a DSAR may be refused if:
- the time and cost of dealing with a DSAR is excessive
- the request is vexatious
- the request is merely a repetition from the same person
There are several exemptions from having to comply with a DSAR. For example, if granting the request would breach government policy or prejudice a criminal investigation, you may have grounds to refuse the request.
One of our recent articles discusses refusing a DSAR in detail.
In most cases you cannot charge a fee for a DSAR. However, if the DSAR is ‘manifestly unfounded or excessive’, you can charge a reasonable fee to deal with the request or you can decline to action the request altogether.
Unfortunately, there is no definitive guidance on what constitutes ‘manifestly unfounded or excessive’ or a ‘reasonable fee’. The ICO limits its guidance on the matter to suggesting that the fee must be based on the administrative costs of providing the information.
If you plan to refuse a DSAR, it is best to seek professional advice before doing so. Otherwise, you risk having a complaint brought against you.
A proper DSAR response will include the following information:
- the legal basis for processing the personal data and how the data is used
- details of the data held
- details of any third parties who have access to the data
- the right of the requester to demand their personal data is deleted
- how much time personal data is stored for
- where the requester’s personal data came from
The GDPR requires that the information provided to the requester be concise, transparent, and easily understood (no IT speak, acronyms, or corporate jargon).
To best protect your interests, make sure that every step taken in meeting a DSAR request is recorded in writing.
Lineal is a global leader in providing eDiscovery and DSAR support. To find out more about our services, please call us on +44 (0)20 7940 4799 or email firstname.lastname@example.org
Get in touch to find out how we can support you with DSARs