DSAR Response Support
We provide expert support for Data Subject Access Requests ("DSARs") response such as assistance in scoping, data mapping, recommended approaches and end-to-end guidance.
Data protection services at affordable and competitive rates
Named consultant for on-demand guidance & support
Bespoke packages based on your unique requirements
Commercially aware and experienced GDPR specialists
Many organisations lack the necessary in-house expertise or resources to confidently process and respond to DSARs in a timely manner. Whether your organisation only receives SARs occasionally or regularly receives more complex requests, they can become a distraction.
By outsourcing your DSARs to Evalian’s expert Data Protection team, your dedicated consultant will free up valuable internal resources, giving you time to focus on other areas important to your business and enabling you to respond appropriately, within the time frame stipulated.
Let our team of highly qualified, experienced DPOs give you full DSAR support and help to manage your data protection obligations, working as an extended member of your team.
We promise open communication and real-world advice with no hard sell. Contact us now for a friendly chat about your organisation’s data protection compliance needs.
Once a DSAR is received, the relevant person within your organisation is notified. The clock starts ticking on the day the request is received. Your Evalian consultant will work closely with you to respond to the DSAR and deal with any issues that arise.
Your Evalian consultant will then support you in determining the scope of the SAR and will set to work identifying all the necessary data involved and whether any further information is required. You will work with your internal team to locate the information requested.
Once all the information has been located, your Evalian consultant will help you to review the information located and identify any sensitive data that needs to be redacted before the personal data requested is handed over to the data subject within the legal time frame.
In part 1 of this series on understanding subject access requests (SARs), we look at how to comply with present-day requirements.
In part 2 of this series on SARs we look at some of the situations in which an organisation may lawfully refuse to provide the personal data requested.
A data subject access request (DSAR) is a written or verbal request to an organisation from an employer, business, individual or supplier (or any other ‘data subject’) for a copy of the personal data held, which they are entitled to ask for under UK GDPR. When a subject submits a request for personal data, organisations have a legal obligation to send a copy unless an exemption applies.
Article 12 of the UK GDPR requires controllers to respond to a SAR without undue delay and, in any event, within one month. This means that the clock starts ticking on the day the request is received and ends on the corresponding day of the following month. That said, the clock will only start once the controller is in receipt of ID (if this is required).
In terms of the end date, if the following month does not have a corresponding day because that month has fewer days, the end date is the last day of the month. For example, if a request is received on 30th January, the response would need to be provided by 28th February. In view of this, some organisations prefer to apply a 28-day response time for operational purposes.
No extra time is allowed if the request arrives on a weekend or bank holiday although, if the end date falls on a weekend or bank holiday, the response would not be required until the next working day.
Whilst the deadline is strict, it can be extended in some circumstances.
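As an added illustration (not part of Evalian’s page or its services), the following Python applies the deadline rules described above: the corresponding day of the following month, the last day of that month where no corresponding day exists, and a roll-forward to the next working day when the end date falls on a weekend or bank holiday. The bank-holiday dates in the example are a constructed sample and must be replaced with the official calendar for your jurisdiction; the start date passed in should be the day ID was verified where ID is required, and any lawful extension is not modelled.

```python
from datetime import date, timedelta
import calendar

# Constructed sample of bank holidays for illustration only (assumption):
# replace with the official UK bank-holiday calendar in real use.
SAMPLE_BANK_HOLIDAYS = frozenset({
    date(2023, 12, 25),  # Christmas Day
    date(2023, 12, 26),  # Boxing Day
})


def add_one_month(received: date) -> date:
    """Corresponding day of the following month, or the last day of that
    month if the corresponding day does not exist (e.g. 30 Jan -> 28 Feb)."""
    year, month = received.year, received.month + 1
    if month == 13:
        year, month = year + 1, 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def next_working_day(d: date, bank_holidays=frozenset()) -> date:
    """Roll forward while the date is a Saturday, Sunday or bank holiday."""
    while d.weekday() >= 5 or d in bank_holidays:
        d += timedelta(days=1)
    return d


def dsar_deadline(received: date, bank_holidays=frozenset()) -> date:
    """Statutory response deadline for a SAR received (with any required ID)
    on `received`. Receipt on a weekend or holiday earns no extra time; only an
    end date falling on a non-working day is moved to the next working day."""
    return next_working_day(add_one_month(received), bank_holidays)


def days_remaining(received: date, today: date, bank_holidays=frozenset()) -> int:
    """Calendar days left until the deadline; negative once it has passed."""
    return (dsar_deadline(received, bank_holidays) - today).days


if __name__ == "__main__":
    for received in (date(2023, 1, 30), date(2024, 1, 31),
                     date(2023, 5, 3), date(2023, 11, 25)):
        print(received, "->", dsar_deadline(received, SAMPLE_BANK_HOLIDAYS))
```

Some organisations track a 28-day internal target instead; that can be expressed with the same functions by comparing `days_remaining` against an earlier internal milestone rather than changing the statutory calculation.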
Your organisation should have a Data Protection Policy that outlines the process of responding to DSARs. If you do not have a policy, you should consider creating one; this is something Evalian can help you with.
It is the responsibility of the controller of the personal data to respond to the request, not the processor. However, individuals may not realise this and may submit their applications to the processor. Therefore, controllers should ensure that they have appropriate arrangements in place with their processors so that they are notified promptly should this situation arise. In the same vein, processors must ensure they have appropriate controls in place to identify requests and assist controllers with the handling of SARs, without delay. The Information Commissioner’s Office (“ICO”) has issued guidance on controllers and processors.
Individuals making a SAR are entitled to their own ‘personal data’. This is any information from which they can be identified, either directly or indirectly.
In terms of whether an individual can be identified directly from the information in question, this is often quite straightforward. For example, a name is often sufficient to identify someone. That said, just because a document contains someone’s name does not automatically mean that the document will contain that person’s personal data.
Learn more by referring to our blog, Part 1: Understanding Subject Access Requests.
If the individual has submitted the request electronically, the response should be made using a commonly used electronic format (e.g. encrypted email or secure portal). If the request has been made verbally or by letter, the response can be in any commonly used format, electronic or hard copy. It is best practice to ask the individual, at an early stage, how they would like to receive the material.
Whatever method is used, the controller must ensure that the disclosure is secure. For example, controllers may wish to share electronic disclosures via a secure portal with the data being encrypted and send hard copies by recorded delivery.
There may be occasions when organisations have a good reason not to respond to a SAR. Under Article 12(5) of the UK GDPR, organisations can lawfully refuse to process a SAR, if it is deemed to be “manifestly unfounded or excessive”.
A request may be regarded as “manifestly unfounded” if the individual making the request has no genuine desire to exercise their rights but has clearly submitted the SAR with malice or with the intention of causing disruption or harassment to an organisation.
A request may be regarded as “manifestly excessive” if it is clearly unreasonable. Reaching a decision on this would depend on various matters such as whether the request repeats previous requests made only a short while ago or overlaps with previous requests. For example, if an individual submits a SAR once a fortnight but the information being processed by the organisation has not changed since responding to the first SAR, this would be regarded as manifestly excessive.
Learn more about exemptions in our blog, Part 2: Refusing to comply.
Contact us now for a friendly, no-obligation discussion or to request more information about our DSAR services, outsourced DPO or GDPR compliance services. We’re in London, Southampton, the Midlands and North West and support clients across the UK and globally.