Understanding DSARs – What are Data Subject Access Requests and how to handle them
What is a DSAR?
In today’s digital era, the protection of personal data has become an essential concern for individuals and organisations alike. Data Subject Access Requests (DSARs) play a vital role in upholding privacy rights and empowering individuals to have control over their personal information held by organisations. This article aims to provide a comprehensive understanding of DSARs, their significance, and effective strategies for handling them.
A DSAR is a legal right granted to individuals under data protection regulations, allowing them to obtain information about the personal data an organisation holds on them. It enables individuals to be aware of how their data is being processed and exercise their data protection rights effectively.
Allowing individuals to make such requests is a fundamental component of data protection legislation, such as the European Union’s General Data Protection Regulation (GDPR) and similar laws worldwide. Such requests promote transparency and accountability, and empower individuals to understand and control the use of their personal data. DSARs enable individuals to verify the lawfulness of data processing, rectify inaccuracies, and ensure the fair treatment of their information.
How do I effectively handle a DSAR?
DSARs can take various forms, including requests for access to personal data, information on the purposes of processing, details of third-party recipients, data rectification, data erasure (right to be forgotten), data portability, and objections to processing. It is crucial for organisations to familiarise themselves with these different types to respond appropriately.
An organisation should consider the following points to effectively handle DSARs:
- Establish DSAR procedures: Develop a clear and efficient process for handling DSARs, including designated personnel responsible for managing requests. Document the steps to be taken, timelines, and communication channels to ensure a consistent and structured approach.
- Confirm the identity: Before disclosing any personal information, verify the identity of the requester to prevent unauthorised access or disclosure of sensitive data. Request additional information if necessary to establish their identity securely.
- Gather and review data: Collect and review all relevant data associated with the individual making the request. Retrieve data from various sources, including databases, backup systems, and third-party processors, to ensure a comprehensive response.
- Assess exemptions and limitations: Determine if any exemptions or limitations apply to the disclosure of certain information. Evaluate factors such as the rights of third parties, national security, legal privilege, and commercial sensitivity.
- Provide a timely response: Respond to DSARs promptly within the specified time frame required by data protection regulations. Acknowledge the request, inform the individual of any necessary extensions, and provide the requested information or explanations clearly and concisely.
- Data security and confidentiality: Safeguard the personal data throughout the DSAR process. Implement appropriate security measures to protect against unauthorised access, loss, or disclosure of personal information.
- Keep records: Maintain a record of DSARs received, actions taken, and any decisions made throughout the process. This documentation helps demonstrate compliance with legal obligations and facilitates future audits.
The Court of Justice of the European Union (CJEU) provided some guidance on what is required under a DSAR in its recent judgment in case C-487/21, handed down on 4 May 2023. Following a DSAR, the defendant had provided a list of the subject’s personal data in summary form. The CJEU held that the right to obtain a “copy” of personal data means the right to obtain copies of extracts from documents or even entire documents, or extracts from databases, when such copies are essential to enable the data subject to effectively exercise the rights conferred on him or her by the GDPR.
What if I ignore a DSAR?
DSARs come with legal obligations, and employers who fail to comply with these obligations may face significant liabilities. Non-compliance with data protection laws, such as the GDPR, can result in severe penalties, including fines and legal actions. In the UK, it is the Information Commissioner’s Office (ICO) that is mainly responsible for ensuring compliance with DSAR obligations. The consequences can vary based on the jurisdiction and the specific regulations in place.
Also on 4 May 2023, the CJEU in case C-300/21 considered the question of compensation for non-material damage resulting from a breach of the GDPR. It held that a mere infringement of the GDPR does not confer an automatic right to compensation, as material or non-material damage is required. However, there is no requirement for the non-material damage suffered due to a breach to reach a certain threshold of seriousness to give rise to a right to compensation.
Regulatory authorities have the power to impose substantial fines for non-compliance with DSAR requirements. Under the GDPR, for example, organisations can be fined up to 4% of their global annual turnover or €20 million (whichever is higher) for serious infringements, including failure to respond to DSARs appropriately.
Failing to handle DSARs effectively can lead to reputational damage for an employer. News of non-compliance or mishandling of personal data can quickly spread, eroding customer trust and damaging the organisation’s brand. Reputational damage can have long-lasting effects on customer relationships, business partnerships, and the overall success of the company.
Individuals have the right to escalate their complaints if an employer fails to respond or handle a DSAR appropriately. This can result in legal proceedings being brought against the organisation, seeking compensation for any harm or damages suffered due to the mishandling of their personal data. Legal proceedings can be time-consuming, expensive, and further damage the organisation’s reputation.
Non-compliance with DSAR obligations can trigger regulatory investigations and audits. Regulatory authorities have the power to conduct inspections, request documentation, and assess an organisation’s data protection practices. Failing to demonstrate compliance with DSAR requirements can lead to further legal consequences and potential sanctions.
In addition to legal and financial repercussions, mishandling DSARs can result in the loss of business opportunities. Clients, partners, and customers may choose to discontinue their relationships with an organisation that does not prioritise data protection or fails to handle DSARs effectively. Losing business opportunities can impact the organisation’s growth, revenue, and long-term sustainability.
It is essential for employers to recognise the liabilities associated with DSARs and proactively establish robust processes to handle them efficiently. By complying with data protection regulations, respecting individuals’ rights, and responding promptly and accurately to DSARs, employers can mitigate risks, protect their reputation, and build trust with stakeholders.
Data Subject Access Requests play a crucial role in ensuring transparency and empowering individuals to exercise their data protection rights. Organisations must handle DSARs effectively by implementing clear procedures, verifying identities, gathering and reviewing data comprehensively, assessing exemptions, providing timely responses, ensuring data security, and maintaining thorough records. By embracing DSARs as an opportunity to foster trust and accountability, organisations can enhance their data protection practices and build stronger relationships with individuals.
How we can help
If you have any questions on how to implement an effective DSAR strategy or need help dealing with a recent DSAR you’ve received, get in touch and one of our experienced solicitors will be able to help. We can assist with responding to DSARs, guide you through the discovery process, advise on any exemptions and limitations, and redact information before it is released.