How Well Is Your Organisation Handling Data Subject Access Requests (DSAR)?

All organisations must be prepared and able to respond to Data Subject Access Requests (DSARs); how prepared are you? 

It is vital for all businesses and organisations, whether private or public, to understand all data subjects have robust rights to access personal information held on them, due to the existence of art.15 of the General Data Protection Regulations (GDPR).  Referred to as Data Subject Access Requests (DSAR), individuals can make requests either verbally or in writing, and in turn, they are legally entitled to a prompt and comprehensive response.  In this article, we will explain the implication of DSARs as they relate to data protection regulations, and how businesses can ensure they are ready to respond to any such request.

Precisely what does Article 15 of the GDPR state?

Article 15 of the GDPR outlines the right of access by data subjects.  Specifically, it says:

“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data”.

The article also states that in addition to a copy of the data held on them, the data subject is entitled to information (referred to as ‘Supplementary Information’) on the purpose of data processing, categories of data concerned, recipients, period of storage, existence of rights for correction, limitation of processing, deletion, objection, the right to make a complaint, the source of the information, and the existence of automated decision making (e.g. profiling).

In addition, if the data will be transferred to a third country or international organisation, the individual has the right to know the safeguards being put in place in relation to the transfer.

Handling a DSAR within the regulations

Putting in place a managed and comprehensive written policy for handling access requests will ensure your organisation consistently handles any DSAR requests to the letter of the law applicable at the time.  This starts from the moment a request is first received.  It is important to understand that a DSAR is distinct from a complaint or enquiry; a DSAR is specifically designed to request a copy of personal data being held by a Data Controller.  However, the request does not need to state the words ‘data subject access request’ or ‘subject access request’ to constitute a formal application for personal data; therefore, you must ensure employees recognise requests as such, whether received in writing, electronically or verbally.

If the request is received verbally, it is important to consider how this should be captured and recorded, and the details of the request clarified with the requestor.

Once a DSAR has been recognised, it is important the request then follows a standardised process as per your organisation’s policy.  This must include:

  1. a) Identifying the requestor as genuine (to avoid any circumstances of personal information theft and fraud)
  2. b) Knowing under which circumstances a request should be refused
  3. c) Confirmation of receipt of a request
  4. d) Requesting more details if needed to complete the access request process
  5. e) The personal data and any supplementary information (see list above) to be provided in response to a request
  6. f) The timescales for the response (one month from the date of request) and the circumstances for any extension
  7. g) Standards for clarity of language to be used (especially when responding to a child)
  8. h) How to handle requests about others

Once you have proof of identity and all other information necessary to carry out the request, it is then necessary to gather all relevant personal data held by your organisation, whether electronic or paper.  Should any information found on the requestor contain details of others, a decision must be made whether it should be redacted or if it is safe to disclose (this should be explained in the internal DSAR policy).

The formal response to the requestor must be made within the specified time-frame of one month, in a clear, jargon-free manner.  In other words, any information provided must be understandable to the average person (taking into consideration the needs of children).

It is possible to extend the timescale for formal response where necessary (to a maximum of an additional two months), however, the explanation and reasons for doing so must be provided within one month of the request being received.

For some organisations, it may be more efficient to create a secure ‘self-service’ portal, which would allow, where appropriate, individuals to find the information they are seeking themselves.

What if your organisation uses an external data processor?

There is often confusion as to who must carry out a DSAR request where an external data processor is used.  The law is resolute on this matter; regardless of whether you contract out a processing function, it is the Data Controller who requested the processing to be undertaken, who is responsible for responding to a DSAR.  The Information Commissioner’s Office (ICO) clearly states that a Controller must have a sufficiently detailed contract in place with their Processor to ensure any subject access requests are handled and responded to appropriately.  In other words, contracting out does not absolve an organisation of their obligations under the GDPR when it comes to access requests.

In conclusion

Handling DSARs can place any organisation under tangible resource pressure.  By creating a clear policy document which outlines the end to end process by which all DSARs can be recognised, processed, and responded to, you can ensure your organisation handles each in a consistent manner, with the minimum of overhead, and within the timescales mandated.  If you are in doubt about your business’s ability to respond to a DSAR, by engaging specialists in the field of information disclosure and GDPR, you can rapidly put in place a system which will meet your needs for years to come and protect you from any unnecessary potential complaints or legal action due to poorly managed requests.  When it comes to DSAR, preparation, training, and regular review of your ongoing legal obligations are the keys to success.

Lineal is a global leader in providing eDiscovery and DSAR support.  To find out more about our services, please call us on +44 (0)20 7940 4799 or email