Ten top tips for handling data subject access requests
Published on 23rd May 2022
Are you handling each DSAR you receive in a way that appropriately balances risk and cost?
Increased awareness of individuals' data rights is making data subject access requests (DSARs) more frequent. There continues to be an increase in the routine use of DSARs by disputes lawyers acting for employees, shareholders and other individuals in an attempt to either obtain early disclosure of documents, or leverage in settlement discussions.
Responding to DSARs can be costly and time-consuming, so we have set out 10 tips to follow when dealing with these requests.
Check it is a DSAR
If the request is for documents and does not mention personal data or the General Data Protection Regulation (GDPR), there may be an opportunity to treat the request in a business-as-usual manner.
Clarify the scope
Often data subjects are looking for something in particular. If you ask them to clarify the scope of the request, they stand a better chance of seeing that data, you are likely to have less work to do in responding to the DSAR, and you are less likely to be asked to repeat the exercise when the data subject does not get what they want.
Extend the time
Consider extending the time for the response. If the request is complex, you have the right to extend the time to respond from one month to three months.
Whether a request is complex depends on the specific circumstances involved, but if you are a smaller organisation or have limited resources, it is more likely that any given request could be classed as complex.
Personal data, not documents
You are required to provide personal data, not documents (although you may choose to provide the personal data within documents to save time). If a document does not contain any personal data, you are not required to provide it in response to a DSAR.
You are not required to provide a copy of every email an employee has sent or received.
Business-as-usual emails, where the data subject is just going about their role as an employee, will likely contain no more personal data than the data subject's name, phone number and email address. You are allowed to disclose this personal data once, and are not required to provide the data subject with every instance of it appearing in documents that you hold.
Make reasonable efforts
You are not required to locate every document that may contain personal data.
While you are required to make reasonable efforts to find and retrieve the requested data, you are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing a data subject with access to the personal data.
Plan the review
Before you start reviewing documents, decide on a clear set of criteria for how you are going to classify and redact documents. For example, are you going to redact all information that is not personal data, or only redact the personal data of others and data that is privileged?
Send a response on time
This sounds obvious, but it is essential. Even if it is a holding response, explaining when you expect to provide the full response, send something to the data subject within the deadline. A failure to respond is the easiest way to invite a complaint to the Information Commissioner's Office (ICO).
Keep an audit trail
Make a record of the decisions you take during the process. For example: where you searched for data, what keywords you used, what date range you used, why you excluded some data. Also record the reasons why you made these decisions. This sort of audit trail will be invaluable if the data subject makes a complaint, either to you or the ICO.
Avoid data breaches
It is too easy to fall at the last hurdle, just when you think all the hard work is done. To avoid turning a data subject access request into a data breach, always:
- check that the data that you send in response does not contain the personal data of others (unless in the circumstances it is reasonable to provide it);
- check that the address you are sending the data to is correct; and
- use a secure method of delivery.
Osborne Clarke comment
While it may not qualify as a "top tip", it is also worth checking the format you use to provide a copy of the personal data in response to a DSAR. If a DSAR is made electronically, you must provide the response electronically (unless a reasonable request is made for it to be provided in another format). If a DSAR is made in any other way (for example, by letter or verbally), you can provide the response in any commonly used format (unless a reasonable request is made for it to be provided in a particular format), including hard copy or electronically.
If you would like any assistance or advice on handling DSARs, Osborne Clarke offers a comprehensive and cost-efficient DSAR service which helps data controllers manage and meet their obligations. Feel free to get in touch with one of our experts, listed below.