Introduction
In the wake of the General Data Protection Regulation (GDPR), individuals have more control than ever over the personal data companies hold about them. For businesses, this means increased responsibility to make data accessible, with significant penalties for failing to comply. Data Subject Access Requests (DSARs) are a primary way for individuals to exercise this right, but they also present compliance challenges.
When GDPR came into force, many organisations believed that achieving initial compliance — by updating consent policies, enhancing cybersecurity, and training staff — was sufficient. However, GDPR compliance is an ongoing commitment, demanding readiness to respond effectively to various data-related events, from breaches to requests for data erasure and DSARs.
The reality is that GDPR’s DSAR regulations have introduced stricter requirements, making it easier for individuals to access their data and imposing higher standards on businesses. So, what changes does your organisation need to make to meet GDPR’s DSAR requirements smoothly?
What’s Changed for DSARs Under GDPR?
If your business handled data access requests under previous legislation, you may recall a 40-day response window and the option to charge an administrative fee. GDPR has revised these rules:
- Response Time: Article 12(3) of GDPR, enforced in the UK by the Information Commissioner’s Office (ICO), requires a response “without undue delay” and in any event within one month of receipt, down from the previous 40 days.
- Fees: You can no longer charge a fee for a DSAR as standard. A reasonable fee is permitted only where a request is manifestly unfounded or excessive (for example, repetitive), or for further copies of data you have already supplied.
- Electronic Requests: Where data is processed electronically, GDPR expects you to accept requests electronically and, unless the individual asks otherwise, to supply the data in a commonly used electronic form. In practice this means offering accessible, user-friendly channels such as a web form or a dedicated email address.
These requirements mean businesses need to ensure swift responses and seamless accessibility. Importantly, individuals can submit DSARs through any communication channel, whether it’s verbally to front-line staff, via social media, or through a website form. Consequently, every team member must be prepared to recognise and appropriately handle DSARs.
What Constitutes a DSAR?
A DSAR allows individuals to request access to their data held by an organisation. Under GDPR, individuals can submit DSARs through any channel, and they don’t need to use specific terminology like “DSAR” or “Article 15.” This flexibility means that a verbal request is as valid as a written form, so training employees who interact with the public is essential. Ensure they understand how to handle DSARs and refer them to your organisation’s designated compliance team.
What Information Must Be Provided in Response to a DSAR?
Under Article 15 of GDPR, individuals have the right to obtain:
- Confirmation that their personal data is being processed.
- Access to their personal data.
- Information on the purposes of processing, data categories, and recipients.
- The period of data retention or the criteria used to determine this.
- Their rights regarding rectification, erasure, or restriction of data processing.
- Details of any automated decision-making involved, including the logic and potential impact on the individual.
If data has been transferred to a third country or international organisation, individuals also have the right to know the safeguards in place for such transfers.
In simple terms, if an individual makes a DSAR, you’re required to provide both their data and an overview of its use and retention.
What Should a DSAR Response Include?
The response must be presented in a concise, transparent and intelligible form. If your data categories use internal codes or abbreviations, explain them so the individual can understand what is held. Recital 63 suggests that, where possible, you give the individual remote access to a secure system through which they can view their data, but this must be balanced against security: verify the requester’s identity before disclosing anything (Recital 64), since releasing personal data to an impersonator is itself a breach, and remember that under Article 15(4) supplying a copy must not adversely affect the rights and freedoms of others, including trade secrets and intellectual property.
Once a DSAR is received, your organisation has one month to respond, with the clock starting the day after receipt, even if that day is a weekend or public holiday.
Can the Response Time Be Extended?
Extensions are limited. Article 12(3) lets you extend the deadline by up to two further months where a request is complex or you have received several from the same individual, but you must tell the individual within the original month that you are extending and why. In practice the ICO rarely accepts that an extension was justified, so treat it as the exception rather than a planning assumption. The separate “manifestly unfounded or excessive” test concerns refusing or charging for a request rather than extending it; it is difficult to demonstrate and should be approached with caution.
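The deadline arithmetic in the two sections above is easy to get wrong at month ends, so here is an added Python example (not code from the original page) that computes the response deadline and any extension. It applies this page’s convention that the clock starts the day after receipt, with a switch for counting the day of receipt as day one instead; the “corresponding calendar date, or the last day of the month if there is none” rule is taken from ICO guidance rather than from the page, and the function names and sample dates are constructed for illustration.

```python
from datetime import date, timedelta
import calendar


def add_months(d: date, months: int) -> date:
    """Return the corresponding calendar date `months` later.

    When the target month has no such day (e.g. 31 March + 1 month), the
    result is the last day of that month, as ICO guidance describes.
    """
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def dsar_deadline(received: date, extension_months: int = 0,
                  start_next_day: bool = True) -> date:
    """Statutory response deadline for a DSAR received on `received`.

    extension_months: 0, 1 or 2. Article 12(3) allows at most two further
    months, and only for complex or numerous requests.
    start_next_day: this page's convention that the clock starts the day
    after receipt; pass False to count the day of receipt as day one.
    """
    if not 0 <= extension_months <= 2:
        raise ValueError("extension may be at most two months")
    start = received + timedelta(days=1) if start_next_day else received
    return add_months(start, 1 + extension_months)


def is_overdue(received: date, today: date, extension_months: int = 0) -> bool:
    """True once `today` is past the (possibly extended) deadline."""
    return today > dsar_deadline(received, extension_months)


if __name__ == "__main__":
    # Constructed sample requests, not real cases.
    samples = [(date(2024, 1, 30), 0), (date(2024, 3, 14), 0), (date(2024, 3, 14), 2)]
    for received, ext in samples:
        print(received, "->", dsar_deadline(received, ext), f"(extension {ext} months)")
```

Note that a request received on 30 January 2024 is due on 29 February, not “30 February”, and that the extension simply adds whole months to the same start date; any tracking system should record the extension decision and the date the individual was told about it, because that notice is itself subject to the original one-month limit.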
Refusing Data Subject Access Requests
You may refuse a Data Subject Access Request only if it is “manifestly unfounded or excessive”, for example because it repeats a request you have recently answered. Under Article 12(5) the burden of demonstrating this falls on you as controller, and under Article 12(4) you must still tell the individual, within one month, why you are refusing and that they can complain to the ICO. Most organisations therefore find it more practical to respond to requests than to contest them.
Streamlining Data Subject Access Requests Compliance
As awareness of data rights grows, businesses should expect an increase in DSARs. While this might seem daunting, compliance doesn’t have to disrupt operations. At Formiti Data International UK we provide tailored DSAR services that simplify response processes, ensuring GDPR compliance without hindering day-to-day activities. Our solutions empower businesses to manage DSARs with ease, keeping you focused on growth.
To discover how we can support your DSAR compliance, contact us online today for an affordable, efficient DSAR management solution.