Data Subject Access Requests (DSARs) are requests made by individuals, known as data subjects, to access personal data that an organisation holds about them. The steps that organisations should take to respond to DSARs include:
Verify the identity of the data subject: Verify the identity of the data subject to ensure that the request is legitimate and that the personal data is being released to the correct person. Where the request is being raised on someone else's behalf, ensure they have the authorisation to raise the request and receive the information.
Retrieve and review the data: Retrieve and review the data that is being requested to ensure that it is accurate, up-to-date and complete. You must also consider any other regulations, or exemptions, that may restrict you from sharing parts of the information.
Consider any redaction requirements: Consider any redaction requirements, such as removing third-party personal data, trade secrets or other sensitive information, before providing the requested data.
Provide the data in a format that is easy to understand: Provide the data in a format that is easy to understand, such as a hard copy or an electronic copy, depending on the data subject’s preference.
Provide the data within the required time frame: Provide the data within the required time frame, as specified by the applicable data protection laws. Under GDPR/UK DPA you have one month as standard, being able to extend by two months in specific circumstances.
Inform the data subject of their rights: Inform the data subject of their rights, such as the right to correct or delete their personal data, and how to exercise these rights.
Keep a record of the request: Keep a record of the request and the data provided, in case of any further queries or complaints.
Be transparent: Be transparent with data subjects about the data you hold, how it will be used, and who it will be shared with.
Train staff: Train your staff to recognise a DSAR, or other right being exercised by a Data Subject. It is important they know what to do with a request so you may stay compliant with the regulations.
It's important to note that organisations must comply with all data protection laws and regulations, such as GDPR and UK DPA when responding to DSARs. It's also important for an organisation to have a process in place for handling DSARs and to ensure that all employees are aware of the process and their responsibilities.
Talk to us today. We can help!