The handling of personal data has become a pivotal responsibility for organisations, irrespective of their size. As we venture further into the digital age, the management of personal data is both a privilege and an obligation. Among the many responsibilities that come with this, one stands out prominently: responding to Data Subject Access Requests (DSARs).
This article will guide you through the essentials of a DSAR from a UK law perspective, tailored for the needs of small businesses, as we firmly believe in making business law more accessible for entrepreneurs and startups.
What is a Data Subject Access Request?
A Data Subject Access Request (DSAR), also known simply as a Subject Access Request (SAR), is a fundamental right granted to individuals under the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). It allows individuals to ask organisations whether they are processing personal data about them and, if so, request access to that information.
What is included in a Subject Access Request?
When responding to a DSAR, you must go beyond merely sending copies of the requested information. UK data protection law requires you to provide a comprehensive response that includes the following details:
- Purpose and processing – explain what you’re doing with the data and the reasons behind it (this provides transparency to the data subject)
- Legal basis – state the legal basis for storing personal data (different purposes may require different legal bases and this information is crucial for compliance)
- Types of personal data – specify the categories of personal data used (understanding the nature of data being processed is essential for transparency)
- Data recipients – disclose who the personal data has been shared with, including any recipients or categories of recipients, especially if they are located in third countries or international organisations
- Data retention – clarify how long the data subject's information will be held (if providing a specific time frame is not possible, explain the criteria used to determine this period)
- Data subject rights – inform the data subject about their rights to request additional information or take action regarding their personal data
Responding to a Data Subject Access Request
Responding to a SAR/DSAR can be a challenging task, but it’s important for legal compliance to handle it correctly. Here is a step-by-step guide to ensure that you respond to a DSAR in compliance with UK law:
1. Check the requester's identity
When you receive a request, verifying the identity of the individual making it is essential. You must confirm that the person is who they claim to be and that they have the legal right to access their information before you comply with the request. This step helps protect sensitive data from falling into the wrong hands.
2. Clarify the request
Sometimes, DSARs may be vague or unclear. If you're uncertain about what information the requester is seeking, it's perfectly acceptable to contact them for clarification. This not only ensures that you understand the request correctly but also reassures the requester that you're taking it seriously.
3. Identify all personal data
Once the request is clear and the identity is confirmed, you'll need to initiate a comprehensive search within your organisation to identify all forms of personal data related to the data subject. This data could exist in various formats, including digital records, paper documents and more. A thorough search ensures that no relevant information is left out.
4. Assess exemptions
Data protection law provides certain exemptions, allowing you to withhold specific information from the DSAR response. For instance, data related to safeguarding or national defence might be exempt. You should be aware of these exemptions and apply them appropriately to avoid disclosing sensitive or confidential data.
5. Secure data disclosure
When you're ready to send the requested information to the data subject, you must do so securely, especially when electronic means are involved. Data security is vital to prevent any unauthorised access, breaches or data leaks. Encryption, secure email services or password protection can be effective measures.
6. Record keeping
You must maintain detailed records of the decision-making process and the information provided. This documentation serves multiple purposes. It demonstrates your compliance with data protection regulations, helps you track responses to multiple requests, and can be invaluable in case of any disputes or challenges in the future. Clear and organised records are your best defence in ensuring that your DSAR process adheres to the law.
Data Subject Access Request time limit
Under UK GDPR, you typically have one month to respond to a DSAR. However, if the requested information is particularly complex or if you receive numerous DSARs, you can extend the response period to two months. This extension should be accompanied by a clear explanation to the data subject about the delay.
What data is exempt from a Subject Access Request?
While DSARs grant individuals the right to access their personal data, certain exemptions apply. For example, you can withhold information if it pertains to safeguarding or national defence. It's crucial to be aware of these exemptions, as they ensure that sensitive data is not inappropriately disclosed.
Can a data controller refuse a Data Subject Access Request?
Yes, there are circumstances in which a data controller can refuse a DSAR. If the request is manifestly unfounded or excessive, the DPA 2018 allows you to refuse the request.
However, you must provide a clear explanation for the refusal. An example of a manifestly unfounded request might be a request for information already provided to the requester or if it's repetitive without a legitimate purpose.
Is my DSAR process right and how can it be checked?
Making sure your DSAR process is correct and compliant is of paramount importance. For small businesses, a simple and effective DSAR process lets you handle these requests without placing undue demands on your time and resources. Here are some recommendations to make your DSAR process efficient and compliant:
- Assign responsibility – designate a responsible team or individual for handling DSARs within your organisation (this helps in ensuring accountability)
- Create templates – develop templates for DSAR responses, including the required information (having standardised templates can expedite the response process)
- Regular training – provide ongoing training to your staff regarding data protection regulations and DSAR handling (ensuring that your team is well-informed is important)
- Maintain records – keep meticulous records of each DSAR, the steps taken and the information disclosed (this is critical for compliance and valuable if a dispute with the subject were to occur)
- Continuous improvement – regularly review and update your DSAR process to stay in line with changes in data protection laws
- Seek legal advice – consult with legal experts who specialise in data protection law, such as the data privacy solicitors at LawBite (they can review your process and make necessary adjustments to ensure compliance)
Recent ICO guidance
In a noteworthy development, the Information Commissioner's Office (ICO) has released new guidance for businesses and employers on responding to SARs. This guidance is particularly relevant in light of the 15,848 complaints related to Subject Access received by the ICO from April 2022 to March 2023.
The ICO's guidance underscores the importance of understanding the nature of SARs, emphasising the significance of responding promptly and accurately. Employers often underestimate aspects of SARs such as the fact that requests can be submitted informally, or the strictness of the response timelines.
This recent guidance from the ICO is a valuable resource for businesses and employers seeking to navigate the complexities of SARs effectively and ensure compliance with data protection regulations. Given the substantial number of complaints and recent ICO actions against organisations for failing to respond to SARs, it's clear that all employers need to stay informed and compliant.
Get legal assistance from LawBite
Responding to Data Subject Access Requests is an important aspect of data protection law in the UK and it’s an obligation that all businesses, including small enterprises, must fulfil. While it may seem time-consuming, adhering to the correct procedures not only ensures compliance but also helps in building trust and transparency with your customers.
At LawBite, we’re committed to providing practical and tailored legal solutions to meet the specific needs of small and medium-sized businesses. Our goal is to empower and educate our clients, helping them navigate the legal landscape with confidence. If you’re unsure about responding to a DSAR or need assistance with any aspect of data protection law, our data privacy solicitors are here to help.
Learn more about our data privacy services by booking a free 15-minute consultation with one of our expert lawyers or by calling us on 020 3808 8314.