Every data subject has the right to be informed if their personal data is being processed by your business . They also have the right to access their personal data and to obtain further information as set out in Article 15 of the GDPR. This is known as a Data Subject Access Request (DSAR).
Failure to respond to a DSAR will probably lead to a complaint to the ICO who will investigate your failure to respond. The fines and sanctions that the ICO can impose are serious!
When receiving a DSAR from a current or former employee, there is often a sigh of fear and frustration! Dealing with DSARs is often very time consuming and labour intensive. I have seen a significant rise in DSARs being made and it is important that you are ready and able to respond in the event that you get one. There are certain circumstances where you are not required to respond, I do not propose to go into these circumstances in this insight but please feel free to get in touch if you would like further information. This blog assumes that you have a DSAR that needs to be responded to.
I would recommend that all organisations have a policy and process in place to deal with DSARs. We can provide one. This ensures consistency in handling with the request, and if your Data Protection Lead is not available it means you can deal with the request confidently in their absence.
The first things to look at when a DSAR is sent to you:
1. You have one month in which to respond to the request. As soon as you have received it, put the date in your diary and highlight it
2. Who in the organisation will be handling the request and who else will be involved in the search?
3. Carry out an initial assessment of the request – do you even process data concerning the individual?
4. Request ID to confirm who the person is
5. If the DSAR is simply ‘give me everything that you hold on me’, request that the data subject narrows the scope of their search, i.e. specific events, specific dates, specific people, location of data – you are entitled to do this and it is important that you understand what the individual is looking for. If the request is from a former employee who has been employed by you for 20 years, there will be a huge amount of information in personnel files and email servers, the ‘give me everything’ request therefore may be excessive. If the scope of the request is substantial and complex, consider extending the time to respond. The one month response period can be extended by a further two months and it is important that you notify the data subject of this extension and reasons that you require it.
6. Write to the data subject and acknowledge receipt, setting out when you will respond by, the approximate number of documents and ask to clarify the scope of their request (if required).
7. Once the data subject has narrowed the search, let the search commence. The duty is to make a genuine and extensive search which is ‘reasonable and proportionate’. Search mailboxes, personnel files, back-ups, deleted data and any other storage systems you have.
8. Are there any applicable exemptions to the subject access rules?
9. Redact third party data, redact information which is not relevant or is not personal data at all or is confidential.
10. Prepare a response in line with Article 15 GDPR
Sampson Hall has a proven track record of working successfully throughout an organisation and can advise and bring together all the functions of the business in order to ensure overall GDPR compliance.
Our offer includes:
Staff awareness sessions
Data mapping and data flow
Data protection impact assessments
Annual GDPR audits
Data protection officer services
We offer a free strategic GDPR audit, please get in touch for further information.
Tom Ziemski (Data Protection Officer): firstname.lastname@example.org