The right people and technology to deliver an efficient end-to-end solutiom
The right people and technology to deliver an efficient end-to-end solution
2. How are DSARs and GDPR related?
3. Who are the beneficiaries of DSARs?
4. Example of a Data Subject Access Request
8. How to respond to Data Subject Access Requests?
10. Charging a fee for the DSAR Response
11. What needs to be included in a DSAR?
12. What are some common DSAR response challenges?
13. Deadline for responding to the DSAR?
14. Refusing to respond to a DSAR?
DSAR stands for data subject access requests and is just one of the eight rights granted by the GDPR.
A DSAR is a right granted in Article 15 of the GDPR and imposes an obligation on organizations to respect and service data subject requests.
The data subject is a direct beneficiary of a DSAR. However, the obligation on organizations to comply with DSAR requests also has benefited through the necessity to implement effective data governance measures, which can manage risk and improve efficiency.
An employee or past employee of an organization could make a DSAR request for their information or a customer of an online retail company could request access to their account details and transactions.
Both the GDPR and CCPA provide this right, which requires organizations to allocate resources and implement measures to manage requests. The CCPA refers to an access request as the 'right to know' where consumers have the right to request that a business that collects a consumer's personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.
Anyone who is a data subject of an organization, whether they are an employee, customer, member, patient, account holder, etc.
Ensure an effective process for receiving, managing and completing DSARs is developed and implemented, and roles and responsibilities are allocated to individuals working on requests
All requests should be acknowledged without delay, ideally by email if the request has been received by email. Once the request and identity of the data subject has been validated, the data relating to the data subject should prepare in an intelligible manner, without jargon or company acronyms and presented in an easily accessible way, to enable to data subject to receive and access the data they requested.
The responsible individual/s should respond to a DSAR request on behalf of the data controller.
A fee is not applicable - unless any further copies are requested then the controller may charge a reasonable fee based on administrative costs.
All personal data relates to the data subject unless the data subject is only requesting specific data and not all.
Common challenges are the ability to locate and retrieve data from an organization’s IT estate, which could extend to systems, applications, legacy systems, email mailboxes, folders, repositories, system logs, CCTV, and building access records. Also, DSARs can be very time-consuming which impacts resources and their operational duties.
All personal data relates to the data subject unless the data subject is only requesting specific data and not all.
There are possible circumstances where a data subject may not be entitled to certain information which they have requested, where an organization relies on an exemption that is provided in Article 23 of the GDPR and detailed further in the Data Protection Act 2018.
