The EU General Data Protection Regulation (GDPR) grants individuals the right to find out what personal data an organization (called a data controller) holds about them by submitting a data subject access request (DSAR). This right is detailed in Article 15, “Right of access by the data subject.”
Though the GDPR has been in effect for a while now, many organizations are still uncertain about whether they are in compliance with this requirement of the law. In this article, you will learn answers to the most frequently asked questions about DSAR and get valuable tips for how to handle these requests efficiently.
DSAR: frequently asked questions
What is a data subject access request? A DSAR is a request an individual makes to know what data you have collected about them. Recital 63 of the GDPR states: “a data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”
How must organizations respond to DSARs? An individual who makes a DSAR is entitled to receive a confirmation that you are processing their personal data, a copy of that data, your privacy notice, and supplementary information.
What supplementary data should be provided? In addition to a copy of their personal data, organizations also have to provide individuals with the following information:
- The purposes of the processing
- The categories of personal data collected
- The recipients or categories of recipient that personal data is disclosed to or shared with
- How long the personal data is held
- Advice on additional rights, such as the right to object to processing; the right to request rectification, erasure or restriction; and the right to lodge a complaint with the ICO (the UK Information Commissioner’s Office) or another supervisory authority
- Where you got their data if you did not get it directly from the data subject
- The existence of any automated decision-making
- The security measures you provide if you transfer personal data to a third country or international organization
Can an employee send you a DSAR? DSARs are not limited to customers; anyone whose personal data you collect — including employees and contractors — has the right to submit one. However, organizations can refuse to comply with a manifestly unfounded or excessive request. That requires careful case-by-case consideration and confidence in your ability to explain your reasoning to authorities.
Can you charge a fee for a DSAR? Not in most cases. However, if a request is unfounded or excessive, you can charge a “reasonable fee” to cover administrative costs.
How much time do you have to respond? Normally, you must respond to a DSAR within 30 days of receipt. However, if the request is large or complex, you can request an extension of two months, though you must explain the reason for the delay within the original 30-day period.
What happens if you fail to meet the deadlines? Failure to comply with a data access request within 40 days can lead to significant fines and other regulatory penalties, as well as damage to your reputation.
Related data subject rights under the GDPR
In addition to granting individuals the right to submit DSARs to businesses, the GDPR provides data subjects with the right to:
- Require an organization to delete the personal data they hold about them (right to erasure)
- Transfer their personal data between service providers (data portability)
- Object to the processing of their data
More broadly, organizations are required to implement appropriate data protection measures over personal information, including both organizational and technical measures, and to promptly report data breaches.
How to ensure you can comply with DSARs
Data subject access requests are becoming increasingly common, so it is critical to ensure you can respond promptly. Your compliance project management team should take the following steps:
Appoint a responsible person. If your organization processes the personal data of EU residents regularly, systematically and on a large scale, you must designate a data protection officer (DPO), either internal or outsourced. This person serves as the point of contact for data subjects and is responsible for overseeing the company’s data protection strategy for GDPR compliance.
Develop data handling guidelines. Specify who can access which types of data, where each type of data should be stored and for how long, which documents have to be printed and where those printouts must be kept, which documents can have a digital version, how data must be purged once you no longer need it, and so on.
Identify the legal basis for processing personal data. Once you know what regulated data you have, you need to determine and document the legal basis for processing it. This is not just an exercise to justify storing all the data you want; you must ensure you have a legitimate reason to keep the data. Note that simply having a data subject’s consent is not sufficient justification for storing and processing their data.
Automate data discovery and classification. You must know precisely what regulated information you have, and that information has to be easily discoverable and accessible. The best way to achieve this is through data discovery and classification. Having a clear understanding of what sensitive data you store is valuable for more than just compliance — it will also help you refine your data collection policies, optimize your storage, improve your data management processes, and drive better user productivity and decision-making.
Perform regular risk assessments. Risk assessment is a security best practice that strengthens your defenses and helps keep your business out of regulatory trouble. Performing it regularly lets you adapt quickly to the changing regulatory and cyber-threat landscapes and harden the security of your critical information.