Handling a Data Subject Access Request

Gal Ringel
6
min read

The number of data subject access requests filed each year continues to rise, and there’s no reason to think it will decrease in the near future. Although this shows great awareness about data ownership with consumers, it seems that businesses could use some assistance in responding to DSARs. <hl>Here are some of the steps worth considering when handling a DSAR.<hl>

How to Handle a GDPR Subject Access Request

Disclaimer: the following guide is not to be used for any legal purposes and was not created by legal professionals.

Verifying the subject’s identity

This step is important because it protects people’s data privacy and prevents further unauthorized use of personal data. If companies send private information to the wrong person or grant access without ensuring that the requestor has legal ownership, they would wreak havoc. 

As part of the verifying process, requestors may be asked to provide a photo ID, answer questions, or verify an email. The authentication efforts mustn’t create an unnecessary burden that prevents people from going through with their requests.

The subject access request process under the GDPR states that these measures must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” In one case, a company asked subjects to provide their national ID card when an email would have sufficed, and the Data Protection Commission considered it an infringement of the law. 

Reviewing the DSAR

Before the data collection and processing procedure begins, companies should review the request to map the data mentioned by the subject and determine how to approach the task. Typically, the company’s Data Protection Officer would be in charge of this step, considering any issues that may prevent the company from completing all aspects or some of the DSAR. The review will also map the relevant departments to be involved in the following steps, issue a suitable response template, and ensure it can be completed within the time limit stated by the applicable law. 

Gathering and packaging the data

This part of the DSAR process is considered one of the most challenging ones for companies, as most companies state that locating unstructured personal data is the biggest issue they face in responding to DSARs. The more complex data structures are, the harder it might be for companies to ensure that all relevant data is located and collected from both internal and external databases. 

Data packaging includes transforming the data to a specific format while ensuring that the file type is common and easy to access by the average user. Under some laws, the format must be similar to the one used when submitting the request. In some cases, remote and secure access to company systems may be granted to subjects. 

How to Handle a GDPR Subject Access Request

Disclosing the data in a secure manner 

Once again, companies should pay extra attention not to harm privacy rights when they wish to fulfill them. If the data requested by the subject includes private information that belongs to other users, it should not be disclosed, and an adequate explanation must be provided instead. This is one exemption mentioned specifically in data subject access request procedures under the GDPR and other laws. If the involved third parties gave their consent, their information may be included in the response. 

Keeping a record of the process and response 

There are several good reasons to document and file the response and the process leading up to it. First, the organization must be prepared for a data compliance audit or possible legal actions. Second, it can offer insights and relevant references for future requests. Document each of the above steps, keep track of all communications and file the documents in a designated place accessible only by authorized employees. 

Refusing to complete a DSAR

Data privacy laws state-specific cases in which companies have the right and sometimes the obligation to refuse DSARs. Each law is different, but certain scenarios tend to repeat themselves under several regulations. We’ve mentioned the issue of third-party data, which prevents companies from offering certain information to requestors.

In addition, protecting public or national security or avoiding obstruction of official legal investigations provide sufficient cause for refusal. If the requested data is simply not under the organization’s control, they should not be expected to deliver it but must inform the subject regarding the cause. Finally, unfounded or excessive requests meant to harass the company may offer reason to deny subjects of their requested data. Subjects can challenge the refusal, and the legal authority responsible will look into the matter and decide. 

In addition to refusal, companies can ask to extend the response time or charge a fee in some cases. Under the GDPR, companies must complete their response to DSARs or data removal requests within 30 days but may extend the period to up to three months when complex or multiple submissions are involved. The same goes for time limits related to data removal. If the request is deemed unfounded or excessive, they may also charge a reasonable fee if they choose to address the request instead of denying it. 

Simplify DSARs with Mine for Business

The DSAR response process includes more steps and considerations than those mentioned here, making it particularly challenging for companies. Mine for Business simplifies the process by enabling companies to handle data privacy requests quickly and easily and efficiently manage each step. The users’ identity can be verified instantly, with easy monitoring and documentation of requests, contributing to happy end-users that are granted more control over their data. Give it a go and see for yourself.