Subject access requests
Individuals have numerous rights under UK GDPR and the Data Protection Act 2018. Most notably:
- The right to be informed (this information is usually set out in a privacy notice)
- The right to request access to their personal data
- The right to have inaccurate or incomplete data rectified
- The right to be forgotten
- The right to restrict processing
- The right to object to processing
- The right to receive personal data they have provided in a structured, commonly used and machine-readable format and to transmit this without hindrance; and
- Rights related to automated decision making
The right most commonly exercised is the right of access.
Understanding DSARs
Individuals have a right to request access to their personal data which is held by organisations acting as data controllers. They can do this via a “Data Subject Access Request” (known as DSARs or SARs).
If a DSAR is made, the data controller must give the individual certain information about the processing of their personal data and must give them access to that data (save in limited circumstances provided for by the legislation).
Given the amount of personal data which can be held across a number of different sources – both electronic (such as emails and computer systems) and physical (such as employee personnel files) – this can be a very intimidating task.
Why You Need a Solicitor
Both making and responding to a DSAR can be incredibly daunting.
Individuals need to be confident about what they can ask for, how they make a request and what they can do if they are not satisfied with the outcome or processing activities.
For organisations, searches to uncover personal data are often extensive and return large volumes of documents, which usually need to be sifted through and carefully redacted, taking into account obligations of privacy to third parties and other factors. A response then needs to be provided to the individual who made the request, containing certain prescribed information.
Organisations need to ensure they understand how to carry out the search appropriately, what they can ask for from the data subject, how they should handle the information received and what they should be sending at the end of it all.
Fortunately, we are experts in assisting clients on all aspects of the DSAR process. We also have expertise in making these requests on behalf of individuals.
For Individuals:
Our solicitors can guide you through the DSAR process from beginning to end. We can work with you to understand what information you need and help you draft your DSAR to the data controller. We can review the response to the DSAR and assist you with next steps, such as making a complaint to the ICO should this be required.
For Businesses:
Our solicitors can help you navigate the entire DSAR process. We can:
- Provide advice and guidance when you first receive a DSAR
- Advise you on your search for personal data including your legal obligations in relation to this
- Review your search results and consider any exemptions that apply
- Undertake the redactions process for you, helping you to comply with your legal obligations to the data subject and to third parties
- Draft letters for you as part of the process, including the letter to the data subject setting out the statutory information you are required to provide
- Assist you in dealing with any complaints raised about your handling of personal data including responding to any complaints made to the ICO.
Dealing with DSARs can be an onerous and time-consuming task, but our team can take on some of the burden for you and help you comply with your legal obligations.
Why is it important to get DSARs right?
For individuals, it is important to get a DSAR right, as you want to ensure you receive the information you are seeking so you can check this is being properly processed.
For organisations, a failure to properly respond to a DSAR can lead to complaints to the ICO or Courts which, in turn, can lead to hefty fines and compensation. There will also be added risks for businesses aside from financial considerations, such as negative publicity.
How can we help your business deal with future requests?
It’s important to be prepared!
We can help you assess your policies and procedures for dealing with DSARs and can provide bespoke training, adapted to your business and needs, to ensure you have effective mechanisms in place to deal with DSARs should you receive these in the future.
Contact Our Expert Data Protection Solicitors
If you need any assistance with DSARs, please do get in contact with our data protection team who will be happy to help.
“Very professional, knowledgeable and accessible lawyers.”
Chambers and Partners
FAQs – Subject access requests
Any individual who may be identified from any form of document, whether directly or indirectly, is a data subject. This is a key concept used to determine what data falls under the category of ‘personal data’. Data subjects have certain rights under the UK GDPR.
A data subject access request (DSAR) is a request made by an individual to:
- Obtain confirmation from an organisation that it is processing their personal data
- Access their personal data held by an organisation
- Receive other information concerning this data and its processing purposes
Any data subject (the identified or identifiable living individual to whom personal data relates) has the right to make a DSAR. We see these being made frequently in the employment context, whereby an employee submits a DSAR to their past or present employer.
As a first step, the identity of the individual submitting the DSAR must be verified. The validity of the request should be checked, and relevant personal data must then be collected and provided to the data subject, possibly in an amended format.
An organisation must respond to a DSAR “without undue delay” and within one month of the request being received. This deadline may be extended up to three months in total if the request is a complex one, or if an individual has submitted several DSARs to the same organisation.
Responses to DSARs must be provided free of charge, unless the requests are “manifestly unfounded or excessive”, in which case the organisation may charge a reasonable fee or refuse to act on the request (but this decision may be subject to a review by the Information Commissioner’s Office).
Responding to a DSAR can be time-consuming and expensive, which is why a DSAR is sometimes made as a tactical strategy in a dispute between an individual and an organisation.
A DSAR is a fundamental right under the UK GDPR. The UK GDPR regulates the way organisations handle personal data and it is important for organisations to comply with the UK GDPR’s requirements when responding to DSARs.