The basics of Data Subject Access Requests (DSARs) and how to respond

by | Mar 14, 2019 | Document Review

You have received a Data Subject Access Request. What should you do next? Don’t panic or put your head in the sand hoping the request will go away. LDM Global can help to make the process as efficient as possible. Read on to learn the basics about DSARs.

What is a DSAR?

A Data Subject Access Request, often known as a DSAR, is a written request from an individual to a data controller (company holding personally identifiable information) asking for the information held about that individual. However, there is no prescribed form. The request should have a reasonable explanation as to why the request is being made.

Are employee DSARs different from “regular” DSARs?

Although employee DSARs are technically the same as any other DSAR, the personal data held by an employer about an employee is often more comprehensive than what another organization might hold about an individual. For instance, information could include employment history, health information, bank details, disciplinary actions, annual review and performance, or more.

How long do I have to respond to a DSAR?

The data controller has 30 days to respond to a DSAR and provide the data requested. The period can be extended by up to two additional months by informing the employee within one month of the request of the need for the extension, and the reasons why.

What should I do next?

When you receive a request, there are a few steps to take immediately. Forward the request to your organization’s Data Protection Officer. He or she should have a protocol in place of how to respond.

Additionally, you need to verify that the person making the request is indeed the person named in the request. You wouldn’t want to mistakenly give out personal information to the wrong person. Some requests may come through third parties, such as solicitors or unions. Here employers will need to be satisfied that the request has been duly authorised by the individual.

You should also check that you have all the information needed to locate the data and respond to a request.

How do I respond to the request?

Once you have verified the source of the DSAR, set a goal of when you would like to respond to ensure you meet the 30-day deadline. Then set up your plan for finding the relevant information and reviewing the information.

Once you have identified all of the documents containing information about the individual, you need to review them to ensure:

  1. The documents do not contain privileged information
  2. The documents do not contain information about third parties

If the documents do contain information that should not be disclosed, that information will need to be redacted before they can be given to the individual or body who made the DSAR.

Can I amend the data?

No, the data should be provided as it was at the date of the request.

How can I make the process easier?

Service providers such as LDM Global can streamline the process and increase efficiency. DSAR Solutions by LDM Global offers collection of your documents, which are then processed into a secure, easy-to-use platform. We use standard workflows built on common request types to help organize the data for you. Your lawyers can then review the documents easily, redacting out privileged or personally identifiable information of third parties before responding. If you would prefer less involvement, LDM Global can also review the documents for you, ensuring streamlined, consistent results.

Interested in Learning More?

Contact form-DSAR and Managed Document Review