Finding yourself in the middle of a data subject access request (DSAR) and unprepared can be pretty jarring. Most businesses aren’t even GDPR compliant and will not know how to handle a DSAR.
However, you should keep in mind that the DSAR is not only easy to handle, but it is a way to show your customers that you care about their privacy and securing their data. This article will show what it is and how to handle one.
What Is A GDPR Data Subject Access Request?
The GDPR stresses the importance of the rights and freedoms of the natural person. So much so that if your compliance strategy was solely to cater and protect these rights, you would be miles ahead of the competition.
One such right under the GDPR is the “right of access by the data subject.” Essentially, this right allows any data subject the option to request access to the personal data your organization holds on them.
But it is not limited to this. Data subjects may also request information on how the data is processed and whether any third parties are involved in the processing.
A pro tip: include this information in your privacy policy, which is required by law anyway. Being as transparent as possible with your data subjects could save you a lot of time.
Providing general information about how you process the data and how you safeguard it could satisfy those sitting on the fence about exercising this right, saving you time and resources and keeping your customers happy.
Who Can Request Data Access?
Any EU data subject can exercise the right to request data access. If your organization processes the data of an EU data subject, then they may request access. If you don’t process any of their data, you will not have to act upon a data subject access request, but as a matter of courtesy, you should at least respond with an email stating so.
However, this excludes data subjects that reside outside of the EU. The GDPR does not cover non-EU residents. But some larger organizations, like Google, offer data subject access requests to all their users regardless of residency. If you wish to extend this service to all your customers, that is your prerogative, but it is mandatory only if you process the personal data of EU data subjects.
What To Expect From a Data Subject
If you do end up receiving a data subject access request, there are some things you can expect from the data subject making the request.
What the data subject will say in the email or phone call is more unpredictable. The European Union is a collection of many countries with different languages. Clarify that you will accept a DSAR in English. Still, if you are a non-European company, you should relay that information to your GDPR representative (Article 27), where they can advise you better.
Generally speaking, the data subject will inform you of their rights and request access to their data. They may also exercise other rights of which you may be unaware.
Lastly, you should supply contact details, either a phone number or email address, where the data subject can make a formal request. It will make it easy to recognize a DSAR if it is coming from one specific channel.
Rights of the Natural Person
Following a DSAR, the data subject might choose to exercise any of the following rights:
- Right to be informed: This right will form part of the privacy policy. It covers the data subject's entitlement to know which categories of data are collected.
- Right of rectification: After a DSAR, the data subject may find an error on the data you hold on them. The right to rectification means you must correct the wrong information.
- Right to erasure (also known as the right to be forgotten): The data subject may ask your organization to delete all data held on them. If they no longer use your services, you must comply, as there is no longer any legitimate interest.
- Right to restrict processing: Similar to the right of rectification, if inaccurate data is processed, the data subject may request a delay in processing until the information is corrected. The right to restrict processing is most often applied when the data subject does not want to delete data but seeks to have it corrected.
- Right to object to processing: The data subject may also request that the organization stop all processing entirely. However, this right is dependent on certain conditions; you can find the whole article here.
Gaining a better understanding of the individual’s rights means you will respond to a DSAR better.
Responding to data subject requests
Having the facilities in place for a DSAR is essential, but a correct response is crucial. The GDPR gives organizations a month to respond to a DSAR. If your organization has prepared adequately, it should not take you a month to respond, so the time frame is rather generous.
However, the full month may be needed for back-and-forth communication with the data subject.
Step 1: Acknowledge The Request
The first thing you need to do is to acknowledge the contact from the data subject. Acknowledgment of the request will begin the process and reassure the data subject that you are actively dealing with their request. Keep in mind that a DSAR can be sent to anyone in the organization.
Ensure that you enact a policy requiring that all DSARs redirect to the right person within the organization. Secondly, you must halt any deletion of the personal data regarding the individual making the request.
Altering or deleting data in an attempt to complicate a DSAR is a criminal offense.
Step 2: Verify The Individual
After acknowledging the request, you will want to verify the identity of the individual making the request. You are allowed to request identification to compare against what you already process as a means of verification.
For example, if you process passport information as part of the business operation, you can request that they send you a copy to verify it with your records. An individual can request via a representative, like a solicitor. Do your due diligence and ensure that the individual has authorized this request via a representative.
Step 3: Act Quickly and Clarify
When you are satisfied that the individual is genuine, it is time to act on the access request. If the data subject’s request is broad or unclear, please reach out to the individual and ask for clarification. Ask if they are requesting any specific category of data. The individual is in no way obligated to tell you why they are asking for the data, but this process may help establish the parameters of the data.
Lastly, as mentioned previously, this open communication channel reassures the data subject that you are taking their request seriously.
Step 4: Identify Data, Prepare Data Sets and Send
Once the request is clarified, it is time to identify the requested data sets in the information system and prepare them for “transport.” Transport here means finding secure channels to send the data through so that the recipient may access it safely.
Note that you may not disclose any data that may infringe on another natural person’s rights and freedoms. For example, you cannot disclose emails between the data subject and another person while fulfilling the access request.
Step 5: Record and Review Decisions Made
The final step is to record all actions taken and review the process. This step is essential because it will help your organization make improvements when the next DSAR arrives. This internal audit will also help in any supervisory authority review, allowing you to avoid fines.
How We Can Help
Handling a data subject access request is a small part of becoming fully GDPR compliant. Regulators are becoming more aware of data misuse, and the pressure for the supervisory authority to seek out non-compliant businesses is high.
Don’t let regulatory requirements slow your business down. Get in contact with RSI Security today, and let us help you with your compliance strategy. Schedule a consultation here.