Are Data Subject Access Requests on the rise again? It certainly appears to be that way from our experience with clients, especially with individuals using them as a default tactic when a dispute arises in the workplace. They are nothing new and we have seen them increasingly used since the implementation of the General Data Protection Regulation (GDPR) 2018.
What is a Data Subject Access Request (‘DSAR’)?
A DSAR is a request from a person for a copy of their personal data that is being processed or held by a company. These requests can be made verbally or in writing and it doesn’t have to say it is a DSAR. So, it is crucial that organisations take any requests for personal data seriously and understand their obligations when dealing with them.
Complying with a DSAR
Organisations generally have one calendar month to respond to a DSAR, calculated from the day you receive the request. However, requests are becoming increasingly complex and clarification may be necessary. The UK regulator, the Information Commissioner’s Office (ICO), has allowed the for organisations to extend the deadline if it is complex or ‘stop the clock’ in these instances. The time for responding is stopped between the organisation seeking clarification up until the data subject provides the clarification. This is a useful tool for organisations who do not believe they have the scope to extend the DSAR response to the full three months.
However, extending time or stopping the clock isn’t always enough for organisations to help them comply. We have experienced first-hand when assisting our clients, the time, stress and money that complying with these requests entails. With our expertise in data protection law, we can minimise the costs and legalities when dealing with a DSAR.
If you would like to receive a request or need help complying with DSARs, please do not hesitate to contact our solicitors by calling 0203 667 5400 or email [email protected]
