Data subject access requests (commonly known as DSARs or SARs) are a key component of data protection rights in the UK. Whilst all individuals are entitled to receive a copy of their personal data and often have legitimate desire to have this information, DSARs are increasingly being used and abused as a tool in litigation or as a way of causing disruption. Here is a practical guide to help employers navigate DSARs.
Step 1: Understanding the Legal Framework
It’s essential to have a solid understanding of the legal framework. The key legislation governing DSARs in the UK includes the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). The Information Commissioner Office (ICO) offers practical guidance and advice on all aspects of data protection, from detailing an organisations’ responsibilities, to how to handle a DSAR.
Step 2: Establish Internal Processes
Developing robust internal processes is crucial for managing DSARs. It’s important to assign a dedicated individual or team responsible for handling DSARs within your organisation who have been properly trained. If you need help training your staff, then we can help you. This person can then ensure that requests are identified, processed, and responded to within the required timeframe, which is one month.
Step 3: Educate Employees
Educating employees about retaining information and their responsibilities is vital, especially in the context of potential litigation. Ensure your workforce understands the importance of data protection, their obligations when handling DSARs and why only relevant information should be retained, as well as understanding the procedures in place to address such requests. Their devices are also likely to be searched as part of the data collection process for a DSAR which they may not appreciate. This can also cause problems when it comes to undertaking a data protection audit which, again, is an essential practice for any business processing personal data. Regularly review and update your policies and train your staff so they are aware that WhatsApp, email and text messages are all potentially disclosable.
If a request has been made in the context of litigation, special care needs to be taken it’s best that you obtain legal advice in that scenario.
Step 4: Implement Effective Data Management Practices
To navigate DSARs successfully, organisations must implement effective data management practices. This includes maintaining only relevant, accurate and up-to-date records of personal data, establishing data mapping processes to identify where personal data is stored, and implementing appropriate security measures to protect the data. Although data protection audit’s can be daunting, they are essential to ensure that you are compliant and aware of where personal data is stored and processed.
Step 5: Responding to DSARs
When a DSAR is received, the clock starts ticking. Organisations must respond within one month, providing the requested information or explaining any valid reasons for extending the response time up to 2-3 months.
Step 6: Documentation and Record-Keeping
Maintain detailed records of all DSARs received and the steps taken to respond to them. Document the decision-making process, including any legal assessments or exemptions applied. This helps demonstrate compliance in case of any future audits or disputes.
Navigating data subject access requests in the UK requires a proactive and well-structured approach. By understanding the legal framework, establishing robust internal processes, implementing effective data management practices, and following the recommended steps for responding to DSARs, organisations can navigate these requests efficiently and maintain compliance with UK data protection laws.
Should you receive a data subject access request or would like to undertake a GDPR audit to ensure your company is data protection compliant, please contact our Loch Law team who can offer support you or manage this as a whole for you.