A data subject access request (DSAR) is a written request submitted by an individual to a company or organization that is processing, storing, or using data that can identify them. A DSAR can arrive at any time, so your organization needs a procedure in place to respond.
As the number of DSARs rises, it is vital that organizations have systems in place to meet the demand. Complying with your data obligations and providing an audit trail of how each request was handled is essential.
1. Be confident that you know how to respond to a DSAR
Completing a DSAR is time sensitive. In line with the GDPR rules, organizations must:
- respond to valid requests without undue delay
- respond at the latest within one month of receiving the request.
Whilst extensions are available, they must be justified. It is best practice to inform the requester as soon as possible and give them regular updates. Once the DSAR has been acknowledged, it needs to be assigned to the right person to handle and research it. Prepare your organization by appointing a compliance officer and having an organized system, so that you can respond with the right information.
2. Make sure you know who deals with your compliance requests
3. Have a solution in place so you can respond to a DSAR
When it comes to completing a DSAR, you will need to document a justification for every redaction you make. Reducing the amount of data you hold makes the DSAR process more streamlined.
Having a solution in place allows you to:
- have a policy for both your structured and unstructured data repositories
- qualify, search, review, redact, and export the information accurately to the individual
- use software solutions such as ComplyKEY to see your email and file data and manage the workflow.
4. Make sure to review, redact, and remove information that is not relevant
It is key to ensure that, when you respond to the request, no information belonging to a third party is included in the same file, page, or email. Be sure to remove any information that is not relevant, as well as any confidential personal data that is not the requester's own. If third-party data is disclosed, it is potentially a data breach: you will need to contact all individuals affected and clearly explain what information has been shared, and you will also need to notify the relevant DPA in your country within 72 hours.
Remember to check the individuals cc’d or bcc’d on every email coming into and leaving your organization. They must be removed from any export.
5. Be sure you know how to formally respond to a DSAR
GDPR suggests that you should respond to a request in the same way the request was made, unless otherwise specified. You should keep an audit trail of the request, including:
- the sources of information gathered
- the review undertaken
- the decisions made on whether information amounted to personal data
- whether exemptions or delays were applied.
Simplify things by ensuring that your processes and procedures for responding to a DSAR are up to date and maintained, that they adhere to your policies and privacy statement, and that staff have the relevant training and software solutions in place.
To learn more about our ComplyKEY suite of DSAR solutions click on the links below or request a demo.