If you receive a DSAR or FOIA today, what will you do? Where will you start? How long will it take to get all the information together? The Data Protection Commission and the Office of the Information Commissioner are great resources. The documents in the links below are incredibly informative.
In this week’s blog, we are re-sharing Margaret Julian’s top tips for completing data subject access requests. Margaret’s consulting specialties and expertise include central bank regulatory compliance and data protection legislation.
Our own top tip to deal with DSARs is to use our DiscoveryControl platform (workflow management) and MailMeter (eDiscovery) 😁. If you only receive a handful of requests, or simply want an overview of the process, read on. You may also find this blog post helpful.
1. Know what employee deals with data subject access requests
Time is of the essence when dealing with a data subject access request. You have a month to respond, so don’t waste time sending it from desk to desk. If your company has a Data Protection Officer, great; otherwise it’s important that staff know what the process is. Don’t have a policy? Now is the time to draw one up.
2. Focus on the request, not the requestor
This is particularly important if the request is related to a disciplinary procedure. The request may follow an internal dispute or disciplinary action. The employee may be vexatious. The request may even contain aggressive language. When assessing whether a request must be complied with, make sure you have good reason to refuse. It is very difficult to justify a refusal of a request.
3. Never assume you can extend a request deadline
The initial response timeline is one month, with the possibility of extending the deadline by up to two additional months. Not starting the process straight away will put you on the back foot. An extension is only justified if, from the start, it is obvious that the request will take longer than a month to process. Notify the requestor early rather than waiting for the deadline.
4. Set the scope of the request
If an individual asks for ‘everything’, ask them to be more specific. They probably have something in mind. Try to avoid using the term ‘narrowing your scope’, as it may appear that you are limiting their request. A data subject access request applies to personal data; a request for commercial documentation falls outside its scope.
5. Don’t be worried about what you find
Make your employees aware of the rights of individuals in relation to their data. Have policies in place that ensure employees think before writing an email or creating a data file about a person. This reduces the chance of any nasty surprises in an access request (which can lead to legal cases). Keep it factual, not personal.
6. Know how and when to redact in a data subject access request
GDPR allows a subject access request to be made provided it doesn’t affect the rights and freedoms of others. Information about a third party in the same file/page/email must be redacted (unless you have consent from that individual). As an opinion given in confidence is exempt from a subject access request, it can be redacted.
7. You must justify all redactions
Don’t get ‘redaction happy’ with your black marker (or more sophisticated technology). You must document a justification for every redaction you make.
8. Consider reducing the amount of data that you hold
Organizations are only obliged to hold information that is necessary to carry out their work. The more data held, the more difficult the subject access request process can be. This is particularly relevant for unstructured data. Using generic mailboxes for departments instead of personalized email addresses means one less area to trawl through.
9. Be aware of the various forms a data subject access request can come in
A DSAR doesn’t need to be a formal process. A subject access request can be made verbally, over the phone, via social media, or in any other format. Frontline staff need to know this so that they can escalate immediately. Once the request is made, the clock starts ticking!
10. Be kind to yourself – let technology help you
Who wants to trawl through system after system to compile a response? Data Subject Access Requests require time and resources that can be put to better use elsewhere. Technology will make the process easier for you.
Interested in learning more about the technology options for managing DSARs?