Data Subject Access requests (DSAR) or Subject Access Requests (SAR) tend to be treated as something companies would rather ignore, until they have no choice. Most organisations will strictly follow the saying “failure to plan is planning to fail” in terms of their sales and marketing efforts. Customer service teams look at complaints or negative reviews as an opportunity to make a dissatisfied customer into a happy customer, or even an advocate.

Why then is data and privacy management under the GDPR not treated as the same opportunity? A well-handled DSAR builds trust in the eyes of the individual and a well-publicised culture of good data and privacy protection helps sales and marketing and builds confidence in the wider customer base.

Under the UK and EU GDPR individuals (also called Data Subjects) have the right to make a Data Subject Access Request. These requests are designed to allow individuals to find out what personal data and supplementary information is held by your organisation about them. For detailed information on DSARs read our guide What is a DSAR?

Firstly, don’t panic, as a data superstar this is your time to shine and show your company’s commitment to the GDPR and a culture of good data governance and privacy management. It will happen eventually, in fact DSARs are on the rise. According to research by the Data Privacy Group in November 2021, UK businesses are spending between £72,000 and £336,000 per year handling data subject access requests. In the same year, the UK Data Protection Index reported a 66% increase in the average number of DSARs received. This is a good thing; people are increasingly aware of their rights and value their privacy. Your organisation can foster trust with your customers by handling their data correctly and responsibly.

Here is what you need to do according to the GDPR, Article 12(3):

It is important to understand the GDPR and be able to recognise a DSAR when you receive it. You will need various policies in place to handle DSARs such as a means of recording access requests received verbally. If you are unsure about the identity of the individual making the request through email, social and other channels, you will need to verify it by asking questions only they should know the answers to.

It is possible that a third party, such as a family member or solicitor may make a DSAR on behalf of someone else. In this case you will need to get written consent from that individual that the third party is allowed access to the data. Remember you are against the clock to supply a prompt response, but the time limit can be paused if there is a need to ask the individual for more information or clarification.

It is particularly important to understand the nature of the supplementary information you need to provide in response to a subject access request. Too often answers to DSARs are criticised for being too generic. The more detailed you are with your response the better. Remember to include the information details for its amendment or deletion. This supplies transparency for the data subject and is less likely to result in a complaint to the relevant authorities.

If the data you hold also has data about other individuals, that data will need to be redacted. They have a right to privacy too and only information relevant to the data subject can be shown to them. There may be circumstances were supplying the requested data may give away details about someone else’s data or identity. This requires careful thought on your part about what information you can supply or getting permission from the other data subject. For example, the requesting individual may be able to guess the identity of another data subject from the information you supply. In this case permission would need to be sort from the person that could be identified or the data could not be provided.

One of the biggest challenges facing SMEs when responding to DSARs is a lack of systems and processes in place to deal with the request. The data is usually stored in many places, so simply finding, and accessing it can be difficult. Often it is stored in emails, cloud storage systems, physical documentation and even CCTV equipment. This is usually a manual process for most organisations and with the time limit the results are often a poor-quality generic response that costs your company time and money.

Data mapping is an important process for organisations to get accustomed to. Mapping what data you have, where it is held and who handles it; shows that the data you have has been handled appropriately and ensures SARs are responded to in a prompt and cost-effective manner. Check out our video What is Data Mapping Explained!

There is usually a lack of proper training for team members who are not qualified Data Protection Officers, but the task of handling DSARs has fallen to them. They are usually members of the customer service or complaints team and may have little or no formal training in data governance or privacy management. This can leave your organisation vulnerable to complaints and weaken your ability to defend against them.

Palqee’s user friendly software makes data protection and privacy management assessable, collaborative, and easy. Allowing you to record, map and easily report on the personal information you store. Detailing where it is stored, who handles it and its purpose. Delivering peace of mind, time savings and value for your organisation.