In today’s data-driven world, where 120 zettabytes of data are generated daily, ensuring data privacy and personal data protection is paramount. Amid this, organizations are under increasing pressure to comply with evolving data protection regulations.
Processing Data Subject Access Requests (DSARs) efficiently and lawfully is crucial to this compliance journey. The United Kingdom’s data protection regulator, the Information Commissioner's Office (ICO), has published comprehensive guidance on DSARs, enabling organizations to navigate the complex landscape of such requests.
This guide delves into the critical components of the ICO's guidance on DSARs and enables organizations with a clearly defined roadmap to comply with these evolving data protection requirements.
Understanding DSARs
Understanding the significance of DSARs is crucial before delving into the ICO's guidelines. A DSAR is a request made by or on behalf of an individual (the data subject) to access the information they are entitled to request under Article 15 of the UK GDPR. DSARs are a crucial component of most data privacy regulations enacted worldwide.
The UK GDPR doesn't specify strict rules for making a DSAR. Individuals can make a DSAR verbally or in writing, even through social media. They can address it to any part of the organization without specifying a person or contact point.
The request doesn't need specific phrases like 'subject access request' or references to GDPR Articles. It just needs to be clear that the individual is seeking their personal data. A request can be valid even if it mentions other legislation, such as the Freedom of Information Act.
Under renowned data privacy laws such as the European Union’s General Data Protection Regulation (GDPR), the UK’s Data Protection Act 2018, and the California Consumer Privacy Act (CCPA), individuals have the right to initiate DSARs and organizations are legally obligated to respond to them within a specific timeframe.
ICO's Role in Data Protection
In the UK, the ICO plays a crucial role in regulating and enforcing data privacy legislation. The ICO is an independent body established to uphold information rights. It aims to protect individuals' right to privacy while encouraging accountability and transparency among organizations that process personal data.
As part of its mandate, the ICO provides comprehensive guidance to assist organizations in understanding and complying with evolving data protection requirements, such as DSARs. This guidance helps data subjects exercise their rights and enables controllers to respond in compliance with the law.
Key Components of ICO's Guidance on DSARs
Regardless of whether you commonly receive DSARs, it is crucial to be well-prepared and adopt a proactive approach. This ensures an efficient and timely response to such requests. The extensive ICO guidance on DSAR is intended to help organizations handle DSARs efficiently.
Identifying a DSAR
Recognizing a DSAR when you receive one is the cornerstone of the ICO's guidance, which explains how to identify a legitimate request. This includes obtaining enough information to verify the requester's identity, determining the request's scope, responding within the specified time limits, ensuring the request is submitted in writing, and being clear about the personal data that is being requested.
Using standardized forms can make it easier to identify the DSARs for both organizations and individuals. Recital 59 of the UK GDPR suggests offering electronic means for DSAR submissions, particularly when processing personal data electronically. Therefore, it is advisable to create an electronic subject access form for individuals to complete and submit.
It's important to clarify that DSARs are valid whether submitted through a form, letter, email, or verbally. Encourage the use of the form but emphasize that it is optional, leaving individuals free to choose their preferred method of submission.
How Organizations Should Prepare for DSARs
There are numerous ways for organizations to prepare for DSARs depending upon the type of personal data they are processing, the number of DSARs they receive, and their size and resources. Such preparation may include the following steps:
Awareness
Provide information on how individuals can submit a DSAR, for example on your website, in pamphlets, or within your privacy notice.
Staff Training
Conduct comprehensive training for all staff to ensure they can identify a DSAR. Additionally, offer more detailed training specifically focused on DSAR handling to staff members whose job roles involve dealing with such requests.
Organizational DSAR Handling Guide
Create a designated data protection page on the company's intranet. This page should contain links to policies and procedures related to DSARs.
Request Handling Staff
Designate a specific individual or a central team within your organization with the responsibility of responding to DSARs. It is important to ensure that multiple staff members are trained in DSAR processing procedures to provide resilience in case someone is absent.
Asset Registers
Keep information asset registers that clearly document the locations and methods used for storing personal data within the organization. This practice is crucial in expediting the retrieval of necessary information when responding to DSARs. By maintaining a comprehensive record of where and how personal data is stored, organizations can streamline the DSAR process.
Checklists
Develop a standardized checklist for staff to ensure a uniform and systematic approach to handling DSARs. This checklist should promote consistency, efficiency, and compliance with the ICO guidance and the Data Protection Act.
Logs
Keep a record of all the DSARs your organization has received and update it to track progress. This log can include copies of the information the organization has provided in response to a DSAR, along with any material that has been withheld and the reasons for doing so.
Retention and Deletion Policies
Have clear and documented policies for the retention and deletion of the personal data you process. This practice ensures that information is not retained longer than necessary, potentially minimizing the volume of data that needs to be reviewed when responding to a DSAR.
Security
Implement appropriate security measures to send information securely, such as using trusted courier services or employing a system to verify email addresses and review responses before sending.
How Do Organizations Comply with DSARs
The following key components act as your road map to compliance with DSARs:
Responding to DSARs
Organizations have a deadline for responding to DSARs. The ICO guidance outlines the timeframe within which organizations must respond to requests and provides additional guidance on handling complicated or repeated requests.
A DSAR should typically receive a response without undue delay and no later than one month after receipt of the request or any requested information to confirm identity or a fee. This can be extended by two more months for complex or bulk requests, but the individual must be informed of the extension and its reasons within one month of receiving the request.
Clarify the Request
Organizations can pause the one-month time limit if the data controller needs the requester to specify the information and processing activity in the DSAR before responding to the request. This is known as “stopping the clock.”
The clock only stops when you seek clarification specifically related to the requested information. It does not come into effect if you seek clarification on other matters, such as the format of the response.
Although the response clock is paused until the clarifying information is received, clarification requests must not be used as a means of delay. Instead, where the request is genuinely unclear, the ICO expects organizations to:
- make prompt contact with the individual in question in the same format in which they made the request (for example, via phone or email, if acceptable);
- maintain a record of any conversation you had with the individual in question regarding the nature of their request;
- notify the individual why additional data is being requested;
- have the ability, upon request, to justify their position before the ICO; and
- after a clarification request goes unanswered, allow an adequate period of time before deeming the DSAR "closed."
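The timing rules above (one month from receipt, paused while a genuine clarification request is outstanding, and extendable by two further months only if the individual is told within one month) are easy to get wrong when tracked by hand. The following is an added example, not code from the ICO or from Securiti, showing how a DSAR case-tracking tool could compute the deadline from the dates it records. The `DsarTimeline` class, its field names and the sample dates are constructed for illustration; the month-end fallback in `add_months` (31 January plus one month becomes the last day of February) is an assumption about how calendar months should be counted and is not stated on the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import calendar


def add_months(d: date, months: int) -> date:
    """Move `d` forward by whole calendar months.

    Assumption (not stated on the page): when the target month has no
    corresponding day (e.g. 31 Jan + 1 month), use the last day of that month.
    """
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class DsarTimeline:
    """Dates recorded for one DSAR (hypothetical tracking record)."""
    received: date                                 # request, ID proof or fee received
    clarification_sent: Optional[date] = None      # clock stops on this day
    clarification_received: Optional[date] = None  # clock restarts on this day
    extension_notified: Optional[date] = None      # individual told of 2-month extension

    def pause(self, as_of: date) -> timedelta:
        """Days the clock has been stopped; still counting if no reply yet."""
        if self.clarification_sent is None:
            return timedelta(0)
        end = self.clarification_received or as_of
        return max(end - self.clarification_sent, timedelta(0))

    def extension_valid(self) -> bool:
        """The extension only counts if notified within one month of receipt."""
        return (self.extension_notified is not None
                and self.extension_notified <= add_months(self.received, 1))

    def deadline(self, as_of: Optional[date] = None) -> date:
        """Statutory response date: 1 month (or 3 with a valid extension) plus pause."""
        as_of = as_of or date.today()
        months = 3 if self.extension_valid() else 1
        return add_months(self.received, months) + self.pause(as_of)

    def days_remaining(self, as_of: date) -> int:
        """Positive while time is left, negative once the request is overdue."""
        return (self.deadline(as_of) - as_of).days


if __name__ == "__main__":
    # Constructed sample: clock stopped for five days awaiting clarification.
    tl = DsarTimeline(received=date(2024, 3, 10),
                      clarification_sent=date(2024, 3, 15),
                      clarification_received=date(2024, 3, 20))
    print("deadline:", tl.deadline(date(2024, 3, 25)))
    print("days remaining:", tl.days_remaining(date(2024, 3, 25)))
```

A late extension notice is deliberately ignored rather than raising an error, so the tracker keeps reporting the original one-month deadline; surfacing that as a warning in the DSAR log would be a natural next step.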
Charging Fees
Although most DSARs are free, organizations can charge a reasonable fee for administrative costs under specific conditions. Organizations cannot charge for responding to DSARs unless they are manifestly unfounded or excessive or an individual requests more copies of their data following a request.
Adjustments for Disabled People
Individuals with disabilities might encounter challenges in communication, potentially making it difficult for them to submit a Subject Access Request (SAR). There is a legal obligation to implement reasonable adjustments if they wish to make a request. If the SAR process is not straightforward, it is advisable to document the information in an accessible format. Additionally, it is recommended to send this documentation to the person with a disability to ensure the accuracy and confirmation of the details related to the request.
ID Check
To prevent the accidental or deceptive transmission of personal data about an individual to another party, it is crucial to ensure the following:
- Organizations are certain about the identity of the requester (or the person on whose behalf the request is made), and
- The data organizations possess is genuinely associated with the specific individual in question, especially in cases where individuals share similar identifying information.
It is permissible to request sufficient information to assess whether the requester (or the person on whose behalf the request is made) is indeed the individual the data pertains to. It is essential to exercise reasonableness and proportionality in determining the extent of information sought. If the requester's identity is readily apparent, there should be no unnecessary request for additional information.
Although it is not necessary to retain copies of identification documents, it could be beneficial to maintain a record of the following:
- The specific identification documents submitted by the individual;
- The date on which the verification process was conducted; and
- Details regarding the personnel within your organization responsible for the verification.
Before supplying any information in response to a SAR, it is imperative to confirm that accurate and current details are available for delivering the response, such as ensuring the correct email address is used.
When Can Organizations Refuse to Comply with a Request
In cases where an exemption is applicable, organizations can decline full or partial compliance with a DSAR. It is essential to note that not all exemptions apply in the same manner, and a careful examination of each exemption is necessary to determine its application.
Additionally, organizations have the right to reject a DSAR if it is deemed:
- Manifestly unfounded; or
- Manifestly excessive.
If organizations refuse to comply with a DSAR, they must notify the individual of the reasons for non-compliance, of their right to complain to the ICO, and of their right to take legal action before the competent court.
How Securiti Can Help
As data privacy regulations evolve, organizations that invest in robust DSAR automation tools will be better equipped to meet the growing expectations of a data-conscious society while maintaining compliance and confidence with their data subjects.
Securiti DSAR automation is the most efficient and modern way to honor DSARs. By implementing automation, organizations can save money during the DSAR process, dramatically lower their risk of compliance fines, and maintain brand integrity.
Request a demo to witness Securiti in action.