Decoding Exemptions on Withholding Information – A Comprehensive Guide

Understanding the Surge in DSARs

In recent years, particularly with the onset of the pandemic, there has been a substantial increase in the submission of Data Subject Access Requests (DSARs).

This article, provided by data protection specialists, aims to shed light on the background of DSARs and addresses a common query: what information can be included in a DSAR and what grounds justify withholding certain details.

Clarifying the Concept of DSARs

Data Subject Access Requests (DSARs), also known as Subject Access Requests (SARs), are formal requests made by individuals to organizations seeking information about the personal data collected and stored about them.

Under the General Data Protection Regulation (GDPR) in the European Economic Area and the United Kingdom, individuals have the legal right to access their personal information.

Variety in DSAR Requests

DSARs come in various forms, from general inquiries about the information held to specific requests like accessing HR files, obtaining copies of email correspondence, or verifying account details.

These requests can be made verbally, in writing, or through various communication channels, and may be addressed to the organization without specifying a particular contact.

Significance of DSARs

While DSARs contribute to transparency in data processing within businesses, they are often viewed as burdensome. However, effective handling of DSARs can yield several benefits, enhancing data governance, operational efficiency, and customer trust.

Elements of a DSAR Response

Each DSAR is unique, requiring an individualized response based on the specifics of the request.

Common types of DSARs include requests for a data summary, confirmation of data processing details, correction of data, and employee-related requests. Timely and accurate responses are crucial in building and maintaining trust.

Timelines and Deadlines for DSARs

A DSAR must be addressed within one month of receiving the request. While there is provision for a two-month extension in complex cases, organizations must not exploit this option as a delay tactic.

Complex requests may involve technical difficulties, searches in large volumes of records, confidentiality issues, or the need for specialist legal advice.

Exemptions: Concealing Data Under Certain Circumstances

DSAR exemptions have been a source of confusion, leading to numerous complaints. Organizations can withhold data under various circumstances, including situations deemed manifestly unjustified or excessive, protection of others’ data, safeguarding rights and freedoms, crime prevention, and protection of certain types of personal data used for management forecasting or planning.

Best Practices for Handling DSARs

Successful DSAR management requires meticulous planning and control over data.

Recommendations for best practices include thorough data mapping, clear internal procedures documented in a DSAR Policy and Procedure document, staff training on data protection, and regular reviews of these practices to ensure compliance.

In conclusion, navigating DSARs involves a nuanced understanding of exemptions and proper data management practices, emphasizing the importance of transparency, accuracy, and adherence to legal guidelines.
