DSAR management: 5 key steps for privacy teams

by Sypher | Published in Resources


The Data Subject Access Request (DSAR) is an eternally hot topic in the world of data protection, and it's been keeping DPOs on their toes. 

We’ll break down what you need to know about DSARs under the GDPR, from key steps to actionable suggestions on how to manage them effectively. You can also look forward to a few extra useful resources sprinkled in key parts of the article.

The 5 key steps to managing DSARs

With both the data subject’s rights and your organisation’s interests in mind, here are the five key steps you need to take once a DSAR has been received by your organisation:

1. Recognise, record and analyse the request

DSARs can come in through a variety of communication channels, such as phone, email or social media. It is therefore important to ensure that all employees are able to recognise these requests and know how to notify the designated response team.

After a request is registered, it should be analysed to determine whether you have enough information to identify the data subject, if the scope of the request is particularly complex and needs clarifying, or if the request is excessive or unfounded.

Recommendations:

  • Include DSAR awareness and procedures in your regular training sessions.
  • Implement a ticketing system that anyone can use to report when they receive a request.

2. Acknowledge the request

If you determine that a request does not contain sufficient information to identify the data subject, or that it will only be processed for a fee (e.g. excessive request), you should inform the data subject without delay.

Otherwise, the clock starts ticking on the day you receive the request, and the usual deadline for responding is 30 days, although in some cases you may extend the response time by two months for particularly complex or multiple requests from the same person.

Recommendations:

  • Use known contact details to communicate with the data subject and check if they are using the same email, phone number or other credentials that you have already associated with them. 
  • Be reasonable and proportionate when verifying the identity of the data subject. If their identity is apparent, especially in cases involving an existing relationship with the company, additional information is unnecessary.
  • Ensure that you advise the data subject that the time limit for responding to the request starts to run from the moment they provide the requested information or pay the fee.
  • Implement a notification system to alert you when the deadline for a request is approaching.

3. Process the request

This is the time to put the existing procedures, workflows and systems to good work. Depending on the type of request, handling it may involve one or more of the following steps:

  • Determining where the requester's personal data is likely to be stored. This can include physical and electronic systems, archives, databases, files, documents and other assets inside and outside your organisation. If you're doing this manually, a visual map of your ROPA can help your DSAR response team locate the information.
  • Finding and extracting the data from the supporting assets.
  • Notifying and involving relevant internal and external data recipients (e.g. processors) whose assistance may be required to complete the request.

4. Respond to the DSAR

The manner in which you respond to a DSAR is as important as the response itself. Your written response should demonstrate that you have taken the request seriously and have made reasonable efforts to deal with it to the best of your ability.

Recommendations:

  • Organise the response in a logical and easy-to-follow manner, using headings and subheadings to break up the information and make it more digestible.
  • Avoid technical jargon or legal language that may be difficult for the data subject to understand.
  • If an exemption applies and prevents the organisation from fulfilling the request, offer a clear explanation to the individual. Explain the legal basis for the exemption and the reasons why the organisation is unable to provide the requested information. 
  • Provide contact information and invite the data subject to contact you if they have further questions or concerns.

5. Learn and improve

That’s it! You can go about your daily business! Or can you? Here are a few more pointers to consider:

  • Maintain records of all DSARs received and responded to, including details of the request, the response provided and any follow-up action taken. 
  • Investigate any problems you encounter to find out what happened and how to avoid them in the future.
  • Monitor your DSAR response procedures on a regular basis to identify trends or patterns in the requests you receive, bottlenecks, and areas that could be improved.


Final thoughts

Handling DSARs effectively is not just a legal requirement; it's an ethical responsibility that is worth taking seriously and an opportunity for organisations to showcase their commitment to data protection and transparency. It can demonstrate their accountability and enhance their reputation in the eyes of both data subjects and regulators.

With the right mindset, tools, and processes in place, organisations can navigate this complex landscape and build a culture of data protection that puts individuals' rights at the centre.
