What are DSARs?

A Data Subject Access Request (DSAR) is exactly what it says on the tin: a request by a data subject[1] to an organisation, requesting access to the information about them which is the organisation holds. A DSAR is not limited to just information about the individual but can also include information that is ‘parallel’ to that data, i.e., why you are collecting the data in the first place, or who you share that data with.

What is the purpose of DSARs?

DSARs give an individual[2] the ability to request confirmation that an organisation (known under these circumstances as a ‘data controller[3]’) is processing their personal data, what personal information the controller holds about them, what they are using the data for, who the data is shared with (if anyone), and where they got the data from (i.e., did you get it directly from them, or did you buy it from someone).

How do we identify a DSAR?

There is no definitive answer on how to identify a DSAR, but you and your staff must aware that they can be submitted verbally or in writing (including via instant messages, on social media, via email, or in the post). There is no specific wording Data Subjects need to use, and they can be sent to anyone in your organisation (even though you may have a direct contact in your Privacy Notice).

Do we need to respond to a DSAR?

In most cases, yes, however, there are some exceptions[4] which mean you can partly or wholly refuse to comply. If you cannot verify the identity of the individual, or if the request is deemed to be manifestly unfounded or excessive[5]; then it may be appropriate to refuse to respond.

If you refuse to comply, you must tell the individual:

  • Why you’ve refused to respond
  • About their right to complain to the ICO (or other supervisory authority)
  • About their ability to seek enforcement through the courts

How should we respond?

How you respond depends on the situation. It may be appropriate to respond electronically, in a commonly used format, but if the individual does not have access to email or a computer then it may be more appropriate to send it in the post. An individual may also ask you to provide a verbal response.

How long do we have to respond?

When an organisation receives a DSAR, they typically have one month[6] to respond to the request. If they do not respond within that timeframe, they face possible legal action.

According to the Information Commissioner’s Office (ICO):

“If you exercise any of your rights under data protection law, the organisation you’re dealing with must respond as quickly as possible. This must be no later than one calendar month, starting from the day they receive the request.”

However, you can extend this time by a further two months if the request is complex, you have received several requests from the data subject, or if you process large amounts of personal data. You can also ask a Data Subject to clarify the scope of their request if you are unsure as to what they are asking. At the point at which your clarification request is sent, the 30-day clock ‘pauses’ until a response is received.

What happens if you do not respond to a DSAR within the mandated timelines?

Legal action may be taken against you if you fail to respond to a DSAR within the mandated timelines. For example, the online estate agent Purplebricks was recently reported to the ICO for failing to respond to a DSAR within the designated time and then failing to respond within a revised timeframe set by the company, according to Contractors for Justice, who referred them to the Supervisory Authority. The outcome of this case is still outstanding, but whatever the conclusion, the referral will have caused Purplebricks to expend significant time and resources to manage the complaint.

Can the data subject request further information?

Following the organisation’s response to the individual, the latter may ask follow-up / clarification questions or submit another request. You may want to answer the questions quickly (if appropriate) but for further DSARs all of the same stipulations, conditions, etc, still apply.

A data subject may also, on the basis of the information received from the DSAR, get back in contact to request that you take action on their data in line with their rights set out above.

What else might the requester ask us to do with their data?

Data Subjects have a number of rights under the General Data Protection Regulation (GDPR). A DSAR itself is a reflection of the right of a data subject to know what data is held about them and have access to it (the ‘right to be informed’ and the ‘right of access’).

As a result of a DSAR, the requester may ask you to do a number of things, including:

  • Erase any data you hold about them (the ‘right to erasure’)
  • Correct any incomplete or erroneous data held (‘the right to rectification’)
  • Cease to collect any further data (‘the ‘right to object’
  • Amend the ways and means, by which any further data on them is collected, for example, by requesting that you only process data for certain purposes, or by restricting the use of automated processing or profiling (the ‘right to restrict processing’)
  • Request you to move it to another organisation, in a commonly used, machine readable format.

You should be aware that these rights are not always applicable, and they depend on several conditions[7].

What can Principle Defence do to help?

We offer several privacy related services to help organisations prepare for and manage a subject access request, including:

  1. Implementation of a Data Subject Access Request (DSAR) process so that your organisation has a plan for when you receive one.
  • Awareness and / or certification training. We can deliver awareness training for your staff so that they know how to identify a DSAR and what to do when they do. Additionally, we can provide specialist BCS training courses such as the BCS Foundation and Practitioner Certificates in Data Protection.
  • Virtual Data Protection Officer services. We will provide dedicated data protection services for your organisation, to manage your function and/or help you develop an in-house team. As part of this we will develop a privacy framework and strategy for your organisation that is aligned to your goals and objectives, conduct privacy audits, and provide advice and guidance on data protection management and implementation.
  • DSAR as a Service (DSARaaS). We can support organisations to quickly and efficiently respond to DSARs using an industry-leading platform. We can rapidly review, deduplicate, and redact thousands of documents (emails, instant messages, and documents) to help you prepare your response for the data subject. You’ll have full visibility of the progress of your request which will be held in a UK-based (or one of the 12 other countries), Software as a Service (SaaS) platform.

Find out more about our DSAR service on by visiting the designated webpage here.

[1] The identified or identifiable living individual to whom personal data relates (ICO).

[2] It is worth noting that an individual may give permission to someone to request this data on their behalf (i.e., lawyer) or a parent.

[3] A person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (ICO).

[4] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/#refuse

[5] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/right-of-access/when-can-we-refuse-to-comply-with-a-request/

[6] Can be extended by two months.

[7] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

1 comment on “Data Subject Access Requests: What are DSARs and why are they important for your business?

Leave a Reply