What Is a Data Subject Access Request?

One of the most notable features of the General Data Protection Regulation (GDPR) is its creation of enforceable privacy rights for individuals. Chief among these rights is the Right to Access. This gives individuals the right to contact an organization to ask it to confirm whether it is processing personal data about them and, if so, provide them with access to that data. Such a request is called a Data Subject Access Request (DSAR), or sometimes just a Subject Access Request (SAR).

Before delving into how DSARs work, it will be helpful to go over some basic GDPR terminology:

• Personal Data - Personal data is any information that relates to an identified or identifiable individual. This individual is known as a data subject. Personal data includes a wide variety of information from email addresses to online search history.

• Processing - Processing means any operation performed on personal data. This includes collection, transfers, analytics, and even simple storage of data.

• Controller - The controller is the party that determines the means and purposes of the processing of personal data. They decide the who, how, and why of processing.

• Processor - A processor is any party that processes data solely on behalf of a controller. For example, if a controller stores its customer data with a cloud storage service, that storage service is a processor.

How to Respond to a DSAR

The first step in responding to a DSAR is to check whether your organization actually processes any personal data about the person making the request. If not, you must respond and tell them so. If you do process personal data about them, you’ll need to provide the requester with a copy of all the personal data you have. This includes personal data that is held by your processors.

Along with a copy of the personal data, you must provide the requester with the following information:

• The purposes of the processing
• The categories of personal data concerned
• The recipients or categories of recipient to whom the personal data have been or will be disclosed
• Recipients in third countries or international organizations
• Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
• The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
• The right to lodge a complaint with a supervisory authority
• Where the personal data are not collected from the data subject, any available information as to their source
• The existence of automated decision-making that produces legal or significant effects for the data subject, as well as meaningful information about the logic involved and the envisaged consequences of such processing for the data subject
• If personal data is transferred to a third country, the safeguards in place to keep it safe

In most cases, the above information will be the same for all requesters and need not be personalized.

Two more things to keep in mind when responding to a DSAR. First, the controller must verify the requester’s identity in order to protect their personal data. Most commonly this is done through an email confirmation, but if the personal data is particularly sensitive or the controller has reasonable doubts about the requestor’s identity, it may be appropriate to require further proof of identity. Second, the controller has one calendar month to respond to the request. This may be extended by two further months when necessary, but the controller must tell the requester of this extension within the first month and explain why it needs more time.

Controllers & Processors: Who Must Respond to a DSAR?

As a general rule, it is solely the controller’s responsibility to respond to a DSAR, while the processor has an obligation to assist the controller by providing any relevant data. If a data subject makes an access request directly to a processor, the processor at a minimum must inform the requester that they cannot respond to the DSAR and direct them to the controller. However there may be cases where, depending on the contractual arrangements between controller and processor, the processor is obligated to respond in other ways, including responding directly to the request.

Narrowing the Search

It is often the case that a requester’s personal data is scattered across numerous vendors and consists primarily of contact information that is likely of little interest to the requester. It is permissible to contact a requester and ask them if there is any particular personal data they are looking for. If the requester confirms that they are only seeking a specific set of personal data (e.g., a history of their purchases), the controller may narrow its search and provide only that information. It’s important to remember, however, that the requester has the right to access all of their personal data. If they don’t respond to the query or they indicate they would like a copy of everything, the controller must provide the full set of personal data.

Automated GDPR Request Workflows

GDPR compliance can’t be accomplished by simply posting a privacy notice and forgetting about it—it requires an ongoing effort to stay up-to-date and respond to privacy requests such as DSARs. For larger organizations, this means either hiring full-time privacy personnel or retaining a specialist law firm, but these options may not be practical or even possible for small and medium-sized businesses.

TrueVault Polaris gives SMBs the advantage of in-house expertise without the expense. Not only does Polaris guide you step-by-step through the process of becoming GDPR compliant, it includes important tools like automated workflows for DSARs to help your business stay compliant with minimal effort. Contact us today to learn more.