Unlocking the Secret to Processing Data Access Requests: A Step-by-Step Guide
This article provides a detailed guide to the steps that organisations must follow when processing Data Subject Access Requests (DSARs) in compliance with the General Data Protection Regulation (GDPR). It outlines six essential steps: acknowledging the request, verifying the identity of the data subject, locating the relevant data, reviewing and redacting the data, responding to the request, and maintaining accurate records.
It also provides actionable tips for streamlining DSAR handling, such as automating the process, providing regular training for staff, and creating a clear process for handling DSARs.
Note: Job titles may vary depending on the size and structure of the organisation.
Step 1 - Acknowledge the request
Responsible (Job Title) : Data Protection Officer (DPO)
Accountable (Job Title) : Data Protection Officer (DPO)
Support (Job Title) : Support Staff
Consulted (Job Title) : N/A
Informed (Job Title) : Data subject
Description : Acknowledge receipt of the request within one month, including the date of the request, a description of the information sought, and any information necessary to verify the identity of the data subject.
Step 2 - Verify the identity of the data subject
Responsible (Job Title) : Staff Member, Data Protection Officer (DPO)
Accountable (Job Title) : Data Protection Officer (DPO)
Support (Job Title) : N/A
Consulted (Job Title) : N/A
Informed (Job Title) : Data subject
Description : Verify the identity of the data subject before responding to the request, requesting additional information from the data subject if necessary, and ensuring that any third-party personal data is redacted before responding to the request.
Step 3 - Locate the relevant data
Responsible (Job Title) : Staff Member
Accountable (Job Title) : Data Protection Officer (DPO)
Support (Job Title) : Support Staff
Consulted (Job Title) : N/A
Informed (Job Title) : Data subject
Description : Locate the relevant data that is being processed about the data subject, searching through various systems and databases to identify the data and ensuring that all relevant data is identified and provided to the data subject.
Step 4 - Review and redact the data
Responsible (Job Title) : Legal Counsel, Data Protection Officer (DPO)
Accountable (Job Title) : Data Protection Officer (DPO)
Support (Job Title) : N/A
Consulted (Job Title) : Legal Counsel
Informed (Job Title) : Data subject
Description : Review the data and redact any third-party personal data or sensitive personal data before responding to the request, seeking legal advice where necessary to ensure that the data is redacted correctly.
Step 5 - Respond to the request
Responsible (Job Title) : Staff Member, Data Protection Officer (DPO), Legal Counsel
Accountable (Job Title) : Data Protection Officer (DPO)
Support (Job Title) : Support Staff
Consulted (Job Title) : Legal Counsel
Informed (Job Title) : Data subject
Description : Respond to the request within one month of receipt, providing the data subject with a copy of their personal data in a commonly used electronic format. If the request is complex or voluminous, request an extension of up to two months and inform the data subject of the extension within one month of receiving the request.
Step 6 - Maintain accurate records