Unlocking the Secrets of Efficient DSAR Processing: A Guide for UK Companies

Since the implementation of the General Data Protection Regulation (GDPR) in May 2018, companies in the UK have had to adapt their data protection practices to comply with the new regulations. One area that has seen significant changes is the processing of Data Subject Access Requests (DSARs). In this article, we explore the changes to DSAR processing that have taken place since the implementation of the GDPR, and provide actionable tips for UK companies to streamline their DSAR processing and remain in compliance with the regulations.

What is a Data Subject Access Request?

A Data Subject Access Request is a written request from an individual, known as the data subject, to obtain information about any personal data that an organisation holds about them. This information must be provided by the organisation within one month of the request being received. Under the GDPR, data subjects have the right to know what data an organisation holds about them, the purpose for which it is being processed, and who it is being shared with.

Changes to DSAR processing under the GDPR

The GDPR has significantly impacted the processing of DSARs. The key changes include:

  • Tighter deadlines: Organisations now have one month to respond to DSARs, rather than the previous 40-day deadline.
  • No fee: Organisations are no longer allowed to charge a fee for processing DSARs, unless the request is manifestly unfounded or excessive.
  • Broader scope: The scope of personal data that is subject to a DSAR has been broadened, and now includes any information that can be used to identify a data subject, including online identifiers such as IP addresses and cookies.
  • Right to information: Organisations must provide additional information to data subjects, such as the purpose for which their data is being processed, the period for which it will be stored, and the recipients of the data.
  • Data portability: Data subjects have the right to request their personal data in a commonly used electronic format, and to have it transmitted to another organisation if they wish.

Key considerations for UK companies processing DSARs

To process DSARs effectively and efficiently, UK companies must consider the following:

  • Understanding the scope of the request: It is important to understand the scope of the request and to ensure that all relevant data is included in the response.
  • Verifying the identity of the data subject: Organisations must take steps to verify the identity of the data subject before responding to the request.
  • Redacting third-party personal data: Any personal data that belongs to third parties must be redacted before responding to the request.
  • Protecting sensitive data: Sensitive personal data, such as health information, must be handled with extra care and attention.
  • Responding within the deadline: Organisations must respond to DSARs within one month of receiving them, or request an extension if the request is complex or voluminous.

Tips for streamlining DSAR processing

To streamline DSAR processing and remain in compliance with the GDPR, UK companies can:

  • Implement automation tools: Use automation tools to track and monitor requests, set reminders for deadlines, and generate standard responses.
  • Provide regular training: Provide regular training for staff on how to process DSARs, verify the identity of the data subject, and handle complex requests.
  • Create a clear process: Create a clear process for handling DSARs, including verifying the identity of the data subject, assigning responsibility for processing the request, and ensuring that all relevant data is identified and redacted as necessary.
  • Centralise DSAR processing: Consider centralising DSAR processing to ensure that all requests are handled consistently and efficiently.
  • Prioritise DSARs: Prioritise DSARs based on their complexity and importance, and ensure that urgent requests are responded to promptly.
  • Keep accurate records: Keep accurate records of all DSARs received and responded to, including the date of the request, the date of the response, and the nature of the response. These records help demonstrate compliance with the GDPR and ensure that requests are handled consistently.

The benefits of efficient DSAR processing

Efficient DSAR processing can bring numerous benefits to UK companies, including:

  • Improved compliance: Efficient DSAR processing can help UK companies comply with the GDPR and avoid penalties for non-compliance.
  • Enhanced customer trust: Efficient DSAR processing can demonstrate to customers that their data is being handled carefully and responsibly, enhancing trust in the company.
  • Reduced costs: By streamlining DSAR processing, UK companies can reduce the time and resources required to handle requests, resulting in cost savings.
  • Improved data management: Efficient DSAR processing can help UK companies better manage their data and identify any areas where data protection practices can be improved.