How to fulfil a data subject access request
By law, people can ask you for a copy of any information that relates to them, as it is deemed to be their personal data, and they have a legal right to see it. If someone asks you for a copy of their personal data, by phone, in person, or in writing, they have made a ‘data subject access request’ (DSAR), and you need to respond. Here’s a 10-point DSAR fulfilment checklist to help you complete a data subject access request.
1: Assign a data protection lead
Large businesses generally have Compliance teams, while small businesses are expected to nominate a member of staff member to take the lead on data protection.
2: Check on the identity of the requestor
If you’re not certain about the identity of the requester – i.e., that they are who they say they are – you should verify the requester’s identity before responding to the DSAR. Verification can take the form of requesting ID, asking questions to which only the authentic requester would know the answers, or asking for reference numbers, dates and locations.
3: Check that the requester is authorised
If the DSAR is made by someone other than the person the data is about (such as a relative or solicitor), check that the requester has been authorised. You should ask for written authority to act on behalf of the person concerned, or a document showing power of attorney. Children older than 12 can make their own DSARs, so if a parent or carer makes a request, you should usually get permission from the child first.
4: Create a DSAR fulfilment calendar
Data holders have thirty days to gather requested data and provide it to the requester in the format of their choice. The thirty days starts from the time the requester’s identity and authority have been verified. If the DSAR is complex, or the requester has made a lot of requests, you can take an extra two months to respond. You must, however, let the requester know there will be a delay before the end of the initial fulfilment period.
5: Double check what is being requested
Requesters may ask for all the data you hold on them or they may ask for something
6: Search for the relevant information
Use search functions on all devices to locate all incidents of the data being requested. Devices can include smartphones, computers, archived files, emails, external hard-drives, tablets, memory sticks, voice recordings, social media posts and CCTV records.
7: Check what you need to redact
Before providing the requester with their information, check it carefully to ensure it only contains their information. If you discover a document or email that mentions people other than the person in question, you should redact (hide, black out or remove) any information that does not relate to the person making the DSAR. Disclosing information about other people is likely to result in a breach of their personal privacy.
We covered the challenges of document data privacy in a previous article. If you are new to document data privacy, check out how to avoid the hidden pitfalls associated with data redaction.
8: Think carefully about releasing data about other people
You should avoid disclosing information about other people in a DSAR. When the personal data you gather includes information that is linked to someone else, consider the impact that disclosure could have. For example, if all the details about the other person are already in the public domain there may not be a need for redaction; if the requester does not know particular information, there is a strong case for redacting other names and identifying information; and if the requester is likely to guess at the identity of others, you may need to consider whether it’s necessary to get the other people’s consent prior to release.
9: Choose a response format
If you received a DSAR by email or post, you should reply by email or post, unless the requester specified a preferred response format.
10: Keep a record of your reply
When you send the requester their personal data, include a copy of your privacy policy. The privacy policy should explain why you hold data, how you acquired it, how long you’re planning to keep it, who you share it with, and how people can request changes or data deletion. Keep dated records of the information you send as you may need to refer to it again, for example if the requester is not satisfied with your response or if they make another request. The ICO provides a downloadable privacy notice template on its website.
File search and data removal for assured in-house data privacy compliance
In the past two years, there has been a steep increase in DSARs, and fulfilment can be overwhelming, costly and potentially risky. Facit helps organisations worldwide to automate complex document data redaction in all document formats, including complex spreadsheets. Uniquely, Facit Data Redaction goes far beyond masking sensitive data with a black box: Facit completely removes problematic data in seconds so that there is 0% risk of a privacy breach.
