What is a DSAR and what do I need to know?

A DSAR is a right that individuals have under the Data Protection Act 2018 to request a copy of the data that an organisation holds about them.  The individual can request to see a copy of such data, as well as ask:

  • Why the data is being processed;
  • What type of data it is;
  • The recipients of that data;
  • How long it is stored;
  • How the data has been collected; and
  • Evidence to show that the data is being appropriately safeguarded.

Under the legislation, organisations must provide the requested information without delay and within one month.  Where requests are complex or numerous, organisations are permitted to extend the deadline to 3 months; however, they must still respond within the month and explain why the extension is necessary.  Requests for extensions due to “there just being too much data to review” will not be looked upon favourably!!

Recent change

Following the ruling by the Court of Justice of the European Union, the timescale to respond to a data subject access request has now changed to reflect the day of receipt as ‘day one’, as opposed to the day after receipt.

Example – if an organisation receives a DSAR on 14 October, the one-month time limit will start from the same day.  Therefore the receiving organisation will have until 14 November to comply and respond.

If the following month is shorter and there is no corresponding calendar date, then the date for response is the last day of the following month.  Furthermore, if the corresponding date falls on a weekend or public holiday, then the organisation will have until the next working day to respond.

Example – if the DSAR is received on 31 August, the time limit starts to run on the same day.  As there is no equivalent date in September, this means the organisation has until 30 September to respond.  If 30 September falls on a weekend, then they will have until the next working day to respond.

The change made by the Court of Justice of the European Union now means that the exact number of days that an organisation will have to comply will vary, depending upon the day the request was received.  As such, great care needs to be taken when dealing with any such request.

Things to consider as an organisation

The changes to DSARs brought in by the General Data Protection Regulation in May last year mean that organisations have to provide a lot more information and respond more quickly.  So what can organisations do?  Pushing it to one side, with the thought of leaving it till one lands, is not the answer.  Such an approach can lead to a failure to respond, or a failure to respond adequately, resulting in the individual complaining and a regulatory enquiry.

As with anything, preparation is always the key.  So …

1. Put in place a process

The act of documenting how you would deal with a DSAR will force an organisation to think about the steps that need to be taken, by whom and how.  As part of this process, put together templates that can be used at various stages.  This will speed up the process, save effort and allow for effective delegation.

2. Cleanse, Cleanse, Cleanse

The more data you hold, the more of a nightmare it will be when you get a DSAR.  A common example of this, which is becoming increasingly frequent, is the receipt of an employee DSAR.  Such a request often arises in the context of an employee dispute, when an ex-employee goes on a fishing expedition, trying to find supporting evidence for their claim in the organisation’s data.  Such a request will often seek access to personal data within emails between third parties, namely other employees and managers.  In such circumstances, organisations will often be left with no option but to conduct keyword searches across the firm’s emails.  This will undoubtedly throw up thousands upon thousands of emails which will need to be sifted through, one by one, to work out if they contain personal data.

The easiest solution is therefore to cleanse the data you hold on a regular basis, and only hold what is absolutely necessary, for sensible periods of time.  Put in place data retention policies and adhere to them.

If you have any queries or concerns about data subject access requests or data protection generally, then please contact our corporate and commercial team on 01524 548494 or 01228 552600.
