Data Subject Access Requests: 5 steps to help you to prepare

The right of access under the UK GDPR gives individuals the right to request copies of their personal data, as well as other supplementary information. Whether or not you receive Data Subject Access Requests (DSARs) regularly, it is important that you are prepared so that you can deal with requests quickly, efficiently and in compliance with your obligations.  We have set out below some suggested steps to implement within your organisation:

1. Systems and Processes

You should ensure you have appropriate systems in place for dealing with a DSAR, including:

a. maintaining adequate information management systems and procedures which enable you to easily locate and extract personal data;

b. developing a response procedure;

c. carrying out frequent tests of your response procedure; and

d. keeping a log of requests.

2. Request Handling Staff

You should nominate an individual or a team that is responsible for responding to DSARs.

3. Information Registers

In response to a DSAR, you are required to produce personal data that is held in a “filing system”, which means “any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis”.  This definition is very broad and places a high expectation on you to find and retrieve the requested information.  We would suggest that you map where all personal data is stored and create an information register, so that you know where to search if you receive a DSAR.

4. Retention and Deletion Policies

Under UK GDPR, you must comply with the principles of data minimisation (limiting the personal data you store to what is necessary) and storage limitation (keeping personal data for no longer than is necessary for the purposes of which it is processed).  To ensure compliance with these principles, we recommend that you prepare a retention policy which sets out (with rationale) the periods of time you will hold personal data for before it is deleted.

Deleting personal data in accordance with your data retention policy will make your life easier when responding to DSARs as it will potentially reduce the amount of information you need to review. However, should be aware that it is an offence to amend or delete personal data relating to a data subject after that data subject has made a DSAR.

5. Training

DSARs can be made to any part of your organisation and can take any form (including verbally, by email or social media).  The request does not need to include the phrases “access request” or “right of access”; it just needs to be clear that the individual is asking for their personal data.  You should therefore ensure that your staff are trained to identify a DSAR. They should also receive training on your DSAR response procedures and know who to report them to.

If you would like us to assist with helping you prepare for DSARs or for any other data protection queries, please do not hesitate to contact our data protection team on 0330 175 7613 or email enquiries@ibblaw.co.uk. Alternatively, contact us via the enquiry form at the top of our Corporate and Commercial page.