A Data Subject Access Request (or a 'DSAR') is a way for our customers to gain access to all of the information we hold about them. This information may also be referred to as data.
When you make a DSAR we will share this data with you. You can also ask us how we use this data, who it is shared with, and where it came from.
How do I make a DSAR?
You can make a DSAR via email, providing your full name and any other relevant details that identify you. You will get an initial response within one calendar month. If your request is complex, it may take us longer than this to provide the personal data you have requested; in that case we may take up to two further months to fulfil your request. If we require this extra time, we will let you know within the first month.
Before we can send you a copy of the personal data we hold about you, we need to confirm your identity; we will contact you once we receive your DSAR in order to do this.
After a data subject files a DSAR with a data controller, the controller has a maximum of one month to fulfil it. If the controller needs more time, it must tell the data subject within that one-month period and explain why. The period may be extended by a further two months, but only where the request is complex or the data subject has made a number of requests. The following are not grounds for an extension (although some of them change what you must do):
If the request is manifestly unfounded or excessive (you may refuse it or charge a fee, but you must still respond within one month)
An exemption applies (you may withhold the exempt data, but you must still respond to the rest of the request within one month)
The organisation requests proof of identity before considering the request (the one-month clock does not start until you have what you need to verify identity, so no extension is needed)
The organisation lacks the resources to fulfil DSARs
Misplacing, losing, or forgetting about a DSAR
It’s helpful to understand why the right of access is part of the GDPR and other data privacy legislation, as this can help you explain to business leaders why they need to take DSARs seriously.
The GDPR and the Data Protection Act 2018 (the UK’s implementation of the GDPR) update our data protection legislation for a digital age. It’s very difficult to live in a digital age without sharing your personal information and leaving a data trail wherever you go, both on and offline.
With so much PII (Personally Identifiable Information) in other people’s hands, it’s only right that individuals have a way to see what information organisations, businesses and governments hold on them, and to get reassurance that it’s being protected appropriately.
There are no formal requirements on how an individual makes a DSAR. They can ask you verbally or in writing. Even if you have developed a DSAR process for individuals, they don’t have to follow it. Therefore, you could receive a DSAR via social media, email, messaging app, phone call or by letter. It doesn’t have to be sent to a specific person within the organisation either, such as your DPO. So, an individual could in theory make this request to a member of staff in a store, or your IT support team could receive a DSAR via a chatbot or as a support ticket.
Many companies include a form on their website for an individual to complete to submit a DSAR. This can make it easier for you to recognise a DSAR and for the individual to provide the information you need to locate their PII. Recital 59 of the GDPR recommends that controllers ‘provide means for requests to be made electronically, especially where personal data are processed by electronic means’. Bear in mind that you cannot make the form mandatory: a request that arrives by any other channel is still a valid DSAR and starts the same clock.
Fees and Data Subject Access Requests
In normal circumstances you cannot charge a fee for complying with a DSAR. However, in either of these two circumstances a ‘reasonable’ fee to cover administrative costs can be charged:
The DSAR is manifestly unfounded or excessive; or
An individual requests further copies of their data following a request.
In these situations the one-month clock starts when you receive payment, although you must still respond promptly to the initial request to tell the individual that a fee is payable.
For many organisations a DSAR is more of a threat to business than the ICO’s much publicised fines for non-compliance.
The cost of responding within one month to a DSAR can run into the tens of thousands of pounds if you’re not prepared. Data discovery, especially if you need the support of a consultancy firm, is expensive and time consuming, taking your IT team away from projects and support roles in the race to comply within the one-month timeframe.