The EU GDPR (General Data Protection Regulation) grants individuals (data subjects) the right to access their personal data held by data controllers, so that they can understand how it is processed and make sure it is processed lawfully.
DSARs are the result of the GDPR’s right of access – one of eight data subject rights included in the Regulation.
When an individual submits a request, organisations must provide a copy of any relevant information about them.
A request might refer only to specific personal details, or only to specific purposes for which the organisation processes that information, in which case you need to provide only the relevant information.
Organisations are obliged to fulfil the DSAR “without undue delay”, and within one month of receipt.
Assuming that the Data Protection Officer (or similar) is responsible for coordinating the response and collating the data supplied from one or more sources in the business, it is a fair and reasonable assumption that a minimum of two people would be involved in a DSAR response.
Staff would spend at least one hour dealing with the request. That would result in a DSAR "earning" the Data Controller a maximum of £12.50 per hour, hardly enough to cover the costs associated with responding.
When requests are vexatious, the requestor would likely not pay a fee if asked. However, they may continue to make DSARs, write letters, send emails or call to waste the firm's time and money. This approach is often taken by disgruntled customers, who have, in their mind, had their own time and money wasted by the firm.
Even though the GDPR gives a Data Controller the right to levy a fee in such circumstances, charging a fee is unlikely to bring an effective resolution to the harassing and pestering activities of someone determined to cause disruption.
Have processes in place to ensure that you respond to a subject access request without undue delay and within one month of receipt.
Understand how to perform a reasonable search for the information.
Understand what you need to consider if a third party makes a request on behalf of an individual.
Be aware of the circumstances in which you can extend the time limit to respond to a request.
Understand how to assess whether a child is mature enough to understand their rights.
Understand that there is a particular emphasis on using clear and plain language if you disclose information to a child.
Data Subject Access Requests (DSARs) give individuals the opportunity to request access to all the information an organisation holds on them, which must be provided within 30 days of receipt of the request. People have become increasingly ‘data aware’ amidst concerns over who is using our personal data, and why. It is perhaps unsurprising that the number of DSARs is on the rise: the Information Commissioner’s Office (ICO) reports that data protection complaints from the British public have gone up to 41,000 since May 2018, compared with 21,000 for the preceding year, and over a third (38%) relate to DSARs.
This raises the stakes significantly for data privacy compliance, with organisations facing additional responsibilities and costs. DSARs are time-consuming to manage, and despite the impact of COVID-19 the 30-day legislated timeframe remains unchanged.