Under the EU’s General Data Protection Regulation (GDPR), organizations (data controllers) are obligated to respond to data subject access requests (DSARs) within 30 days. The right of access, for example, allows data subjects to learn what personal information a certain data controller has acquired about them.
According to the GDPR documentation, “a data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.” Keep in mind that GDPR rights are not absolute.
Organizations may refuse to abide by a DSAR if they have good reason to do so, although they must be able to defend their position. They are also permitted to charge a fair fee to cover the costs incurred responding to the DSAR.
What Data Can be Requested?
Any information relating to or capable of being used to identify a person in any way falls under the purview of the GDPR. A person’s medical history, employee records, and emails sent between certain individuals are a few examples.
What Supplementary Data Should be Provided?
In addition to sending a copy of the requester’s personal data, you must also provide them with the following information:
- The reason(s) why you are processing their data;
- The categories of personal data collected;
- With whom their personal data is shared;
- How long their personal data will be retained;
- Information about their rights;
- How you obtained their data – if you didn’t obtain the data directly from the subject;
- Information about any automated decision-making;
- The security measures in place to safeguard their data when it is transferred to a third party;
- The details of any relevant contacts, such as the data protection officer (DPO), or other individuals and bodies.
What Rights Can Individuals Exercise Under the GDPR?
The right to be informed
You must be open and transparent about the personal information you collect. Even if you didn’t obtain any personal information from the requester, you are still required to respond to requests.
The right of access
People have a right to know whether and how their personal information is being processed, as well as the categories of information gathered, the reason(s) why it is processed, who the information is shared with, how long it will be kept, and how it was obtained.
The right to rectification
Organizations must make sure that the personal data they store is accurate and up to date. People have the right to request that incomplete or erroneous personal data be corrected in a timely manner. To ensure that data modified in one system is automatically updated across all other systems, you will need tight integration across all systems and processes.
The right to erasure (right to be forgotten)
If it is unclear whether a person’s data needs to be erased, they can still ask for a temporary halt to its processing while the company resolves the problem. This must be done on a case-by-case basis, and the company must obtain consent from the data subject before implementing any processing restrictions.
The right to data portability
A person is entitled to request that a business transfer their personal data to another service provider in order to promote interoperability and encourage competition between service providers.
The right to object to data processing activities
Individuals may demand that a company stop using their data for marketing or other purposes unless the company can justify the processing activities. A company may refuse to respond to a DSAR if the request is excessive or unwarranted.
Rights in relation to automated decision-making and profiling
An individual has the right to object to the data being used for automated decision-making and profiling. In circumstances where their data is being used for automated decision-making and profiling, the company must provide “meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.”
Best Practices for Handling Data Subject Access Requests (DSARs)
Discover and classify your data
Knowing exactly what regulated data you have, where it is stored, where it comes from, with whom you exchange it, and why you are processing it, is crucial if you want to comply with the GDPR. Since data can be stored in a wide variety of repositories – both on-premise and cloud-based – it is a good idea to use data classification software to ensure that you are able to locate all data belonging to the subject before the 30-day deadline has passed.
Determine why you are collecting personal data
Make sure that you understand why you are storing personal data in the first place. You must be able to provide proof of each subject’s consent before retaining and processing their data. If you do not have a compelling reason to retain a subject’s data, the best thing to do is delete it.
Establish rules for handling different types of data
You can prevent regulatory violations by establishing security procedures that focus on the data itself. This requires asking questions pertaining to who has access to what personal data, how, when, why and from where. The answers to these questions will help you establish a robust set of access controls, as well as keep track of how personal data is being accessed and used.
Regularly update your security policies
Security policies serve to ensure that your business is taking all reasonable steps to store and process personal data in an appropriate manner. Any changes to your security policies should be documented separately.
Hire a data protection officer (DPO) if necessary
In some scenarios you may need to appoint a DPO. For example, public authorities, businesses that regularly monitor people on a large scale, and businesses that process particular categories of data, such as information about criminal convictions and offenses, must all appoint DPOs.
Provide an easy way for users to submit DSARs
To guarantee that requests are sent to the appropriate person or department, and contain the relevant information, it is good practice to provide an online DSAR form. This will help to prevent customers from sending their requests to the first email address they come across, in the wrong format.
Use secure methods of authentication
Make sure that each request is coming from a genuine person; however, don’t do this by asking for GDPR-protected data that you don’t already have, like passport numbers or other official documents. A better alternative is to ask the user to confirm the request by providing personal information you already have.
If you’d like to see how the Lepide Data Security Platform can help you respond to DSARs, schedule a demo with one of our engineers or start your free trial today.