Handley Gill Limited

Dominate that DSAR

While some data subject access requests (DSARs) will be made by the curious, the vast majority are submitted by individuals who have a grievance either with your organisation’s data protection compliance practices specifically, or with the organisation more generally. Whether from a dissatisfied customer, an unsuccessful job applicant or a disgruntled employee, a data subject access request can be a powerful weapon wielded against a data controller and, if nothing else, is likely to be an irritation at best and a costly and resource-intensive exercise at worst, with the prospect of regulatory action or a legal claim if not handled correctly. The GDPR and Data Protection Act 2018 phased out the £10 fee to submit DSARs and resulted in an exponential increase in requests. In this post, we set out our five top tips for dominating that DSAR.

Top Tip 1: Identify the DSAR

A DSAR can be made in any form. It can be made verbally or in writing. It can be directed to your Data Protection Officer, or submitted to your company’s Twitter account. The requester doesn’t have to say that the request is a DSAR or refer to the relevant data protection legislation. A request can even be made by someone else on behalf of the data subject. This could be a parent on behalf of a child, a solicitor on behalf of a client, or a third party data subject access request submission portal.

This means that all staff, and particularly those who are customer facing or in human resources and social media teams, need to be able to identify a potential DSAR. Not every request for personal data needs to be treated as a DSAR. If you telephone your bank, for example, and request confirmation of your account balance or make a routine request of your employer for a copy of your payslip, these can be treated as routine business requests for information and provided in the normal course of business, but if it is proposed to refuse a request for personal data or the request is more substantive, it should be treated as a DSAR.

Top Tip 2: Start (or stop) the clock

Article 12(3) UK GDPR / GDPR requires that a substantive response to a DSAR must be provided “without undue delay and in any event within one month of receipt of the request”. The one-month deadline is therefore intended to be a backstop and not the target deadline, although in practice many organisations will require the entire period in which to respond. It doesn’t matter if a request is submitted outside of working hours, or on a weekend or public holiday. The Information Commissioner’s guidance on the right of access states that the clock starts on the day the request is received and ends on the corresponding day of the following month or, if that is a weekend or public holiday, the next working day. If you received a request on Saturday 01 January 2022, for example, the response would be due by no later than Tuesday 01 February 2022, whereas a request made on Tuesday 03 May 2022 would have been due by no later than Monday 06 June 2022. It is good practice to log requests, the date of receipt and the due date, whether manually or using specialist compliance software.

Where a DSAR is particularly complex (this requires something more than merely a large volume of information being within scope) or contains multiple requests, you can extend the period for responding by up to a further two months, but are still obliged to respond as soon as possible within that period. There is no legislative basis to extend the period for responding based on the overall volume of requests being dealt with by an organisation, although in practice many organisations do so.

You may be able to stop the clock, however. Where you are unable to verify the identity of the requester and their entitlement to the personal data of the data subject, you can stop the clock while you verify their identity. If it is reasonably necessary to clarify what personal data is being sought by the request, you can also stop the clock while you engage with the requester. You cannot require a requester to narrow the scope of their request and must respond even if their request is simply for “all information you hold about me”.
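The deadline rule described under this tip (corresponding day of the following month, rolled forward past weekends and public holidays, with an optional extension of up to two further months and a restart where the clock is stopped) is easy to get wrong by hand, which is why the post recommends logging the due date. The following Python is an added example written for this post, not a tool of Handley Gill’s. It assumes a constructed, partial list of England and Wales bank holidays for 2022 (including the Platinum Jubilee holidays that move the 03 May 2022 example to 06 June), treats a stopped clock as restarting from the date identity is confirmed or the request clarified, and, where the corresponding day does not exist (31 January plus one month), falls back to the last day of the target month; the last two points are assumptions the post itself does not address.

```python
import calendar
from datetime import date, timedelta

# Constructed, partial list of England & Wales bank holidays for 2022, used only
# to reproduce the post's worked dates. A real register needs the full, current list.
BANK_HOLIDAYS_2022 = {
    date(2022, 1, 3), date(2022, 4, 15), date(2022, 4, 18), date(2022, 5, 2),
    date(2022, 6, 2), date(2022, 6, 3),  # Platinum Jubilee
    date(2022, 8, 29), date(2022, 12, 26), date(2022, 12, 27),
}


def add_months(d, months):
    """Corresponding calendar day `months` later. If that day does not exist
    (31 January + 1 month), the last day of the target month is used; this
    fallback is an assumption of the example."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def next_working_day(d, holidays):
    """Roll forward while the date is a Saturday, Sunday or listed holiday."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def dsar_due_date(received, holidays=BANK_HOLIDAYS_2022,
                  clock_restart=None, extension_months=0):
    """Statutory due date for a DSAR received on `received`.

    clock_restart: date identity was verified / scope clarified, if the clock
                   was stopped (assumed here to restart the month from that day).
    extension_months: 0, 1 or 2 further months for a complex request."""
    if not 0 <= extension_months <= 2:
        raise ValueError("extension is limited to two further months")
    start = received if clock_restart is None else max(received, clock_restart)
    return next_working_day(add_months(start, 1 + extension_months), holidays)


def log_request(reference, received, **kwargs):
    """Minimal register entry: what a request log should capture at intake."""
    return {"reference": reference, "received": received.isoformat(),
            "due": dsar_due_date(received, **kwargs).isoformat()}


if __name__ == "__main__":
    for d in (date(2022, 1, 1), date(2022, 5, 3), date(2022, 1, 31)):
        print(log_request("DSAR-" + d.isoformat(), d))
```

The two dates from the post come out as Tuesday 01 February 2022 and Monday 06 June 2022; the second only rolls correctly because 03 June 2022 is in the holiday set, so keeping that list current matters as much as the arithmetic.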

Top Tip 3: Plan your attack

Once you have identified and logged the request, confirmed the identity of the requester and understood what is being sought, you must plan how you will identify and gather relevant personal data.

You will need to consider which individuals or departments are likely to hold personal data relevant to the request and how you want them to go about identifying it. The requester is entitled to data held by or on behalf of the data controller. This includes personal data held by data processors on behalf of the controller and personal data stored on personal devices where this is held in the context of a bring your own device (BYOD) policy or as a consequence of COVID-related home working. While this may be easy in relation to customer records, where the requester is an employee it will be a more difficult task. A requester is entitled to their personal data, but that does not mean that they are entitled to a copy of every email they sent or received merely by virtue of their email address or signature being included. It may be advisable to conduct test searches to ascertain how much information is responsive to a search for the requester’s name and to dip-sample the results. If the volume of results is prohibitive, then this will support the justification for deploying keywords in conjunction with the individual’s name, for example. Establishing the appropriate keywords will depend on the identity of the requester and the nature of your organisation’s relationship with them. You may also be able to limit the time period over which searches are conducted. You should maintain a record of your approach in the event of challenge so you can demonstrate that your searches were reasonable and proportionate. Where searches are conducted by individuals outside the data protection team, you may also wish to emphasise that it is a criminal offence to destroy or hide personal data which is obliged to be disclosed in response to a DSAR.
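The search-scoping approach above (a name-only test search, a dip sample of the hits, then the name combined with keywords and a date window, with the parameters recorded for later challenge) can be illustrated on a small mailbox export. The Python below is an added example for this post, not Handley Gill’s tooling or any e-discovery product’s API; the six messages, the requester “Jane Doe”, the custodian labels and the keyword list are all constructed for the illustration.

```python
import random
from datetime import date

# Constructed sample mailbox export for an employee requester; not real data.
REQUESTER_IDS = ["Jane Doe", "jane.doe@example.com"]
MAILBOX = [
    {"id": 1, "custodian": "mgr", "date": date(2021, 3, 2), "from": "jane.doe@example.com",
     "to": ["team@example.com"], "subject": "Team lunch",
     "body": "Friday works for me. Thanks, Jane Doe, Marketing"},          # signature only
    {"id": 2, "custodian": "hr", "date": date(2021, 6, 15), "from": "hr@example.com",
     "to": ["mgr@example.com"], "subject": "Grievance - Jane Doe",
     "body": "Jane Doe has raised a formal grievance about shift allocation."},
    {"id": 3, "custodian": "mgr", "date": date(2021, 9, 1), "from": "mgr@example.com",
     "to": ["hr@example.com"], "subject": "Appraisal outcome",
     "body": "Jane Doe's appraisal rating is 'meets expectations'."},
    {"id": 4, "custodian": "hr", "date": date(2020, 11, 20), "from": "hr@example.com",
     "to": ["mgr@example.com"], "subject": "Disciplinary meeting",
     "body": "Please invite Jane Doe to a disciplinary meeting on 25 November."},
    {"id": 5, "custodian": "mgr", "date": date(2021, 7, 10), "from": "news@example.com",
     "to": ["jane.doe@example.com", "all@example.com"], "subject": "Newsletter",
     "body": "Company picnic photos are now on the intranet."},           # address only
    {"id": 6, "custodian": "mgr", "date": date(2021, 8, 5), "from": "mgr@example.com",
     "to": ["hr@example.com"], "subject": "Budget", "body": "Q3 figures attached."},
]


def searchable_text(item):
    return " ".join([item["subject"], item["body"], item["from"], *item["to"]]).lower()


def run_search(items, identifiers, keywords=None, since=None, until=None, custodians=None):
    """Return (hits, record). An item hits when any identifier appears and, if
    keywords are given, at least one keyword also appears, inside the date
    window and custodian set. `record` is the audit trail of the approach."""
    hits = []
    for item in items:
        if custodians and item["custodian"] not in custodians:
            continue
        if since and item["date"] < since or until and item["date"] > until:
            continue
        text = searchable_text(item)
        if not any(i.lower() in text for i in identifiers):
            continue
        if keywords and not any(k.lower() in text for k in keywords):
            continue
        hits.append(item)
    record = {
        "identifiers": list(identifiers), "keywords": list(keywords or []),
        "since": since.isoformat() if since else None,
        "until": until.isoformat() if until else None,
        "custodians": sorted(custodians) if custodians else "all",
        "items_searched": len(items), "hit_ids": [i["id"] for i in hits],
    }
    return hits, record


def dip_sample(hits, n, seed=0):
    """Reproducible sample of hits for manual review; the seed is recorded so
    the same sample can be reproduced if the approach is challenged."""
    chosen = random.Random(seed).sample(hits, min(n, len(hits)))
    return sorted(chosen, key=lambda i: i["id"])


if __name__ == "__main__":
    # Step 1: name-only test search, then dip-sample to judge relevance.
    broad, broad_record = run_search(MAILBOX, REQUESTER_IDS)
    print(broad_record, [i["subject"] for i in dip_sample(broad, 2)])
    # Step 2: name AND a keyword, limited to the 2021 review period.
    narrow, narrow_record = run_search(
        MAILBOX, REQUESTER_IDS, keywords=["grievance", "appraisal", "disciplinary"],
        since=date(2021, 1, 1), until=date(2021, 12, 31))
    print(narrow_record)
```

On this sample the name-only search returns five of six messages, two of them only because of a signature or a cc address; the keyword-and-date search returns the two substantive ones. Both `record` dictionaries are what you would keep on file to show the search was reasonable and proportionate.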

Top Tip 4: Secure, sift & safeguard

Once you’ve determined where and how to search for relevant personal data, you need to secure and collate the information that is responsive to the searches and store it safely pending review. You then need to review the responsive information and sift it to identify the personal data relevant to the response. Where the responsive information is limited, this may be capable of being conducted by one person, but where the responsive information is more substantial this may require multiple data reviewers or the use of specialist ediscovery software.

It is also at this stage that personal data which falls within the scope of the request but is exempt from disclosure is identified. This includes personal data which relates to individuals other than the requester, where that individual does not consent to its disclosure or where it is not reasonable to disclose it to the requester. Schedule 2 of the Data Protection Act 2018 also establishes various exemptions from the obligation to disclose personal data, for example where the personal data is information which is protected by legal professional privilege or where the personal data comprises a reference provided (but not received) by the data controller in relation to the data subject. Where a request is manifestly unfounded or excessive, for example in the case of repeat requests for the same information over the same timeframe, a data controller can either refuse the request or charge a fee for complying.

Top Tip 5: Prepare for Publication

Once the personal data that the data subject is entitled to receive has been identified, it is necessary to prepare the response to the request and the personal data to be disclosed. The requester is entitled to a copy of their personal data. It is for the data controller to determine how the copy of the data is disclosed, and whether this is in the format of redacted documents or a compilation of extracted data, for example. There is no obligation to identify the legal basis on which specific redactions have been applied, although some organisations do provide this information. Where redactions are applied to documents, these must be effected securely. It is not sufficient simply to highlight text in black in Microsoft Word and to convert the document to a PDF, for example. The use of specialist software and the removal of metadata to ensure that redactions cannot be reversed, or the use of redaction tape to perform manual redaction, are common approaches. Visually, applying electronic redactions in white rather than black tends to be less conspicuous.
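The point that a black highlight is not a redaction, and that metadata and comments also need clearing, can be checked mechanically before anything is disclosed. The Python below is an added example for this post, not Handley Gill’s process or any redaction product. It builds a constructed, minimal Word-style package (a zip of XML parts, far simpler than a real .docx) in which the name “Sam Patel” is highlighted black in one paragraph, split across two runs in another, and repeated in a comment and the core metadata; `find_leaks` scans every part, including tag-stripped text so split runs are caught, and `redact_package` replaces the text itself rather than covering it and blanks the metadata part. The `<w:p>` regex and the empty-metadata replacement are assumptions that fit this toy package only; a real document has attributed tags, content-type and relationship parts that also need handling.

```python
import io
import re
import zipfile

# Constructed sample package, not a file produced by Word. "Sam Patel" is the
# third-party name that must be withheld from the disclosure.
SECRET = "Sam Patel"
SAMPLE_PARTS = {
    "word/document.xml": (
        '<w:document><w:body>'
        '<w:p><w:r><w:t>Grievance meeting notes</w:t></w:r></w:p>'
        # "redacted" only with a black highlight: the text is still present
        '<w:p><w:r><w:rPr><w:highlight w:val="black"/></w:rPr>'
        '<w:t>Complaint raised by Sam Patel on 3 May.</w:t></w:r></w:p>'
        # the name split across two runs, which a naive string search misses
        '<w:p><w:r><w:t>Witness: Sam</w:t></w:r><w:r><w:t> Patel (Marketing)</w:t></w:r></w:p>'
        '<w:p><w:r><w:t>Outcome: no further action.</w:t></w:r></w:p>'
        '</w:body></w:document>'
    ),
    "word/comments.xml": (
        '<w:comments><w:comment w:id="0"><w:p><w:r><w:t>Check dates with Sam Patel'
        '</w:t></w:r></w:p></w:comment></w:comments>'
    ),
    "docProps/core.xml": (
        '<cp:coreProperties><dc:creator>HR Team</dc:creator>'
        '<dc:description>Notes re Sam Patel</dc:description></cp:coreProperties>'
    ),
}
METADATA_PARTS = {"docProps/core.xml", "docProps/app.xml"}
TAG = re.compile(r"<[^>]+>")
PARAGRAPH = re.compile(r"<w:p>.*?</w:p>", re.S)  # toy package only: no tag attributes


def build_package(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


def read_parts(package):
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return {name: zf.read(name).decode("utf-8") for name in zf.namelist()}


def visible_text(xml):
    """Text a reader would see: tags removed, runs joined, whitespace collapsed."""
    return re.sub(r"\s+", " ", TAG.sub("", xml)).strip()


def find_leaks(package, secrets):
    """Map of part name -> secrets still present in that part (raw or visible)."""
    leaks = {}
    for name, xml in read_parts(package).items():
        raw, seen = xml.lower(), visible_text(xml).lower()
        found = sorted(s for s in secrets if s.lower() in raw or s.lower() in seen)
        if found:
            leaks[name] = found
    return leaks


def redact_package(package, secrets, marker="[REDACTED]"):
    """True redaction: rewrite any paragraph whose visible text contains a secret
    as plain text with the secret replaced (formatting is dropped for that
    paragraph), and replace metadata parts with an empty element."""
    def redact_paragraph(m):
        text = visible_text(m.group(0))
        if not any(s.lower() in text.lower() for s in secrets):
            return m.group(0)
        for s in secrets:
            text = re.sub(re.escape(s), marker, text, flags=re.IGNORECASE)
        return f"<w:p><w:r><w:t>{text}</w:t></w:r></w:p>"

    out = {}
    for name, xml in read_parts(package).items():
        out[name] = "<cp:coreProperties/>" if name in METADATA_PARTS else PARAGRAPH.sub(redact_paragraph, xml)
    return build_package(out)


if __name__ == "__main__":
    original = build_package(SAMPLE_PARTS)
    print("before:", find_leaks(original, [SECRET]))
    cleaned = redact_package(original, [SECRET])
    print("after:", find_leaks(cleaned, [SECRET]))
    print(visible_text(read_parts(cleaned)["word/document.xml"]))
```

Run `find_leaks` on the file you are about to send, not on the one you edited, and run it against the PDF text as well if you convert; the highlight-only paragraph reports a leak in the original package even though it looks blacked out, which is exactly the failure the post warns about.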

The requester is entitled not only to a copy of their personal data but also to various information about the controller’s processing of it, including the purpose of processing, details of recipients or categories of recipients, the source of the personal data, the intended retention period and so on.

Finally, the method by which the response is provided to the requester must be secure.

Handley Gill’s consultants provide advice to both data subjects and data controllers on the exercise of the right of access to personal data, and can prepare requests and advise on their handling, including whether a request is valid, and what constitutes a reasonable and proportionate search. We also conduct reviews of responsive personal data, identify exempt information, and prepare letters of response to data subject access requests together with personal data for disclosure. Should you require assistance, don’t hesitate to contact us.