So, you’ve received and then – maybe, more formally – recognised a Data Subject Access Request (DSAR).
DSAR Forms & Identity Checking
As the Data Protection Officer (DPO) of your organisation, you should verify the identity of the requester to ensure you are dealing with the correct person and therefore lessen the risk of a potential security breach.
If it’s a part of your own corporate DSAR procedure, the requestor may be asked to complete a Data Subject Access Request Form to better enable your company to locate the relevant information. As part of that form or as a parallel activity, the DPO will need to check the identity of anyone making a DSAR to ensure information is only given to the person who is entitled to it.
Irrespective of the source of the request, it is good practice to communicate with the requester and seek reasonable clarification around the focus and scope of the request where it is required. The Data Subject Access Request Form will also – once returned to you – provide your company with sufficient information to validate the requester’s identity (to ensure that the person requesting the information is the data subject or his/her authorized person).
If the identity of a DSAR requestor has not already been provided, the person receiving the request will ask the requestor to provide two forms of identification; one may be a photo identity and the other is likely to be a confirmation of address. Ahead of the requester’s identity being verified, the DPO or other designated person should decide on whether the request is valid or not and provide acknowledgment of this to the requester. We use ‘signed for’ postage via the Royal Mail to maintain an audit trail of all outbound communication associated with DSAR requests.
As a UK business, we also log ALL DSARs, capturing rec’d date, inbound delivery method, the initial acknowledgement date, the subsequent acknowledgement date & send method (including the date of the identity request), fees rec’d (yes or no), additional reason codes (if applicable) as well as DSAR expiry date and subsequent ‘complied with’ date; once again, if used / applicable.
The result is an accurate record of what has been done with, to and for every DSAR submitted.
Failed Identity Checks or, No Response from the Requester
If your organisation is not satisfied as to the identity of the requester or no response has been provided to the request for proof of identity, then the request will not be complied with, so as to avoid the potential for an inadvertent data breach. Also, should the requester not respond to the identity check, our own corporate Data Subject Access Request Procedure outlines the procedural step that the DSAR will be closed after 10 working days.
As a recap … A DSAR is any request made by an individual or an individual’s legal representative for information held by the Company about that individual. A DSAR must be made in writing; in general, verbal requests for information held about an individual are not valid DSARs. In the event a formal Data Subject Access Request is made verbally to a staff member of the Company, further guidance should be sought from the DPO, who will consider and approve all Data Subject Access Request applications.
Data Retention Considerations
Verifying the identity of the requester is a further collection and processing of the requesting data subject’s data. As such, the requester should be informed of the applicable retention period for this data, with the retention period referenced in any communication or correspondence with the requester.
Receipt of a Data Subject Access Request
A DSAR can be made via any of the following methods: email, fax, post, corporate website or any other method. DSARs made online must be treated like any other Data Subject Access Requests when they are received, though the Company will not provide personal information via social media channels obviously. For an ex-employee, the request may come in through the HR department, a line manager or arrive as a hand-delivered note through the front office reception area. Handwritten or hand-delivered requests present an extra challenge in that you don’t have an electronic trail or check on the source of the request, making the need to check the identity via alternate means even more important.
For the other categories of requesters, the request would usually come in directly to the designated Data Protection Officer (DPO). There is also the possibility of requesters sending in requests through a live chat portal if this is a resource offered on your website; however, this is not something that we currently offer.
One Calendar Month to Respond
The DPO should also be clear and transparent on the timelines involved in responding to the request and make clear when the 30-day response clock starts ticking. If the organization considers that the period to respond commences when it receives the identification and any additional information sought, this should be made clear to the requester. The time between receipt of the initiating request and the receipt of identification and any further information requested may be several days, so this communication is important to correctly set expectations.
If in doubt, seek advice from the ICO: email@example.com
Maintaining your Data Subject Access Request Procedure
Lifting an extract from our own Data Subject Access Request Procedure, ‘Where the Data Protection Officer is reasonably satisfied with the information presented by the person who received the request, the Data Protection Officer will notify the requestor that his/her DSAR will be responded to within 30 calendar days. The 30-day period begins from the date that the required documents are received. The requestor will be informed by the Data Protection Officer in writing if there will be any deviation from the 30-day timeframe due to other intervening events.’
Replaying the comments made by Elizabeth Denham at the Data Protection Practitioners’ Conference on 9th April 2018; ‘… 25 May is not the end. It is the beginning. This is a long-haul journey. But it’s not a holiday. There’s a lot of work to be done along the way…’, it therefore goes without saying that all GDPR-related plans, policies, processes and procedures remain under constant review.
Welcome your thoughts & comments.
Are your DSAR experiences any different from ours?