Data Privacy Regulations

GDPR Subject Access Request in 5 Steps

What is a GDPR Subject Access Request?

GDPR Data Subject Access Request (DSAR) is part of the General Data Protection Regulation (GDPR), the data protection regulation  adopted by the European Union. A DSAR is a request from a subject for their personal data. It includes all data processed by a data controller along with an explanation of how data is being used.

DSARs are formal requests beyond simple complaints or general queries. For example, a subject asking why they are receiving certain marketing materials is not a DSAR. Instead, DSARs are requests for all of the data you hold for a subject.

GDPR requests can be sent to any department in an organization and do not need to come from a specific source. For example, subjects can make requests through social media, email, or in person. Addressing requests to the “wrong” person is not a valid reason for dismissal.

In this article, you will learn:

5 Step Process for Handling a Data Subject Access Request

Organizations that are held to GDPR standards are charged with managing requests transparently and fairly. They must provide information in an accessible, concise way, with details in plain, clear language. Organizations can specify preferred methods for subjects to request data from them but they cannot enforce these methods and must handle all requests.

When you receive a DSAR, you can use the following process to process the request: 

  1. Recognize the request—deliver incoming requests to the responsible person (the Data Protection Officer in many cases) and determine if they are valid and reasonable.
  2. Manage fees and excessive requests—determine if tasks will require excessive effort, warranting a fee, or if requests are unreasonable and can be denied. According to GDPR, Article 12 (5):

“response to a Data Subject Access Request must be provided free of charge, unless the request is deemed to be manifestly unfounded, excessive or repetitive in character”

  1. Identify disclosure data—determine what qualifies as personally identifiable data and locate it in your systems.
  2. Disclose data—deliver data to the subject in a secure and accessible manner.
  3. Record disclosures—maintain an audit log of the request process to cover compliance and legal liability.

1. Recognise the Request

Since requests can come through multiple sources in multiple formats, it’s best to assume that any request for information qualifies as a valid DSAR. This is important for staff who are not responsible for managing requests. You do not want adjacent staff to discard requests because they do not understand what’s valid or not.

Once a request is received, your staff should know who in the organization handles requests and should forward all information promptly. When you receive a request, you have 30 days to deliver data to the subject so timeliness is important. If you cannot deliver the data in this amount of time due to complexity or number of requests you must notify the subject as soon as possible. In these cases, you have 90 days to deliver data.

2. Dealing with Fees and Excessive Requests

In general you are not allowed to charge fees for data requests and must provide the data to the subject for free. The exception is if you receive a ‘manifestly unfounded or excessive’ request. In these cases you are allowed to either charge a reasonable fee or to deny the request.

There is no clear definition of what can be considered an unfounded or excessive request so you must take care if making this claim. There is also no clearly defined fee schedule for processing these requests. However, the Information Commissioner’s Office (ICO) guidance recommends it be charged in line with administrative costs incurred during retrieval.

3. Identify Personal Data to be Disclosed

The bulk of your time spent when responding to requests is likely to be during data identification and retrieval. The difficulty retrieving data depends on both the breadth of the subject’s request and how you are storing their data.

For a DSAR, personal data applies to any information that can be identified as belonging to an individual under GDPR. However, this definition is vague and can make it difficult to determine which data applies. In general, you should focus on any data that can be clearly linked to the individual through uniquely identifying metadata or contents.

When working to identify relevant data, you should try to centralize the task with a coordinating staff member, often known as a document management provider. These providers can help you effectively search for data. If you do not have a qualified person on staff to perform this task you can outsource the job to ensure timeliness.

4. Securely Disclose the Personal Data

Once the data is gathered, you can prepare it for disclosure. Generally, the expectation is that data is returned in the same format as the request. Therefore, if the request was electronic the data is returned in digital format. However, you can check with the subject to verify how they want data returned.

Additionally, however you return data you need to take measures to ensure that it is kept private. This may be easier for digital responses since you can deliver the data and an encryption key separately.

5. Keep a Record of Review and Decisions Made

Throughout the request response process you should document communications and actions taken. This audit trail proves your responsiveness to requests and may be required for compliance auditing later on.

You should record who received the request and how, who was responsible for processing the request or data, and how and when the response was returned. If you charged fees, extended the request, or denied the request, be sure to explain your reasoning and your communications with the subject.

Refusing a Data Subject Access Request

There are a few cases in which you can refuse DSARs. The primary case is when you are not the data controller. For example, if you are working as a contractor for a company that collects and provides access to user data. 

In this case, you are not responsible for disclosing data but you are responsible for informing the subject of this. In this response, you need to explain why you cannot deliver data and inform the subject of their ability to complain to the ICO.

The other case is as covered above, when requests are “manifestly unfounded or excessive”. These denials also require a response to the subject with an explanation of why the request is being denied and their ability to complain to ICO.

However, take care that you provide a well-reasoned and verifiable explanation for such denials. If the denial is challenged by the subject with the ICO and they determine your reason is invalid, you may be in breach of compliance.

What Must the DSAR Response Contain?

The contents of a DSAR response are outlined in Article 15 of the GDPR. This article specifies that responses should contain the following:

  • A copy of personal data with no inclusions of other subjects’ data
  • An explanation of how data was processed and why
  • The categories of personal data included
  • An explanation of who receives or has access to data, including staff and third-party vendors
  • A description of the source of the data (unless the subject provided it)
  • A description of data retention periods
  • An explanation of the subject’s rights to request deletion or modification of data or to object to processing
  • A notice of the use of automation for processing
  • An explanation of safeguards used in the case that data is transferred outside the EEA
  • Notice that the subject can file a complaint with ICO

GDPR Compliance with NetApp Cloud Compliance

NetApp Cloud Compliance leverages cognitive technology to discover, identify and map personal and sensitive data. Use Cloud Compliance to maintain visibility into the privacy posture of your cloud data, generate crucial data privacy reports, and easily demonstrate compliance with regulations such as the GDPR and the CCPA.

Learn more about NetApp Cloud Compliance

New call-to-action

Senior Marketing and Strategy Manager

-