Unpacking the Cost and Action of a Data Subject Access Request (DSAR)

Understanding the DSAR Process

A Data Subject Access Request (DSAR) is a legal right that gives individuals the ability to access their personal data held by companies and other organizations. Individuals can make a DSAR to ask what personal information of theirs has been collected, stored, used, and shared by the organization.

When an organization receives a DSAR, they have one month to respond and provide the individual with a copy of the personal data they hold about them. The response should also include information on how their data is being used and why it is being processed, as well as any third parties that may have received the data from the organization. The organization must also provide details on how long they intend to keep the personal data, or state what criteria they use to determine how long it should be retained.

In some cases, individuals can use DSARs to ask for their personal data to be corrected or deleted entirely. If an organization does not comply with a DSAR, individuals may be able to take legal action against them.

Responding to a Data Subject Access Request (DSAR)

You should respond to a Data Subject Access Request (DSAR) as quickly as possible, no later than one calendar month from the day you receive it. It’s important to take the necessary steps to comply with the request within this timeframe in order to uphold your obligations under data protection law.

Understanding the DSAR Requirement

A Data Subject Access Request (DSAR) is a request made by an individual (the data subject) to view their personal data which has been collected by an organization. This typically includes any information held about them and the reasons for their processing. Under the General Data Protection Regulation (GDPR), individuals have the right to make such a request, and organizations must respond within one month of receiving it.

The requirements for responding to a DSAR are outlined in GDPR Article 15, which states that organizations must provide a copy of the personal data being processed, as well as information regarding how it is being used and why. This includes details regarding any third parties with whom the data has been shared, the source of the data, and the length of time it will be stored for. Additionally, organizations are required to provide a response free of charge, unless multiple requests have been made or extra copies are requested, in which case they may charge a reasonable fee.

Organizations should also ensure that they provide individuals with access to their personal data in an appropriate format, such as electronically or in hard copy. The GDPR also stipulates that individuals should be able to exercise their rights easily and at reasonable intervals, so organizations should make sure that they facilitate this process by providing clear instructions for making DSARs.

The Cost of a DSAR

A Data Subject Access Request (DSAR) can be an expensive process. According to a 2020 survey of privacy experts, the cost of a DSAR can range from three to six thousand British pounds. The exact cost depends on the complexity of the request, the amount of data involved, and other factors such as the expertise required to manage the request. It is important to note that many organizations do not charge for DSARs, but they may require you to provide proof of identity before granting access to your data. Additionally, some organizations may charge additional fees for extra services such as providing a copy of your data in an alternate format or helping you understand what is included in your data. Ultimately, the cost of a DSAR will vary depending on the organization you are requesting your data from.

Examples of Data Subject Access Requests (DSARs)

A DSAR (Data Subject Access Request) is a request from an individual asking for information about the personal data an organization holds on them. Examples of DSARs can include:

• Requesting access to all the personal data an organization holds about them
• Requesting copies of specific documents that contain personal data
• Requesting a list of all third-party organizations the company has shared its data with.
• Requesting that their data be amended, rectified, or removed from the organization’s databases.

Who Is Eligible to Make a DSAR Request?

Anyone can make a Data Subject Access Request (DSAR). This includes the data subject themselves, a third party acting on behalf of the data subject (such as a parent or guardian), or even someone who is inquiring on behalf of another person (such as an advocate). It also includes requests made verbally or in writing, as well as via social media. It is important to note that you cannot charge a fee to respond to a DSAR request – you must respond to it without delay and within one month of receipt.

Can a Data Subject Access Request Be Refused?

Yes, a Data Subject Access Request (DSAR) can be refused if the organization believes that the request is manifestly unfounded or manifestly excessive.

The GDPR does not provide clear guidance on what constitutes a manifestly unfounded or excessive DSAR. However, it does state that organizations may charge a fee to complete requests that they deem to be manifestly unfounded or excessive.

Organizations should take into account factors such as the complexity of the request, how many resources would be needed to process it, and whether it is necessary for them to comply with their data protection obligations when determining whether a DSAR is manifestly unfounded or excessive. If an organization considers a DSAR to fit this criterion then they are within its rights to refuse it or charge a fee for its completion.

Difference Between DSAR and SAR

The main difference between a DSAR (Data Subject Access Request) and SAR (Subject Access Request) is the scope of the request. A DSAR is a request for access to personal data, which can include any type of data about an individual, such as name, address, date of birth, and financial information. A SAR is a more specific request for access to particular pieces of information held by an organization about that person. For example, if you want to know what information your employer holds about you, you would make a SAR.

Consequences of Ignoring a Subject Access Request

If a subject access request is ignored, the requester may choose to take legal action. They can apply to the court for an order requiring you to comply with the SAR. The court will consider the case and decide whether to make such an order. If an order is issued, failure to comply could result in fines or other penalties. It is therefore important that you respond promptly and appropriately to any SAR that you receive.

Understanding a DSAR Response

A DSAR response is the answer to a Data Subject Access Request (DSAR) made by a data subject. It is a document that outlines what personal data an organization holds about the data subject and how it has been used. A DSAR response must include all of the information requested in the DSAR, as well as an explanation of how it was collected and used. It should also provide instructions on how to access any other relevant documents, such as consent forms or privacy policies. The response should be provided within one month of the request being made, in an easily accessible format such as an email or PDF file.

Handling a DSAR Request

When handling a DSAR request, it is important to assess the request, acknowledge receipt and provide information on how you will review and respond to it. Once you have reviewed the request, you should collate and review any relevant records that are needed to answer the question. During this process, any personally identifiable information (PII) of other individuals should be redacted before sharing the response with the requestor. Finally, it is important to keep a record of all DSAR requests and responses in order to comply with your data protection obligations.

Responding to a Data Subject Access Request

The responsibility of responding to a data subject access request (DSAR) lies with the organization’s data protection officer (DPO). If the organization has appointed one, then they will be in charge of fulfilling any DSARs. However, if no DPO has been appointed, then it is the duty of someone in the workforce who has knowledge and experience in data protection to respond to a DSAR.

The person responsible for fulfilling the DSAR should ensure that they adhere to all relevant legislation when responding, including GDPR and any local regulations which may apply. This includes providing an appropriate response within the legally required timeframe. The individual should also ensure that all personal data provided is accurate, up-to-date, and only kept for as long as necessary.

What Information Can Be Requested in a Data Subject Access Request (DSAR)?

A Data Subject Access Request (DSAR) allows you to request access to the personal information an organization holds about you. You can ask for:

1. A copy of your personal data – this includes any information the organization holds about you, such as your name, address, and contact details.

2. An explanation of how your personal data is being used – this includes any processing activities, such as marketing or research purposes for which the organization is using your data.

3. Information about who your data has been shared with – this includes any third parties the organization has shared your data with, such as credit reference agencies or other organizations for marketing purposes.

4. Details of where the organization obtained your data from – this includes any sources from which the organization collected your personal information, such as a previous employer or online service provider.

5. The right to have inaccurate personal data corrected or deleted – if you believe that any of your personal information held by the organization is incorrect or incomplete, you can request that it be amended or removed from their records.

Who Is Eligible to Make a Subject Access Request?

Anyone who is the subject of personal data held by an organization can make a Subject Access Request. This includes individuals, employees, customers, and members of the public. It applies to any type of organization or business that processes or holds personal information. Examples include banks, insurers, employers, universities, and local authorities. An individual can make a Subject Access Request on behalf of someone else if they have permission to do so.

Conclusion

In conclusion, a Data Subject Access Request (DSAR) is an important tool that allows individuals to understand what personal data of theirs has been collected and stored, and how it is being used. The GDPR officially explains the right of individuals to access their personal data and to do so easily and at reasonable intervals. A 2020 survey showed that the cost of a DSAR can range from three to six thousand British pounds. It is important for individuals to be aware of how to exercise their rights under data protection law, such as through making a DSAR, in order to ensure their data is handled in an appropriate manner.