What Is GDPR DSAR And Why Is It Important?

Companies must be able to verify that requests are made by the data subject. They may request written proof of authorisation or ask to see ID documents.

DSAR’s must be fulfilled without delay. The responsibility for fulfilling them falls on the organisation’s DPO, or someone with similar skills and knowledge.

What Is A DSAR?

A GDPR DSAR is any request from an individual who wants to see the personal data your company processes about them. The information they want to see can include things like their address, phone number, email, medical records, credit rating, and more. They can request this information by email, phone call, or via a website form. They can also ask for the details of anyone who has accessed or processed their personal information.

Businesses should respond to DSAR submissions promptly, within the legally defined window. They can deny requests that are unfounded or excessive, but they must inform the requesting party of why and provide them with an alternative means to get the information they need.

How Do I Respond To A DSAR?

You must provide the information requested by the data subject within 30 days, unless there’s a legitimate reason for an extension. This may require performing a ‘reasonable search’ of every place that your company has stored the individual’s personal data, and this should continue until there are no more locations to look.

You’ll also need to explain to the data subject any information you are unable to supply, along with a full breakdown of why. You’re allowed to charge a fee for responding to a DSAR, but it must be reasonable and cover administrative costs only – you can’t profit from these requests.

The exact process for submitting a DSAR can vary from business to business, but it’s best to have a form or dedicated email set up for such requests. 

What Information Do I Need?

There are a number of things to keep in mind when preparing to respond to a data subject access request. First, make sure you have a process in place to verify the identity of the person making the request. This will help prevent sending personal information to the wrong person, which could lead to a data breach.

Once you have verified the identity of the person making the request, you should take some time to review their request and decide how to proceed. Generally, you have to provide the requested data within one month, though it’s possible to request an extension from the supervisory authority.

If you are unable to provide all of the data the person requests, you must explain why. This should be written in clear language that the average adult can understand.

What Happens If I Don’t Respond?

While the GDPR stipulates companies must respond to DSARs within 30 days of receipt, it also allows them 60 additional days if they can demonstrate they’re working to fulfil the request. It’s important for data teams to be aware of the limits and to keep a record of their efforts to comply with requests.

It’s also worth remembering that your company is only required to provide the specific information a requester wants. This means you shouldn’t include internal memos or notes that don’t specifically mention the individual, otherwise this would be a breach of privacy. Additionally, it’s not permitted to ask individuals for a reason for their request.