The Importance Of A DSAR In GDPR

A DSAR is an important way for individuals to access the information your business holds about them. However, it’s essential to check that the request is genuine and that the information is shared only with the individual concerned.

It’s vital that a single person takes control of the entire DSAR process so that responses are accurate, timely and in line with GDPR requirements. This might be your DPO or someone else in your privacy team.

What Is A DSAR?

When an organisation receives a DSAR, it must respond without undue delay and within one month. This deadline may be extended where necessary, but the organisation must inform the individual of any extension and provide reasons for it.

Who Can Make A DSAR?

A GDPR DSAR is a request from an individual for a copy of all personal data you hold about them. This includes both digital information and physical documents such as files or papers. Individuals have the right to make this request, or allow a third party to do so on their behalf (such as a solicitor or family member).

Employees are more likely to make DSARs, so businesses should be prepared for these requests. A business should be able to respond within one month, but if it can’t, it must inform the data subject why and how long it will take.

When businesses receive a DSAR, they must verify the individual’s identity. This can be done by email, photo ID, login and password security systems, or by using third-party identity verification services. Businesses are not permitted to ask for details of other people who may appear in the same document as the DSAR requester’s personal information, as this could lead to a data breach.

How Can You Make A DSAR?

The GDPR makes it clear that individuals must be able to request the personal data held by an organisation. This is often called a Subject Access Request (SAR).

Individuals can make a SAR in a variety of ways. They don’t have to use the technical term ‘DSAR’, for example, and they can even make a DSAR over the phone or on social media.

In most cases, an organisation will be required to fulfil a DSAR within one month. However, if the request is voluminous or complex, then that deadline can be extended.

It’s important for a business to put processes in place for handling DSARs. This will help to ensure that requests are processed quickly and efficiently.

What Should You Do If Someone Submits A DSAR?

If a person submits a DSAR to your business, you must respond within one calendar month. If it’s clear that you won’t be able to comply with the request within this timeframe, you should write to them explaining why.

The first step is to verify the identity of the individual making the request. This can be done through an email confirmation or by asking them to provide proof of ID.

Once you know it’s the right person, you must take a closer look at their request to understand exactly what they want from your business. It could be that they are merely looking for access to their personal data or, more likely, that they are invoking other data privacy rights such as rectification.

Remember that you must redact information that isn’t about the individual making the DSAR to avoid accidental data breaches. Also, make sure you don’t send them any documents containing personal data about other people.