Do I Need a Policy for Handling Data Subject Access Rights Requests?

Navigating the complexities of data protection law is vital for your business, especially with the UK General Data Protection Regulation (UK GDPR) rules in place. One crucial aspect of this law is the right of access, allowing individuals to understand how your business uses their data. Your business can significantly benefit from a robust Data Subject Access Request (DSAR) policy to manage this right effectively. This article explores subject access requests and the benefits of implementing a policy to help you deal with this crucial data subject right.

What Is UK Data Protection Law?

The UK GDPR (alongside the Data Protection Act 2018) governs the handling of personal data within the UK. It gives individuals more control over their data and imposes strict requirements on your business regarding data processing, storage, and access. Fundamental principles of the UK GDPR include data minimisation and accountability. The GDPR also focuses on the rights of data subjects, among which the right of access is essential, so that individuals know how you intend to use their information and why.

What is a Data Subject Access Request?

A DSAR is a request from an individual to access the personal data your organisation holds about them. This includes obtaining a copy of their data and understanding its use. Individuals can make this request in various ways, including verbally, in writing, and even via social media. A third party can also submit a DSAR on behalf of an individual.

The right of access helps individuals understand the purpose and processing of their personal data. After making a DSAR, the individual is entitled to learn about your data processing and view the relevant information. This transparency is a crucial aspect of the UK GDPR and is also essential for building trust between individuals and your business.

Why Should Your Business Understand How to Respond to DSARs?

Understanding and effectively responding to DSARs is vital for several reasons. Correct handling of DSARs ensures compliance with the UK GDPR, reducing the risk of fines and penalties. It also helps maintain customer trust by demonstrating transparency and accountability in handling personal data. Efficient DSAR management can streamline internal processes, making it easier for your staff to provide accurate and timely responses.

A clear DSAR policy will help your business understand its responsibilities and ensure the efficient handling of requests. It can provide various valuable information and guidance, including:

  • a straightforward procedure for verifying the identity of the requester;
  • clarifying the request if necessary; and
  • ensuring that the data is provided securely and in the correct format.

Additionally, a DSAR policy can help you identify potential issues early on, allowing you to address them before they escalate. However, it must not be a substitute for training and awareness of data protection compliance.

A policy can assist by helping data controllers comply, keep track of data subject requests more efficiently, and demonstrate compliance. These requests can be highly time-consuming, complicated and generally tricky. As such, a policy can make this process much easier and smoother for your business.

What Should Your DSAR Policy Cover?

Implementing a DSAR policy involves several vital issues to ensure compliance with strict legal rules.

For instance, your policy should cover critical points on how you should handle requests, including:

  • Logging Requests: This includes recording the date the request came in, so that you can meet the relevant time frame of a month for responding;
  • Confirming Identity: Your policy should include requesting additional information to verify the data subject’s identity. This prevents unauthorised access to personal data;
  • Searching Data: Your policy should direct individuals to identify and search all your systems, company databases, applications, and other places where personal data might be held;
  • Confirming Data Processing: Your business should inform the data subject whether or not you process their data; 
  • Providing Information: If personal data is being processed, you should provide the data subject with information, including the purposes of the processing, categories of personal data concerned, recipients or categories of recipients, the period for how long the personal data will be stored, the right to request rectification or erasure, and details on data transfers outside the UK; 
  • Handling Exemptions: Your policy should detail the circumstances under which you will refuse or partially fulfil a DSAR, such as when exemptions apply. This is crucial;
  • Redacting Third-Party Data: Your business should review the personal data to see if it contains information about other individuals and redact it unless consent has been given or it is reasonable to disclose without consent;
  • Charging Fees: Your policy should specify the conditions under which a reasonable fee may be charged for fulfilling a DSAR, such as if the request is manifestly unfounded or excessive; and
  • Extending Deadlines: You should state the process for extending the response time by up to two additional months for complex requests and ensure the data subject is informed within the initial one-month period.

You should also regularly train your staff to recognise DSARs and understand the internal processes for handling them efficiently. You should periodically review and update the DSAR policy to keep it current with legal requirements and regulatory guidance. A lawyer can assist with this.

What Are the Benefits of a DSAR Policy?

Implementing a DSAR policy offers several benefits. It will help to ensure your organisation meets the legal requirements of the UK GDPR, reducing the risk of fines and penalties. It can streamline the process of handling DSARs, making it easier for staff to respond promptly and accurately. Demonstrating transparency and commitment to data protection can also enhance trust with customers and stakeholders, and having a solid policy in place to tackle DSARs can help with this.   

The UK data protection regulator also stresses the importance of having a process to handle these requests, so a policy can help show that you comply with the regulator’s guidance.

Key Takeaways

Achieving compliance with UK GDPR will help protect your organisation from risk. A DSAR policy can do this by helping to streamline the handling of data requests and helping you achieve correct and timely responses. Properly handling DSARs reduces the risk of data protection law breaches and builds trust with your customers and stakeholders. By implementing a DSAR policy, you demonstrate a commitment to data protection. This can enhance your organisation’s reputation with stakeholders.

For guidance on ensuring compliance with the UK GDPR and implementing a DSAR policy, LegalVision’s experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

What is the UK GDPR? 

The UK GDPR is a law governing the processing, storage and access of personal data in the UK. It aims to protect individuals’ privacy and give them greater control over their data.

What is a Data Subject Access Request?

A DSAR is a request made by an individual to access personal data that an organisation holds about them. This includes obtaining a copy of the data and understanding its use.

Sej Lamba
