Since the GDPR came into force in May 2018, organisations that process personal data within the EU and EEA have been obliged to respond to Data Subject Access Requests (DSARs). DSARs are not new; however, the GDPR introduced a new set of rules for the process. For instance, organisations are now required to respond within 30 days of receiving a request. The tight time-frame and the process itself often pose challenges for organisations when responding to DSARs.
In a time of big data, even identifying and verifying the appropriate personal data can be tough. As personal data is spread across various databases for different purposes, such as HR or customer relationships, locating the appropriate data and tying it back to the request is often a long and hard process. This is just one of the general challenges organisations face. So what are the key steps for overcoming the biggest challenges of responding to DSARs and creating compliant, smooth, cost- and time-efficient organisational processes?
DSARs as per the GDPR
Before going into detail about the key steps, let’s recap on what the GDPR says about DSARs.
Who, why, how?
Every individual holds the right to access any information about themselves that is being processed by a data controller. Data subjects can be employees of an organisation, customers or clients that engage with an organisation, and even people that visit an organisation’s website.
Data subjects are permitted to make a DSAR verbally, in writing, or in any other form.
If the request is made electronically, the data controller should provide the information through a commonly used electronic format, unless the data subject requests otherwise.
The GDPR gives organisations 30 days to respond to a DSAR, but permits them to extend this by up to 2 months if the request is deemed too complex to handle within the expected time frame, or if your organisation has received numerous requests from the same data subject.
However, organisations can’t extend the one-month time limit on the basis that they have to rely on a data processor to provide the information needed to respond. If your organisation processes a large quantity of personal data about an individual, the GDPR allows it to ask the data subject to specify the information or processing activities their request relates to before responding to the request itself. At the same time, this shouldn’t affect the timescale: the response is still due within the 30-day period.
Manner and Legal Obligation
The GDPR states that a DSAR doesn’t need to be formally titled a “subject access request” or “access request” to constitute one.
Furthermore, the GDPR states that in addition to a copy of personal data, data subjects should be provided information regarding:
• the purposes of processing, categories of personal data concerned,
• recipients your organisation shares the personal data with,
• the retention period for storing the personal data or your organisation’s criteria for determining how long it would be stored for,
• and the existence of their right to request erasure, rectification, restriction, or to object to the processing.
Organisations are also obliged to communicate the right to submit a complaint to their respective supervisory authority, as well as additional information, including the source of the data, if automated decision-making is in place, and the safeguards in place for personal data transfers.
Exemptions - when can your organisation refuse to respond to a DSAR?
The GDPR provides exemptions; if an organisation finds one applicable, it is permitted to refuse a DSAR (wholly or partly). However, not all exemptions apply in the same way, so organisations must carefully look into how each exemption could apply to a particular request.
Your organisation could refuse to comply with a DSAR if it is deemed:
1. Manifestly unfounded
Where the data subject clearly shows no intention to exercise their right of access, or the request is made with malicious intent, such as aiming to harass an organisation and cause disruption.
2. Excessive
Where a data subject has repeatedly submitted DSARs without a reasonable amount of time having passed between them. It could also mean that the request overlaps with other requests made by the same data subject.
If your organisation finds an exemption for not responding to a DSAR, the data subject should be informed without delay, and still within the (extended) time period for the request. The data subject should be clearly informed of the reasons for not taking action, their right to make a complaint to the respective supervisory authority, and their ability to enforce this right through a judicial remedy.
Exemptions specific to the Netherlands
According to the Dutch GDPR Implementation Plan, data controllers are permitted to refrain from complying with the obligations and rights referred to in Articles 12 to 21 and Article 34 of the GDPR, which include DSARs, to the extent necessary and proportionate to ensure:
a) National security
b) National defence
c) Public safety
d) The prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, including the protection against and prevention of threats to public security;
e) Other important objectives of general interest of the European Union or of the Netherlands, in particular an important economic or financial interest of the European Union or of the Netherlands including monetary, budgetary and fiscal matters, public health and social security;
f) The protection of the independence of courts and judicial proceedings;
g) The prevention, investigation, detection and prosecution of violations of codes of ethics for regulated professions;
h) A monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases a, b, c, d, e and g;
i) The protection of the data subject or of the rights and freedoms of others; or
j) The collection of civil claims.
However, it’s important to note that when an organisation chooses to apply one of the mentioned exemptions, the data controller should also take several factors into account. These include the purposes of the processing activities, the categories of personal data, and the different risks to the rights and freedoms of data subjects. Additionally, organisations should document their decision to use an exemption, and clearly explain the reasons for doing so to data subjects.
What happens if an organisation doesn’t respond to a DSAR?
If an organisation fails to respond to a DSAR, complaints could be submitted to the respective supervisory authority. In cases deemed as a serious offence, the authority could start an investigation, which might include audits. Furthermore, failure to respond to a DSAR could lead to distrust and unrest between an organisation and a data subject, if not dealt with appropriately.
The number of DSARs received by organisations is on the rise, and so are the costs
Mass data collection leaves organisations with a huge amount of personal data, collected across various databases, sometimes even with support from third-party services. Responding to a DSAR is a time-sensitive process that often requires a lot of time and resources even when the appropriate procedures are in place, and can mean significant additional costs for organisations. Under the GDPR, no fee can be charged for data requests, so if an organisation receives a high number of DSARs, it can even mean a loss of money.
According to the Autoriteit Persoonsgegevens (the Dutch DPA), in 2019 more than 27,000 complaints relating to data privacy were registered, a 79% rise from 2018. Most of the complaints (29%) concerned the possible violation of a privacy right, such as the right to inspect existing personal data and the right to have it erased. Meanwhile in the UK, studies showed that out of 90 UK-based organisations, 64 reported a significant increase in the number of DSARs. Of these 64 organisations, 67% had also experienced a rise in costs associated with the lengthy process of responding to those requests.
Key steps to overcome the main challenges, phase by phase
Since a DSAR has no prescribed form or structure, identifying one can often be difficult. Identifying the data subject is just as vital to ensure confidentiality. As responding to a DSAR from an unauthorised individual would result in a data breach, organisations must verify the identity of the individual before responding. At the same time, organisations should be careful not to make it too difficult for the data subject to submit a request, or to require an excessive amount of information for the authentication itself.
To overcome this challenge, staff should be trained to recognise a DSAR, to register the request properly, and to know which department to forward it to. Additionally, gathering further personal data for authentication should only be done with caution. Not only could this be a burden for the data subject, but it would also put your organisation at risk of infringing the basic rights of data subjects.
Verification of the request
Understanding the requirements for certain types of requests is important for determining if a DSAR is valid. Organisations should therefore have a clear overview of their processing activities. They should know how and where personal data is located, what the purposes are for having that data, what legal basis applies to the processing, and other factors that determine whether the requirements actually apply. After clarifying the factors of the request, organisations should determine if the request can be met within the 30-day period.
Carrying out a data mapping can be highly beneficial in gaining a deeper insight into your organisation’s handling of personal data. As different disciplines from across the organisation are needed in the activity, understanding and analysing your organisation’s different data flows will help you better clarify requests.
As the 30-day time period starts when the request is made, searching for data is time-sensitive. Some personal data can be stored at third-party data processors or within your organisation’s numerous tools and databases. In fact, the Varonis 2019 Global Data Risk Report found that 9 in 10 companies had more than 1,000 stale sensitive files, while 7 in 10 had over 5,000. Despite not being in use, stale files could still contain personal data belonging to individuals, which can hamper tracking down the necessary information.
Taking time to organise databases and carry out occasional audits could not only save your organisation valuable storage space, but could also ease the DSAR process, where time is of the essence. Conducting a data mapping also provides a significant advantage, as it gives an overview of all your organisation’s data processing activities. It’s also very important to include clear instructions on assisting with DSARs in your Data Processing Agreements (DPAs) with processors and other parties involved.
From a storage limitation standpoint, personal data shouldn’t be kept indefinitely. An organisation should understand the practical and legal retention terms that could apply to its processing activities. However, the latter can be difficult, as the applicable jurisdiction must be known. For example, if an organisation processes personal data from data subjects in different countries, the jurisdiction of those countries should be known, along with each jurisdiction’s legal retention terms. Furthermore, erasing data may be more difficult for organisations that share certain information or use tools and systems that require additional steps to erase personal data.
Look into the retention terms beforehand, and understand which may apply in a given situation. Erasing data can be a tedious task, especially when done manually. Conducting occasional audits to gain a better overview of where particular data is processed will help ease the process of identifying and erasing requested information. This can also be addressed through data mapping. Lastly, investing in automating the process could be useful: not only would your organisation be able to pinpoint the necessary data seamlessly, but in some cases organisations could set up a portal where data subjects are able to access their information and opt to erase it if they so decide.
Catering to a data conscious society
Today, customers, employees, and other individuals are more conscious of what personal data they provide and how that data is processed by organisations. As a consequence, organisations that process personal data can expect the number of DSARs to continue to rise over time. However, with the right preparations, or even with the help of a third party, responding to DSARs can be made into a smoother and less complex process, decreasing the time, resources, and added costs spent on them. It will help your organisation stay GDPR compliant, keep your reputation intact, and keep your data subjects satisfied.