For any organization that deals with privacy issues in the European Union and other privacy-centric jurisdictions like the United Kingdom, an effective information governance program is a must. A program that includes a systematic approach to DSARs will significantly minimize exposure to risk.
Several of my clients in the EU have been extensively working through the Data Subject Access Request (DSAR) process and how to best address such requests. The following is the first in a series of articles intended to unpack DSAR challenges.
What is a DSAR?
On its face, a DSAR is a simple written request that can lead to an extremely complex workflow. The request may be made to a company via email, an online form, or another form of communication. Upon receipt of the DSAR, the organization must track the request through to resolution within a specific timeframe, usually 30-45 days (after first verifying the requestor’s identity and existence in their data system).
Under the provisions of two complex sets of laws, the EU’s General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA), a DSAR may be sent to any organization that processes the personal data of individuals residing in the EU.
The General Data Protection Regulation
The GDPR, which became effective on May 25, 2018, is a set of laws intended to standardize privacy regulations across Europe. However, the GDPR does not only affect organizations within the EU. Instead, it pertains to all organizations processing and storing the personal data of individuals in the EU, no matter where the company is located.
According to the GDPR, a data subject is identified as “an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
DSARs are the direct result of the right of access provided for in the GDPR. Such requests might ask for specific personal details or could demand a full list of the personal data being stored. Either way, an organization is required to provide the requester with a copy of any relevant information about them.
The UK Data Protection Act 2018
Countries across the EU have passed or will soon enact their own data protection legislation, and the Data Protection Act 2018 is the UK’s implementation of the GDPR. The DPA provides individuals in the UK with the right to obtain a copy of their personal data and extends the lawful bases for processing sensitive personal information beyond what the GDPR provides. The DPA also sets the minimum age of consent for processing a subject’s data at 13, as opposed to 16 in the GDPR.
According to a 2019 survey conducted by Lexology, since the introduction of the GDPR and the DPA, a growing trend is rapidly emerging: DSARs are increasingly being used by those more aware of their rights surrounding their personal information. This tendency is expected to grow, amplifying the need for businesses to put clear policies and procedures in place that will not only keep them in compliance with the GDPR and the DPA, but also help them avoid costly enforcement action.
Next up in this series: How to Respond to a DSAR Request.