Manage Data Subject Access Requests (UK)

09-Jun-23

Note: Links to our free templates are at the bottom of this long guide.
Also note: This is not legal advice

Introduction

Data Subject Access Requests (DSARs) are a key aspect of the UK General Data Protection Regulation (UK GDPR), and an incredibly valuable tool for individuals to ensure their personal data is protected. DSARs enable individuals to find out what personal data an organisation holds about them and check its accuracy; if it is incorrect, the separate right to rectification lets them have it corrected. However, with such power comes responsibility - organisations must ensure they adhere to UK GDPR requirements when responding to DSARs, or face enforcement action and significant penalties from the Information Commissioner’s Office (ICO).

At Genie AI, we understand the importance of DSARs which is why our team has created the world’s largest open source legal template library. Our millions of datapoints teach our AI what a market-standard DSAR looks like, allowing anyone to customize and draft high-quality legal documents without paying a lawyer. Using this guide does not require you to have a Genie AI account; we just want to help make sure your data is safe and secure.

To respond effectively and efficiently to DSARs, organizations should first establish dedicated teams who can manage them competently with adequate training and support in place - all backed up by adequate processes and procedures that encompass the specific requirements of the GDPR.

In today’s ever-evolving digital landscape it pays for companies to take the privacy of their employees and customers seriously - both legally and ethically - so read on for step-by-step guidance on best practice, and find out how you can access our template library free of charge.

Definitions

Data Subject Access Request (DSAR) - A request for access to personal data held about an individual by a controller.
Data Protection Act 2018 - The UK law that supplements the UK GDPR; together they give individuals the right of access to their personal data and set out the exemptions an organisation may rely on when responding.
General Request - A request where the individual does not specify what type of data they would like to access.
Specific Request - A request where the individual specifies what type of data they would like to access.
Redacting - Removing or concealing part of a document or record.
Logs - Records of events or activities.
Documenting - Recording information in written or digital form.
Verifying - Checking the accuracy or truth of something.
Gathering - Collecting data or information.
Notifying - Informing someone of something.
Identifying - Recognizing or determining something.
Complex - Involving many different and connected parts.
Unclear - Not easy to understand or explain.
Appropriate - Suitable or right for a particular situation.
Accurate - Free from error or mistakes.
Format - The way something is arranged or presented.
Complaint - An expression of dissatisfaction or annoyance.
Appeal - A request to change an official decision.
Regulations - Rules that have been agreed upon by a group.
Monitoring - Observing or checking something over time.

Contents

  1. Understanding Data Subject Access Requests (DSARs)
  2. Definition of a DSAR
  3. What Data Can be Requested
  4. Types of DSARs and the Data Protection Act 2018
  5. General Requests
  6. Specific Requests
  7. How to Respond to a DSAR
  8. Timely and Accurate Response
  9. Redacting Information
  10. Keeping a Record of DSARs
  11. Keeping Logs
  12. Documenting the Process
  13. Making Sure Your Response is Accurate and Timely
  14. Verifying the Identity of the Data Subject
  15. Gathering Appropriate Data
  16. Meeting Deadlines
  17. Notifying Third Parties when Handling DSARs
  18. When to Notify Third Parties
  19. Tracking Notifications
  20. Dealing With Challenges That Arise During a DSAR
  21. Identifying Complex Requests
  22. Handling Unclear Requests
  23. Providing Information Accurately and in an Appropriate Format
  24. Format of the Response
  25. Ensuring the Data is Accurate
  26. How to Handle Complaints and Appeals
  27. Responding to Complaints
  28. Making Appeals
  29. Ensuring Compliance With Data Protection Regulations
  30. Compliance Standards
  31. Documenting Compliance
  32. Monitoring Compliance


Understanding Data Subject Access Requests (DSARs)

  • Understand what a DSAR is and what rights it offers to individuals
  • Learn the scope of a DSAR and what it covers
  • Understand the time frame for responding to a DSAR
  • Familiarize yourself with the laws and regulations governing DSARs in the UK
  • Know which data you need to provide when responding to a DSAR
  • Be aware of any exemptions that may apply

Once you have a firm understanding of what a DSAR is, what it covers, and the laws and regulations surrounding it, you can move on to the next step.

Definition of a DSAR

  • A Data Subject Access Request (DSAR) is a request from a data subject (e.g. an individual) for access to their personal data that is being processed by a data controller (e.g. a company).
  • DSARs can be made verbally or in writing, to any part of the organisation (including via social media), and are normally free of charge. A reasonable fee may only be charged, or the request refused, where it is manifestly unfounded or excessive; a fee may also be charged for further copies of the same data.
  • DSARs must be responded to within one month of receipt. For complex or numerous requests this can be extended by up to two further months, but the data subject must be told of the extension, and the reason for it, within the first month.
  • The response must include the personal data itself and the supplementary information required by Article 15 of the UK GDPR: the purposes of processing, the recipients or categories of recipients, the retention period, the source of the data where it was not collected from the individual, the existence of any automated decision-making, and the individual’s rights to rectification, erasure, restriction and complaint to the ICO.

You will know when you can check this step off your list when you have identified what a DSAR is and understand when it should be responded to.

What Data Can be Requested

  • Identify what type of data the individual can request from you
  • Understand what personal data you need to provide in response to a DSAR
  • Check your data protection policies, procedures and records to ensure you are handling DSARs correctly
  • Document which data you are legally obliged to provide
  • Document any data that you are not legally obliged to provide

When you have identified the data that can be requested and documented your process, you can move on to the next step.

Types of DSARs and the Data Protection Act 2018

  • Understand that the Data Protection Act 2018 and the UK GDPR together govern every subject access request you receive
  • Know the eight individual rights of data subjects and the requirements for each one
  • Be aware of the exemptions in the Data Protection Act 2018 (for example for crime and taxation, legal professional privilege, management forecasts, negotiations and confidential references) that may allow you to withhold some information
  • Be able to determine, for each request, whether any exemption applies, and record your reasoning whenever you rely on one
  • Be able to identify any legal requirements and restrictions that apply to the data subject rights
  • Have a process in place to handle DSARs
  • Understand the timeframes and deadlines for responding to DSARs
  • Have the necessary resources to respond to DSARs

Once you have a good understanding of the types of DSARs and the Data Protection Act 2018, you can check this step off your list and move on to the next step.

General Requests

  • Review the request you have received. There are no formal requirements for a valid request: any request for personal data, in any form and to any part of the organisation, counts, whether or not it mentions the Data Protection Act 2018 or the UK GDPR.
  • Check whether the data subject has provided enough information for you to locate the data they are asking for; if not, you may ask for clarification, and the response clock is paused until they reply.
  • Confirm the requester’s identity in a way that is proportionate to the sensitivity of the data. Only ask for proof of identity, such as a copy of a passport or driving licence, where you have reasonable doubts about who is making the request; do not demand ID from someone you already deal with through a verified account or known address.
  • Contact the data subject if you need more information or clarification before you can process their request.
  • Establish a timeline for responding to the request and ensure that you respond within this timeframe.
  • Check to ensure you have all the necessary resources and tools to carry out the request.

How you’ll know when you can check this off your list and move on to the next step:

  • When you have reviewed the data subject access request, checked to see if the data subject has provided sufficient information, established a timeline for responding, and ensured that you have all the necessary resources and tools to carry out the request.

Specific Requests

  • Identify the specific request: make sure that the request is specific enough to allow you to locate the relevant personal data;
  • Assess the request: review any exemptions that may apply and check whether the request is manifestly unfounded or excessive;
  • Gather the data: locate the relevant personal data and check that the data is accurate and up-to-date;
  • Review the data: review the data to check whether it is relevant to the request;
  • Prepare the response: prepare the response including any exemptions and explanations;
  • Provide the response: provide the response to the Data Subject;
  • Document the response: record the response and any documents provided in the response.

How you’ll know when you can check this off your list and move on to the next step:

Once the response has been provided to the Data Subject and the response and any documents provided in the response have been recorded, you can check this step off your list and move on to the next step: How to Respond to a DSAR.

How to Respond to a DSAR

  • Create a process for responding to DSARs, including nominating a team member to be the point of contact for such requests
  • Establish a timeline for responding to DSARs, which should be no more than one calendar month
  • Ensure that the response to the DSAR is accurate and timely
  • Ensure that the data subject is adequately informed of the progress of their request
  • Check that the data subject has provided sufficient information to identify them and the data they are requesting
  • Check that the requester is the data subject, or has the data subject’s written authority to act on their behalf (for example a solicitor, or a parent acting for a child who lacks the capacity to make the request themselves)
  • Obtain the requested data or confirm why the data cannot be provided
  • Provide the data subject with the requested data
  • When responding to a DSAR, ask any processors or sub-processors that hold the individual’s data on your behalf to retrieve it, and tell the data subject who the recipients (or categories of recipients) of their data are

This step is complete when the requested data is provided to the data subject and they are aware of any third parties who have processed the data.

Timely and Accurate Response

  • Respond to DSARs within one month of receipt, unless the request is complex or numerous and you have extended the deadline by up to two further months
  • For complex requests, or where you intend to rely on an exemption, you may need to seek legal advice
  • Provide all the personal data the request covers; where you withhold information under an exemption, tell the data subject that you have done so and which exemption applies, unless doing so would itself undermine the exemption
  • Ensure that all data provided is accurate, up to date and relevant
  • Check that any processors holding the data on your behalf return it in time for you to meet your own deadline; their delay does not extend it
  • When the response is complete, inform the data subject and provide the information in the format requested
  • Check off this step when all data has been provided and the data subject has been informed of the response.

Redacting Information

  • Review the request to determine the specific information the individual has asked for.
  • Identify material in the located records that must not be disclosed: other people’s personal data (unless they have consented or it is reasonable to disclose it without consent), information covered by an exemption, and anything that would reveal the identity of a third party such as a complainant or witness.
  • Redact that material, not the data subject’s own data. Redaction must be irreversible: remove the underlying text or pixels rather than drawing a box over them, and strip document metadata, comments and revision history that may still contain the removed content. Test the redacted copy by searching for the removed text before you send it.
  • Keep the unredacted original and a note of what was redacted and why, so you can justify the decision to the ICO or a court.
  • When you have completed the redaction process, you can move to the next step of keeping a record of the data subject access request.

Keeping a Record of DSARs

  • Maintain a secure log of all DSARs received, including contact details and the date received
  • For each DSAR received, record the request, the response, and the date of response
  • Any additional notes should be included in the log, such as if a request was complicated or if additional information was requested
  • Ensure that the log is regularly reviewed and maintained
  • When the DSAR is complete and the response has been sent, the log entry can be marked as closed
  • After the response has been sent, keep the record for a defined period under your retention policy. There is no statutory retention period for DSAR records; many organisations keep them for six years, in line with the limitation period for civil claims in England and Wales.

Keeping Logs

  • Keep a log of all DSARs received, including the data subject’s name, contact info, and the date the request was received
  • Take note of the date you respond to the request and any other relevant information about the request
  • Ensure the log is detailed enough to allow for an audit trail to be followed
  • Keep the log secure and ensure it is only accessible to those with a legitimate need to know
  • When you have completed the log and ensured it is up to date, you can move on to the next step of documenting the process.

Documenting the Process

  • Document the process for responding to data subject access requests (DSARs).
  • Create a record of the process you will use to respond to DSARs, including the information you will need to provide, the timescales you will adhere to and any other relevant information.
  • Update your documentation as necessary, to ensure it remains up-to-date with any changes in data protection law and your internal procedures.
  • Make sure you document any relevant changes to the process you use to respond to DSARs.
  • Keep a record of any changes made to the process.
  • You will know this step is complete when you have documented the process for responding to DSARs and updated the record of changes made to the process.

Making Sure Your Response is Accurate and Timely

  • Ensure that the response you provide is accurate and timely by regularly reviewing the accuracy of the data you hold
  • Update the data if incorrect or out-of-date information is found
  • Ensure that the response is given in the format requested by the data subject
  • Respond to the data subject within the one-month timescale set by Article 12 of the UK GDPR (the Data Protection Act 2018 supplements it)
  • For complex or numerous requests you may extend by up to two further months, but you must tell the data subject within the first month that you are doing so and why; you cannot extend simply because you and the data subject have agreed a later date
  • When you have provided the response, check that you have answered all of their questions and that the data subject knows how to raise a complaint with you, or with the ICO, if they are not satisfied
  • You can check this off your list and move on to the next step once the response is accurate, timely and complete.

Verifying the Identity of the Data Subject

  • Satisfy yourself that the person making the request is the data subject (or is authorised to act for them). Check identity proportionately: where the request arrives through a channel you have already verified, such as a logged-in account or the email address on file, that may be enough
  • Where you have reasonable doubts, ask for evidence such as a passport, driving licence or utility bill, and check the photograph and personal details against the records you already hold
  • If the data subject cannot provide documentary ID, ask questions about their account or dealings with you that only they should be able to answer; avoid details that are publicly available or easily guessed
  • Treat ID copies as sensitive data: store them securely, restrict access to the DSAR team, and delete them once the check has been recorded rather than keeping them attached to the request
  • Record the method used to verify identity and the outcome, not a copy of the document itself once it is no longer needed
  • Once the individual’s identity is verified, you can move on to the next step, Gathering Appropriate Data.

Gathering Appropriate Data

  • Identify all systems and services containing personal data of the data subject
  • Collect all the relevant personal data about the data subject from each of these systems and services
  • Prepare the personal data for disclosure in a secure, appropriate and legally compliant manner
  • Check the personal data for accuracy and whether there’s any information that you don’t have the right to disclose (e.g. third-party data)
  • You can check this step off your list when you’ve gathered all the relevant personal data about the data subject and prepared it for disclosure.

Meeting Deadlines

  • Establish the deadline for responding to the DSAR: the deadline must be no later than one month after the request is received
  • Set an internal deadline - ideally two weeks before the response is due, to allow enough time to respond
  • Have a designated team member responsible for tracking the progress of the DSAR
  • Set up an internal reminder system to ensure that the response is sent on time
  • Make sure all relevant stakeholders are aware of the deadline, and their roles in meeting it
  • Once the response has been sent out, document that the deadline has been met and make a note of it in the relevant records.
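The two sections above, Keeping Logs and Meeting Deadlines, describe a register with an audit trail and an internal deadline set ahead of the statutory one. The following is an added example, not code from the guide or from Genie AI, of a minimal DSAR register that computes the response deadline and flags requests at risk. The deadline rules it encodes are taken from ICO guidance rather than from this page and are treated here as assumptions: the deadline is the corresponding calendar date one month after receipt (the last day of the next month if there is no such date), a deadline falling on a weekend rolls to the next working day (bank holidays are not modelled), complex or numerous requests may be extended by two further months provided the subject is told within the original month, and the clock is paused while you wait for clarification, modelled here as a simple day count. The ticket reference and request details are constructed.

```python
# Added example (not part of the original guide): a minimal DSAR register that
# computes the statutory response deadline the way ICO guidance describes it.
# Assumed rules, not stated on the page:
#   - deadline = corresponding calendar date one month after receipt, or the
#     last day of the next month if it has no such date;
#   - a weekend deadline moves to the next working day (bank holidays ignored);
#   - up to two further months on extension, notified within the first month;
#   - days spent waiting for clarification pause the clock (simple day count).
# The register is in memory; a real one belongs in an access-controlled system.
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

INTERNAL_BUFFER = timedelta(days=14)  # internal target two weeks before the statutory date


def add_months(start: date, months: int) -> date:
    """Corresponding calendar date `months` ahead, clamped to the last day of that month."""
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(d: date) -> date:
    """Roll a Saturday or Sunday forward to the following Monday."""
    while d.weekday() >= 5:
        d += timedelta(days=1)
    return d


def response_deadline(received: date, extension_months: int = 0, paused_days: int = 0) -> date:
    """Statutory deadline: one month, plus up to two more on extension, plus any paused days."""
    if not 0 <= extension_months <= 2:
        raise ValueError("a DSAR may be extended by at most two further months")
    base = add_months(received, 1 + extension_months) + timedelta(days=paused_days)
    return next_working_day(base)


@dataclass
class DsarRecord:
    reference: str          # internal ticket reference (constructed), e.g. DSAR-2023-0042
    received: date
    subject: str            # name or pseudonymous ID; contact details stay in the controlled system
    scope: str
    extended: bool = False
    paused_days: int = 0
    responded: Optional[date] = None
    events: List[Tuple[date, str]] = field(default_factory=list)  # audit trail

    def log(self, when: date, note: str) -> None:
        self.events.append((when, note))

    def deadline(self) -> date:
        return response_deadline(self.received, 2 if self.extended else 0, self.paused_days)

    def internal_deadline(self) -> date:
        return self.deadline() - INTERNAL_BUFFER

    def extend(self, when: date, reason: str) -> None:
        """Extend by two months; only valid if the subject is notified within the original month."""
        if self.extended:
            raise ValueError("already extended")
        if when > response_deadline(self.received, 0, self.paused_days):
            raise ValueError("too late: the extension must be notified within the first month")
        self.extended = True
        self.log(when, f"extended by two months, subject notified: {reason}")

    def close(self, when: date) -> None:
        self.responded = when
        self.log(when, "response sent")

    def status(self, today: date) -> str:
        """open / at-risk / overdue while live; closed-on-time / closed-late once answered."""
        if self.responded is not None:
            return "closed-on-time" if self.responded <= self.deadline() else "closed-late"
        if today > self.deadline():
            return "overdue"
        if today >= self.internal_deadline():
            return "at-risk"
        return "open"


def demo() -> DsarRecord:
    """Walk one constructed request through the register."""
    rec = DsarRecord("DSAR-2023-0042", date(2023, 6, 9), "subject-7f3a", "all HR and email records")
    rec.log(date(2023, 6, 9), "received by email; identity confirmed via verified staff account")
    rec.extend(date(2023, 7, 3), "searches span three mail archives")
    return rec


if __name__ == "__main__":
    r = demo()
    for when, note in r.events:
        print(when, note)
    print("deadline:", r.deadline(), "internal:", r.internal_deadline(), "status:", r.status(date(2023, 8, 30)))
```

The month-end clamp is the part people get wrong by hand: a request received on 31 January is due on 28 February, not 3 March. Keeping the extension check inside the record means a late extension is rejected rather than silently moving the deadline.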

Notifying Third Parties when Handling DSARs

  • Make a list of any third parties that hold personal data about the data subject on your behalf (processors and sub-processors), and any joint controllers you share it with
  • For each, decide whether they hold data in scope of the request that you cannot retrieve yourself
  • Where they do, notify the third party of the subject access request and tell them what the data subject has asked for; share only the minimum needed to locate the data, not a copy of the request with the requester’s ID documents attached
  • Processors must assist you in responding (Article 28 of the UK GDPR) and your contract should set a turnaround time; agree a date that leaves you time to review and redact before your own deadline, because their delay does not extend it
  • Keep records of any notifications sent to third parties and the response received
  • When you have received the data from all third parties, you can check this off your list and move on to the next step, When to Notify Third Parties.

When to Notify Third Parties

  • Identify if any third parties need to be notified when handling DSARs
  • Determine whether the third party is a data processor or joint controller, as this will affect the process and the timeline for notification
  • Assess the potential impact of the DSAR on the third-party and consider whether additional information is needed
  • Provide the third party with the necessary notice in a timely manner
  • Keep a log of all notifications sent
  • Once you have notified the third parties, you can check this off your list and move on to the next step of tracking notifications.

Tracking Notifications

  • Create a log of all DSARs received, including the date received, the data subject’s name and contact information, the scope of the request, and the response plan.
  • Track the progress of each request and the action taken by your organization.
  • Keep copies of any documents or evidence you send in response to the DSAR.
  • Record the date the DSAR was completed, and the date the data subject was notified.
  • Monitor the response times for DSARs and identify any areas of improvement.

When you can check this off your list and move on to the next step:

  • Once you have created a log, are tracking the progress of each request and have recorded the date the DSAR was completed and the date the data subject was notified, you can move on to the next step.

Dealing With Challenges That Arise During a DSAR

  • Familiarize yourself with the UK data privacy laws and the rights of data subjects to make DSARs
  • Develop a DSAR procedure that employees can use to ensure that any DSARs received are handled quickly and efficiently
  • Train data controllers and other relevant personnel on how to effectively respond to DSARs
  • Make sure that necessary data is easily accessible to fulfill DSAR requests
  • If a DSAR is complex, identify which teams or system owners hold the relevant data and assign them the search
  • If a DSAR is overly broad, ask the data subject whether they are willing to narrow it, but do not refuse it simply because it is broad
  • If a DSAR is unclear or incomplete, contact the data subject for clarification; the response clock is paused until they reply
  • If a DSAR is manifestly unfounded or excessive, you may refuse it or charge a reasonable fee, but you must be able to justify that decision, tell the data subject why and inform them of their right to complain to the ICO; consider seeking legal advice before refusing

You’ll know when you can check this off your list and move on to the next step when you have trained relevant personnel on how to effectively respond to DSARs, identified which teams or system owners are responsible for handling complex requests, and made sure that necessary data is easily accessible to fulfil DSAR requests.

Identifying Complex Requests

  • Consider the amount of time needed to respond to the DSAR request and identify any complex requests that require additional time
  • Assess the complexity of the request and determine the information needed to be collected and reviewed
  • Identify any third parties who need to be consulted and any additional measures that need to be taken
  • Make sure the data subject is aware of the complexity of their request and the additional time it may take to respond
  • Document the steps being taken and the additional time needed to respond
  • When the complexity of the request has been identified and documented, you can move on to the next step of handling unclear requests.

Handling Unclear Requests

  • Review the request to determine whether it is unclear, for example because it does not say which data, systems or time period it covers.
  • Contact the data subject promptly to clarify the request; the one-month response clock is paused from the day you ask until the day they reply, and you should tell them this.
  • Ask the data subject whether they are willing to narrow the scope of the request, making clear that they are entitled to all of their personal data if they prefer.
  • If the data subject does not reply within a reasonable time, record the attempts you made and consider consulting a legal advisor on whether the request can be closed or must be answered as originally made.
  • Once the request is clear, you can move on to the next step.

Providing Information Accurately and in an Appropriate Format

  • Ensure that all information you provide is accurate and up-to-date.
  • Provide the data subject with all the information they have requested.
  • Ensure that the information you provide is provided in an appropriate format.
  • Provide the data subject with a copy of the information they have requested in a readable format.
  • Check that the information you have provided is easily understandable and accessible.
  • Ensure that any automated decision-making information is provided in a readable format.

When this step is completed, you can be sure that you have provided all the information requested in an accurate and appropriate format.

Format of the Response

  • Provide the requested data in a format that is easily accessible and understandable to the data subject, such as a PDF or CSV file.
  • Explain any technical terminology used in the document so that it is easily understood by the data subject.
  • If the request was made electronically, provide the copy in a commonly used electronic format (such as PDF or CSV) unless the data subject asks for something else; you do not have to reproduce the original document layout, but the content must be complete.
  • If the data subject has requested an explanation of the data, provide an explanation that is clear and concise.
  • Ensure the response is easy to read and navigate, such as providing an index or table of contents.

How you’ll know when you can check this off your list and move on to the next step:

  • You will know you can move on to the next step when you have provided the data subject with a response that is in a format that is easily accessible and understandable, and that any technical terminology used is explained.

Ensuring the Data is Accurate

  • Check that the data you are providing is accurate and up-to-date
  • Ensure that any data that is being withheld is properly marked and justified
  • Check that any data that is being provided is accurate and up-to-date
  • Check that the data is being provided in the correct format
  • Ensure that all the requested data is provided in a timely fashion

Once you have checked that the data is accurate and up-to-date, as well as any data being withheld is properly marked and justified, you can move on to the next step.

How to Handle Complaints and Appeals

  • Establish the complaint process, including who is responsible for responding and handling appeals
  • Record the details of the complaint or appeal, including all relevant information
  • Assess the complaint or appeal and determine whether data subject access rights have been breached
  • Draft a response to the complaint or appeal, taking into account the applicable data protection laws
  • Review the response to ensure accuracy, consistency and compliance with the applicable data protection laws
  • Communicate the response to the data subject, ensuring that it is clear, concise and easy to understand
  • Monitor the complaint or appeal to ensure that it is adequately resolved

You’ll know when you can check this step off your list and move on to the next when you have responded to the complaint or appeal, recorded the outcome, and told the data subject of their right to complain to the ICO if they remain dissatisfied.

Responding to Complaints

  • Contact the individual who made the complaint to acknowledge their complaint and discuss their concerns
  • Establish a timeline for responding to the complaint
  • Gather any relevant documents or evidence that could be used to respond to the complaint
  • Investigate the complaint and assess any potential breach of data protection rights
  • Decide if any action needs to be taken to remediate the complaint
  • Respond to the complaint in writing, outlining any action taken and the outcome of the investigation
  • Keep a record of the complaint and the response
  • Check off this step when you have responded to the complaint and all necessary action has been taken.

Making Appeals

  • Determine who should handle appeals: Depending on the size of your organization, it may be useful to assign an individual or team to handle appeals.
  • Understand the appeals process: Familiarize yourself with the appeals process, including the timeline for responding to appeals and the criteria for overturning a decision.
  • Document appeals: Create a system to properly document appeals and their outcomes, to ensure the appeals process is transparent and accountable.
  • Respond to appeals quickly: Respond to appeals within the required timeline, and address each appeal on its own merits.
  • Make an informed decision: Ensure you have all the necessary information to make an informed decision on the appeal before deciding the outcome.
  • Notify the data subject: Once you have reached a decision on the appeal, notify the data subject of your decision.

You’ll know you can check this off your list and move on to the next step when you have responded to all appeals and notified the data subject of the outcome.

Ensuring Compliance With Data Protection Regulations

  • Understand the Data Protection Regulations and how they apply to the data subject access request
  • Make sure all personal data is compliant with the regulations and GDPR
  • Ensure all data processes are documented and fully transparent
  • Monitor any changes to the data protection regulations and update processes accordingly
  • Review the request for access and any additional information needed to comply with the regulations
  • Respond to the request in a timely manner with the required information

Once you have reviewed the request, have ensured all personal data is compliant with the regulations and GDPR, and have responded with the required information, you can check this step off your list and move on to the next step.

Compliance Standards

  • Become familiar with the current UK data protection legislation.
  • Understand the rights of the data subjects under the current legislation.
  • Put in place the necessary policies and procedures to ensure compliance with the regulations.
  • Ensure that all staff members understand and adhere to the policies and procedures.
  • Develop processes to ensure that data subjects are informed of their rights.
  • Monitor, review, and update the policies and procedures regularly.

You’ll know that you can check this off your list and move on to the next step when you have famili

Written by

Alex Denne
Head of Growth
