What to do when you receive a DSAR

If receiving a Data Subject Access Request (DSAR) is not a common occurrence for you, then the best initial piece of advice is to take some preliminary steps to set yourself up for success.

Work out the response date

Under the GDPR you have one calendar month to respond to a DSAR. The time frame starts on the day you receive the DSAR (so it is important to establish this if the request did not come to you directly) and ends on the same day in the next month. So, for example, if you receive the DSAR on 15 April, the last day to respond will be 15 May. If the end date is a weekend or Bank Holiday, the deadline is extended to the next working day after this. Things are a bit different if you receive a request on a date which has no equivalent in the following month, e.g. 30 January. In this case, the last date for responding will be the last day of the following month: 28 or 29 February as the case may be, assuming these are working days.

When you have worked out the timeline, make sure you diarise it straight away and set reminders in the run-up. We strongly recommend ensuring that at least two people diarise the response date in case of illness or unexpected absence. This is also a good time to start an entry in your DSAR log, so that you can track progress and cross-refer to decision-making documents to make sure anyone can see what the status of the DSAR is.

If you are dealing with a complex DSAR or you have received multiple data subject rights requests from the same individual, you may be able to extend the time frame for responding by a maximum of two further calendar months. If this is applicable, you must tell the data subject in good time before the expiry of the original one calendar month timeframe and explain why you have made this decision.

Communication, communication, communication

A common reason for complaints relating to DSARs is that the data subject doesn’t know what is happening with their request. You must make sure that you avoid this pitfall by acknowledging the DSAR promptly when it is received and letting the data subject know that you will be in touch about it within the specified time frame. If the time frame changes because of a request for clarification or ID, or because of the complexity of the DSAR, you need to let the data subject know about this promptly.

Do you know who the requestor is?

It may be obvious that the requestor is who they say they are, e.g. an employee emailing from their work email address, but in some situations you may consider that you need to verify the identity of the requestor. The important thing to remember is to take a proportionate approach to this. You should only do what you need to check identity. You won’t need to ask for identity documentation in every case; it might be possible to identify the individual by confirming information that you hold on them. For example, if a customer emails you from a new email address with a query about an order, you might be able to ask them to confirm the order number and their postal address details to see if they match what you hold on file. If the data you will be sharing is sensitive, you will need to take a more cautious approach, as the consequences of sending this information to the wrong person are more significant.

If you do need to check identity, this will “stop the clock” for responding to the DSAR until the information is received (although remember you must ask for the information promptly). Remember to adjust any diary entries accordingly and keep the data subject informed.

Is the request clear or do you need to ask the data subject for more information?

If an individual contacts the customer service department of a large retailer asking for “my information” in a situation where they have been employed by the company as well as being a customer over a period of years, it might be reasonable to clarify whether the individual is looking for information in their capacity as customer or employee or both. If a request is unclear, you can ask the data subject for clarification and the time limit for responding to the DSAR will be paused whilst the clarification is being provided.

Remember, you should not do anything to try to encourage the data subject to narrow their request. This is simply a means of clarifying any ambiguity. Don’t forget to keep the data subject informed about any change to the timeframe.

Dealing with bulk requests

If you receive a number of requests with similar deadlines, you will need to plan accordingly. There is no automatic right to extend deadlines just because you have to deal with multiple claims at the same time. You may need to ask for reinforcements at this stage to manage the process, whether that be internal resource or some external help.
