The General Data Protection Regulation (GDPR) transformed the way organisations handle the personal information of individuals, introducing a new set of rights for citizens of the EU. While the UK has now left the EU, the GDPR has been retained in domestic law, although the UK now has the independence to keep the framework under review.
At present, one of the key rights included in the GDPR is the right to access – a right that entitles individuals to know what information an organisation has on them and how they are using this information. This is what’s known as a Data Subject Access Request, the purpose of which is to ensure transparency and give individuals more control over how companies use their data.
In the following article, we answer the most frequently asked questions on Data Subject Access Requests to help you maintain compliance with data protection regulations and retain trust with your community.
What is a Data Subject Access Request?
A Data Subject Access Request (DSAR) is a request made by an individual, as per the subject rights of the GDPR, for a copy of any relevant information an organisation holds about them – their name, address, job title, location, or more granular data such as their earnings, their education, homeownership and relationship status.
Recital 63 of the GDPR states:
“A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”
So, in other words, when an individual submits a Data Subject Access Request, organisations have a legal duty to provide them with a report that details the information they have stored on the individual. The individual in question could be an employee, a customer or a prospect being targeted for marketing communications.
DSARs aren’t an entirely new concept and have been used in business and by governments for years before the enforcement of the GDPR. However, the introduction of this regulation brought with it key changes that would allow individuals to make DSARs more easily.
How long does a company have to comply with a data subject access request?
When an individual makes a Data Subject Access Request, your organisation should respond within one month of receiving the request. Inevitably, there will be certain circumstances whereby more time is needed – for example, if the request is particularly complex, or the individual has made a number of requests.
If this is the case, an extra two months is allowed, and you should calculate this extension as exactly three months from the original start date – i.e., the date you received the request.
But what counts as complex? According to the ICO, a complex request could include any of the following:
- Data that is technically difficult to retrieve (e.g., if it is electronically archived)
- Data that can only be extracted by searching through volumes of unstructured manual records (this is only applicable to public authorities)
- Clarifying potential issues around disclosing information about a child to a legal guardian
- Subject access requests that require specialist work for the data to be obtained or communicated in an intelligible form
- Clarifying potential issues around the disclosure of sensitive medical information to an authorised third party
- Circumstances that would require specialist legal advice to be obtained for data to be provided. If you regularly seek legal advice on similar matters, this is unlikely to qualify as a complex request.
- Applying an exemption that involves large volumes of particularly sensitive information.
What can be requested in a subject access request?
Under Article 15 of the GDPR, individuals have the right to request a copy of any personal data that is being “processed” by “controllers” and any other relevant information. In simple terms, you can expect a subject access request to ask:
- what personally identifiable information your organisation holds on an individual;
- how you are using it (e.g., for marketing communications);
- your lawful basis for processing their data (e.g., the consent obtained to process it);
- the period for which you’ll store their data (or the criteria you’ll use to determine that period);
- who you are sharing their data with; and
- where your organisation acquired the data (e.g., via social media, sign-up forms or third parties).
They might make this request via email, on social media or verbally. Their request is valid if it is clear that they are asking for information on their own personal data. They need not use a specific form or write the request in a particular way.
What’s included in a DSAR response?
If you receive a subject access request, the GDPR states that you should respond in writing (even if the request was made verbally), tell the requester whether you hold any information on them and make that information readily available to them, unless an exemption applies.
Essentially, your response should provide whatever information the subject has requested. In some cases, they will seek to know all of the aforementioned details, while in others, they may only request to know a specific element such as evidence for how you obtained their consent. Individuals do not need a reason to submit a DSAR and can ask to see their data at any time.
If their identity is unclear, you are entitled to ask the subject any questions that will verify their identity and help you locate the information they requested.
Can you refuse to respond to a DSAR?
In most circumstances, responding to a DSAR is critical to ensure compliance with the GDPR. However, in some circumstances, the DPA 2018 provides an exemption from particular UK GDPR provisions, including DSARs. Not all exemptions apply in the same way, so it’s worth looking at each exemption individually to determine how it applies to a particular request.
You can also refuse to respond to a DSAR if it is:
- manifestly unfounded; or
- manifestly excessive.
A request is manifestly unfounded if the individual has no intention to exercise their right of access. In practice, you might receive a request from an individual who proposes to withdraw the request in return for some form of benefit from your organisation. A request is also manifestly unfounded if it was made with the intent to harass the organisation, and the individual clearly has no purpose for their request other than disruption to the organisation.
A request is manifestly excessive if you determine that it is clearly unreasonable. The guidance provided by the ICO states that you should base your decision on whether the request is proportionate when balanced with the burden or costs involved in handling the request. You’ll need to take into account the nature of the request, the context under which it was made and the relationship between you and the individual. You should also take into account the resources you have available to respond to their request and whether refusal to respond to the request may cause damage to the individual.
It’s worth keeping in mind that a request is not excessive just because a large amount of information is requested. Similarly, a request is not unfounded because the individual uses aggressive language.
Please note that these guides are for informational purposes only, and do not constitute legal advice. You can contact one of our expert lawyers using the form below.