By Judith Andrews Advisory | Data Friday, February 07, 2025

What businesses need to know about Data Subject Access Requests

If you hold people’s personal information, they have the right to see what information you have, and you should be able to respond and know how to do so.


It could be a client, contractor, employee or supplier (known as the ‘data subject’) and they can ask for a copy of their information by making a ‘Data Subject Access Request’ (DSAR). The information you hold could cover multiple formats such as emails, digital files, messages, printed documents, and even CCTV recordings. Responding appropriately is a legal requirement and must be done within one calendar month, which in practice could mean as little as 20 working days.

A DSAR can create a lot of work, especially if you’re unprepared. It’s usually used to check what information is held, how long it’s been kept, why you have it, whether it’s been shared with a third party, where it came from and who can access it. There is no formal process for making such a request; a simple verbal request from a data subject is sufficient to trigger a DSAR.

Despite the effort involved, the law states that in most cases businesses cannot charge for gathering and supplying this information. It must also be provided in a clear, concise and secure format.

I recently helped a construction business respond to a DSAR from a dissatisfied client disputing an invoice. The request was potentially being used to delay the outcome and payment, but the company was still legally obliged to respond.

Here’s what you need in place to pre-empt such a request; well-organised records and documents are vital to make this job easier.

  • Keep detailed records of where all personal information is stored, such as Microsoft 365, Google Workspace (G Suite) or Dropbox. A clear filing system is invaluable for grouping personal data together and retrieving it easily.

  • Be able to say how and where information is being shared, and with whom; remember, personal information should only be shared with people in your organisation who need access to it.

  • Have a clear retention policy stating how long you keep personal information. Data should be kept no longer than necessary and then securely deleted.

  • Ensure you have client contracts that also cover data protection so that clients clearly understand what they can expect from you when it comes to handling their data.

  • Make sure personal information is not being shared across messaging apps (WhatsApp, Facebook Messenger, etc.) as these are easily intercepted.

Handling data collection, storage and use confidently will support your business growth and ensure that any DSARs are easier to respond to. If you are unsure what systems you need to put in place, seek guidance from a trusted professional.


Judith Andrews: helping SMEs with data protection and GDPR compliance, giving you peace of mind whilst maximising your data for business growth. Opinions expressed by She Makes Her contributors are their own.
