Data Access Requests

Start Your Business
SME Update Technology

Demystifying Data Subject Access Requests

One year on from the introduction of the General Data Protection Regulation (GDPR), it is becoming clear that when it comes to Data Subject Access Requests (DSAR), organisations are confused about how to balance the rights of an individual with the needs of an organisation. John Potts (Head of DPO DSAR and Breach Support), GRCI Law, outlines the essential processes that companies must put in place to avoid falling foul of a DSAR breach.

GDPR Misunderstanding

While subject access requests were in place under the Data Protection Act 1998 (DPA), growing personal data awareness has resulted in a significant spike in DSAR activity – and there is a degree of resentment regarding the way individuals are now using these new data rights. However, whether a business feels the DSAR is justified is in the main irrelevant: it is the law. Companies have a legal requirement to comply with a DSAR within one month – or face the wrath of the Information Commissioner’s Office (ICO), and a potential enforcement action which could mean a fine and will always impact on the reputation of the organisation.

This deadline applies for any DSAR, whether it is created internally or externally. Indeed, a significant proportion of the rise in DSARs is in support of employee grievance and tribunals. Many employment lawyers will now typically file a DSAR for the relevant period(s), as part of any case – whether it is an employee fighting dismissal or filing a complaint against a colleague. Companies, therefore, need to recognise that in such cases these individuals know exactly what information the DSAR should include, whether that is an email trail or meeting notes. Don’t fall into the trap of overlooking the DSAR simply because a tribunal is underway: the right process must be in place to respond to every DSAR irrespective of who makes the request or why.

As such, it is essential to put in place a process for immediately recognising a DSAR. Individuals can make requests via any medium, from Twitter to email and letter. Fail to respond within the deadline, for whatever reason, and the individual can raise a complaint with the ICO, which will then investigate. In addition to ensuring DSARs are not overlooked for any reason, a company also needs a smooth escalation process and at least one individual trained to respond to the DSAR.

Exemptions and Third Party Data

While the majority of DSARs are simple, organisations will face some that raise questions. The way third party data is handled, for example, can be a minefield. Many companies believe it is simply a case of going through all the relevant data and redacting any names other than that of the individual that has made the request. That is not the case.

For example, if ten people were in a meeting and one of those makes a DSAR, there is no point redacting the names of those other nine individuals – everyone knows they were in the meeting. However, this approach cannot be applied to CCTV records, for example. An individual may accept the existence of CCTV in a nightclub, but that does not provide implicit agreement that their presence can be shared in a response to someone’s DSAR. Or take a police custody suite: even if faces are redacted, background conversations could infringe individual rights. When it comes to third party data, DSARs will have to be considered on a case by case basis; there is no blanket response.

Furthermore, there are a number of exemptions that can be applied to a DSAR, including Legal Professional Privilege (LPP) for information exchanged between an individual and legal representative, as well as information relating to company finances or national security. The ICO will look at each exemption on a case by case basis and it is therefore essential to ensure each DSAR is annotated with the relevant exemption.

Conclusion

Failure to respond quickly to a DSAR is not going to automatically incur the huge fines associated with data theft. However, it is still a breach of GDPR and the ICO is not going to go easy on organisations that fail to put in place the right processes. DSARs are becoming a fact of life for every organisation; individuals know their rights and, as the rise in DSARs inspired by employee grievances reveals, they are actively looking to use the new legislation to support their cause.

For any organisation, process is key: monitor all incoming communication channels for DSARs and escalate quickly, as the clock starts when the company receives the request. Put in place good professional support for any complex cases that may require exemption or redaction. And, critically, think hard about data retention strategies. The whole aim of GDPR is to make companies consider their data resources and move away from storing data for the sake of it. Only retain data that is relevant and that you have a lawful reason for processing, and put in place a retention policy with strong methods for recording, extracting and redacting if needed.

Start Your Business August 20, 2019