By
Alex Franch
March 20, 2023
A data subject has gotten in touch and requested access to their data, either through your DSAR form on your Privacy Portal or any other channel.
What steps do you need to follow now?
It is recommended that you maintain a record of all requests received, the date of receipt and the employees responsible for the tasks associated with completing the request.
A DSAR log does not have to be overly complicated; a spreadsheet will suffice. What matters is that everyone knows where the log is stored, who DSARs should be sent to, and who is responsible for collating, redacting and responding.
Step 1 is to reply to the email to acknowledge that we’ve received the request.
Hi Carey,
Thank you for your request - this message is just to confirm that we have properly received your request. We have identified this request as a Data Subject Access Request and it is our obligation under the GDPR and the Data Protection Act 2018 to comply with it.
In the interest of transparency, we'd like to inform you how we handle these requests so that you know which stage we're at.
1. Verify your identity - we need to make sure that you are the person whose data you are requesting
2. Understanding the scope of your request
3. Gathering the personal data
4. Disclose that data to you (where we can do so lawfully)
5. Answer any other concerns you may have
We aim to resolve these requests within 28 days from when we verify your identity.
Note: If you did not create this request - please let us know.
Hi, We are processing your Data Subject Access Request - we're currently in Step 1.
For this step we need to verify your identity:
- We need to ask if you could please {appropriate way of identifying person}
Apologies if the steps above are inconvenient, but we're committed to protecting the data of the individuals who trust us with it. Before we give out information we must ensure that we are giving it to the right person. It is another step to protect data.
Example wording to verify the identity of a person (swap for "{appropriate way of identifying person}" above):
For a person who registered a meeting with you:
- Reply to this email confirming that you acknowledge that you created a request on the "Date" at "Time"
- Indicate your name and surname and the email address with which you want to proceed with the request
- You mentioned that you registered a meeting with us - as a further means to verify the request, could you please give me details of the date, time and the method by which you booked that meeting?
For a person who received an email from you:
- Reply to this email confirming that you acknowledge that you created a request on the "Date" at "Time"
- Indicate your name and surname and the email address with which you want to proceed with the request
- You mentioned that you received an email from us - as a further means to verify the request, could you please forward us the email that you are referring to?
Once you know the person is indeed who they say they are, the next step is to understand who the individual is in relation to your company and what data they are looking for.
You are not allowed to ask them to narrow the scope of their request, as any individual is allowed to ask for “all of their data”, but it is ok to ask them to provide additional details that will help you to locate the data they are seeking.
E.g. dates when they might have engaged with your business, names of the staff they have engaged with, if they have been to any of your events, liked any of your posts, replied to any of your previous emails.
These questions don’t prolong the 28 day deadline to reply to the request, so if they don’t answer or you are running out of time you will have to comply with the request by making reasonable searches for the information covered by the request.
To help you with this process it might be useful to think:
Once you have identified what type of individual they are you can go through your data inventory in your Privasee platform to identify the assets or third parties where you might be storing their data and what it’s used for.
The final step is to go through the assets where you have identified you hold data and collect the information you hold about them.
E.g. you might have their email address, name and a list of events they have attended in your CRM. If they are one of your customers you might have some payment information in your accounting software…
Depending on their request they might be asking for confirmation/explanation of the types of data you hold about them, how you collected that information and what it’s used for; or they might be asking for an actual copy of their information.
💡 When providing a copy of their information, especially in free-text formats like emails or documents, it is important to redact any information that could identify another individual, so that you do not disclose someone else's personal data.
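As an added illustration of that redaction step (example code written for this article, not Privasee's tooling), the following Python masks other people's email addresses, phone numbers and names in a constructed email thread before a copy is disclosed, while keeping the data subject's own identifiers. The sample message, the names and addresses in it, and the UK-style phone pattern are all assumptions made for the example.

```python
import re

# Constructed sample: an email thread to be disclosed to the data subject
# (carey@example.com). Every other identifier in it is made up for this example.
SUBJECT_EMAIL = "carey@example.com"
SAMPLE_EMAIL = """From: sam.hill@example.com
To: carey@example.com
Cc: priya.nair@example.com
Hi Carey, Sam Hill here. Priya Nair (07700 900123) will join the call.
Regards, Sam Hill"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Assumed pattern: 11-digit UK number, optional space after the area code.
UK_PHONE_RE = re.compile(r"\b0\d{4}\s?\d{6}\b")


def redact_for_subject(text, subject_email, subject_names=(), third_party_names=()):
    """Return a copy of text with third-party identifiers masked.

    The data subject's own email and names are kept: they are the personal data
    being disclosed. Any other email address, any phone number, and any name on
    the reviewer-supplied third_party_names list is replaced with a marker.
    """
    keep = {subject_email.lower()}

    def mask_email(match):
        addr = match.group(0)
        return addr if addr.lower() in keep else "[REDACTED EMAIL]"

    out = EMAIL_RE.sub(mask_email, text)
    out = UK_PHONE_RE.sub("[REDACTED PHONE]", out)
    # Longest names first so "Sam Hill" is masked before a bare "Sam" could be.
    for name in sorted(third_party_names, key=len, reverse=True):
        if name in subject_names:
            continue  # never redact the data subject's own name
        pattern = r"\b" + re.escape(name) + r"\b"
        out = re.sub(pattern, "[REDACTED NAME]", out, flags=re.IGNORECASE)
    return out


def redaction_summary(redacted):
    """Count each marker so the DSAR log can record what was withheld and why."""
    markers = ("[REDACTED EMAIL]", "[REDACTED PHONE]", "[REDACTED NAME]")
    return {m: redacted.count(m) for m in markers}


def redact_sample():
    """Run the redaction over the constructed thread for Carey."""
    return redact_for_subject(SAMPLE_EMAIL, SUBJECT_EMAIL,
                              subject_names=("Carey",),
                              third_party_names=("Sam Hill", "Priya Nair"))
```

Pattern matching like this is a first pass only: names not on the list, nicknames and indirect references ("my manager") will slip through, so the redacted copy still needs a human review before it goes out.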
It is good practice to include a covering letter or accompanying explanatory material as part of your DSAR response. It must not be forgotten that the right of access does not just cover the provision of information, it also contains confirmation of the details and nature of processing, which can be included in your covering letter.
It’s not possible to provide a template to cover all circumstances but here is an indicator of what your covering template should look like:
Dear
We are processing your Data Subject Access Request - we're currently in Step 5. Your request has been considered in line with the Data Protection Act 2018 and the General Data Protection Regulation, and the personal data you are entitled to has been included with this letter. In addition to the provision of your personal data, I can confirm that [Company] processes your personal data; more details about the purposes and scope of this processing can be found in our Privacy Notice [PROVIDE LINK OR COPY OF PRIVACY NOTICE].
Information relating to 3rd parties: Under the right of access, data subjects are only entitled to their own personal data and not necessarily to that relating to any 3rd parties.
As part of providing this information we have had to consider your right of access and balance it against the rights of other individuals, such as their own data protection or privacy rights.
Information provided in confidence: There will often be occasions where information is provided in confidence to the company, and releasing it would undermine that duty of confidence, potentially resulting in legal consequences for the company. Furthermore, it is important that such confidences are respected and that individuals can share matters with the company in confidence without fear that their confidence will be breached. Please rest assured that what we can share in respect of these instances will have been shared or anonymised appropriately.
I hope that you find the enclosed information useful. [COMPANY] now considers your request fulfilled and the matter closed. Should you feel this is not the case, in the first instance please let me know. If you remain dissatisfied following this, please note that you have the right to raise the issue with the Information Commissioner's Office (ICO), who can be contacted by the following methods - <https://ico.org.uk/global/contact-us/>. You may also wish to seek to enforce your rights through the Courts. If your concerns relate to procedural matters rather than the provision of information, may I politely suggest that such matters are taken up with the relevant departments or via our complaints process.
Along with the covering letter you can attach a file with all the personal data about the individual. This can be an Excel file or similar, a JSON file, or a PDF containing documents, emails or other files, redacted where necessary.
Ensure your policies are always up to date with Privasee, an AI-powered GDPR compliance solution that does it all.