DSARs for Luddites
Contents
- Changing attitudes in a data-driven world
- What is a DSAR?
- What types of data can be included in a Data Subject Access Request?
- An example scenario
- Why DSARs are on the rise
- How DSARs work: The process explained
- The biggest challenges employers face with DSARs
- FAQs
Changing attitudes in a data-driven world
Our previous Luddite’s guide looked at the age-old disconnect between legal professionals and leading-edge technologies. Following the positive reception we received, we thought it made sense to establish the Luddite’s guide as an ongoing series.
Law is an intense, mentally demanding and time-consuming profession. Staying on top of the countless changes that shape and impact the legal landscape is no mean feat, even for the most conscientious lawyers.
For this second edition of the Luddite’s guide, we’re moving our focus from technology to an equally complex subject — data. Or, more specifically, Data Subject Access Requests, more commonly known as DSARs. We've created this guide so you can arm yourself with the knowledge you need to handle DSAR situations effectively.
The growing difficulty of DSARs
Due to a combination of factors — data volumes surging with each caseload, increasing public concern around how personal data is used and the scope of data formats continually being transformed and reinvented — DSARs are becoming more challenging to manage.
They’re also becoming more frequent and, as a result, a far more common topic of conversation among clients and counsel alike. HR departments, legal teams and businesses in general now talk about DSARs with a distinct note of concern.
Many organisations have found that handling DSARs disrupts their internal operations, hurting output, efficiency and costs, because they lack the right systems, workflows and processes.
Others have faced enforcement action from the ICO (the Information Commissioner’s Office) for non-compliance, and anyone who alters or destroys records to avoid disclosing them risks committing a criminal offence.
If today’s legal professionals want to protect themselves from the potentially devastating impact DSARs can have if not conducted optimally, they must get to know them inside out. Read on to understand the key information you need to know about DSARs.
What is a DSAR?
In short, a DSAR is a process undertaken by an individual (or the ‘data subject’) when requesting that an organisation (or ‘the controller’) provide a copy of all the personal data they hold on that individual.
Let’s say an online shopper wants to see just how much Amazon knows about them or the detail with which they can track their online activity. They could email someone at Amazon requesting they disclose all of the Amazon customer data attached to the online shopper’s name.
But, while customers can make DSARs, most of them (and the vast majority of cases we deal with at Altlaw) are made by employees requesting all of the information their employer holds on them.
Why might an employee make a DSAR?
Usually, an employee would submit a DSAR if they were considering taking legal action against their employer or to support them in the event of an ongoing grievance or disciplinary process.
For example, an employee may have reason to believe that inappropriate, defamatory, or otherwise harmful comments have been made about them by staff members. They may even think they have grounds for litigation and intend to take action against their employer but wish to gather supporting information and build a case first.
In this case, a DSAR may enable them to obtain and collate significant evidence around a particular issue before making plans to proceed with any legal action.
DSARs in numbers
A 2020 Netwrix report found that:
- 21% of CISOs (Chief Information Security Officers) responsible for GDPR compliance said their organisations didn’t see a rise in DSARs during the last 12 months
- 80% of organisations need hours to deal with a DSAR, with 11% needing days
- 33% of government and 29% of financial organisations noticed an increase in DSAR requests during the previous year
- 66% of EMEA (Europe, the Middle East and Africa) organisations believe DSARs put additional pressure on IT teams, with 72% of UK respondents agreeing with this statement
- 44% of German organisations reported an increase of up to 24% in costs associated with DSARs
What types of data can be included in a Data Subject Access Request?
The rules on what data can be requested and what a proper response looks like are set out in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018.
Data included in a DSAR tends to fall into one of two categories:
- Correspondence
Correspondence includes emails addressed to or from an individual or containing the individual’s name.
- Personal information
You can find personal information on a personnel file — addresses, bank details, next of kin, etc.
It’s important to note that, in the event of a DSAR, any physical copies of this information must be located, collated and sent across.
As well as going through your systems with a fine tooth comb, you may also need to rummage through those filing cabinets.
What’s my responsibility as an employer?
As long as the request itself isn’t ‘manifestly excessive’ (more on what that means in the FAQs section), committing to a proper and thorough process is the main thing to consider.
As data protection laws don’t set many absolute rules, your processes can be flexible and take a more risk-based approach. As long as you’re meeting the main legal requirement, there are virtually no barriers to doing new things that best suit your situation.
It’s your legal obligation to obtain, collate and send all the information needed to fulfil the request. You must do so without undue delay and, under Article 12(3) of the UK GDPR, within one calendar month of receiving the request; the ICO’s 2019 guidance update clarified that the month is counted from the day the request is received.
The information a data subject can request and the information a controller must supply are set out in Article 15 of the UK GDPR (the right of access), which replaced Section 7 of the Data Protection Act 1998.
When responding to a DSAR, the controller must also provide the requester with the following information:
- The purposes for processing or holding the data
- Who the personal data has been disclosed to (or who it’ll be disclosed to in the future)
- The length of time the data will be held (or the criteria for determining how long it’ll be held)
- The data’s source (unless it has been collected directly from the data subject)
- Clarification of how the data has been or will be processed and the reason for this
If the data subject is subject to automated decision-making (including profiling), you must also explain the logic involved and the significance and likely consequences of that processing for them. As well as supplying the information about the data itself, it’s the controller’s responsibility to remind the requester of their rights.
Be sure to inform the data subject of their right to object to the processing of their personal data, their right to request that the data be rectified or erased or that its processing be restricted, and their right to complain to the ICO.
The matter of redactions
To comply with a DSAR, you must locate and send all the personal data you hold on the data subject and explain the purposes of, and the means used for, processing it.
However, fulfilling a DSAR must not compromise the confidentiality of other people’s personal data. In plain terms, the material you disclose should reveal the data subject’s personal data, not other individuals’ personal data; information that identifies a third party can only be left in if that person consents or it is reasonable to disclose it without their consent.
To avoid this, the controller must redact third-party personal data from the material before sending it, so that other people’s information remains protected throughout the process.
An example scenario
Person A is an employee at Big Business Ltd. Person A believes they’ve been selected unfairly for redundancy. To clear the air and better understand the situation, Person A emails the HR department, requesting to see the internal correspondence that directly refers to them.
Many of the relevant emails were exchanged between two colleagues, Person B and Person C, and refer to Person A by name.
While Big Business Ltd. must comply with Person A’s DSAR, it risks breaching data protection law if the disclosure reveals personal data about Person B or Person C.
Person A is nonetheless entitled to see the contents of the emails between Person B and Person C, because those emails are about Person A.
Therefore, to comply with the DSAR while protecting Person B and Person C, their names and other identifying details are redacted from the documents sent to Person A.
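The scoping rule from the “Correspondence” section (addressed to or from the individual, or naming them) and the redaction step from the scenario above, worked through in code. This is an added example, not Altlaw’s tooling: the mailbox, the people and the address domain are constructed, and the function names and the numbered `[THIRD PARTY n]` placeholders are my own choices. Two details a practitioner cares about are handled deliberately: whole-token matching so that “Ben” does not hit “Benjamin”, and a guard that refuses to mechanically redact an alias the data subject shares with a third party (here the surname “Ahmed”), flagging it for manual review instead, since stripping it would also remove the requester’s own data.

```python
"""Added example (not Altlaw's code): scoping and third-party redaction for a
DSAR over a constructed sample mailbox. All names and addresses are invented."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    full_name: str
    email: str

    def names(self):
        """Ways this person is referred to in text: full name, first name, surname."""
        first, last = self.full_name.split(" ", 1)
        return [self.full_name, first, last]

    def aliases(self):
        """Everything that identifies this person, address included."""
        return [self.email] + self.names()


FIELDS = ("from", "to", "subject", "body")


def _pattern(terms):
    """Case-insensitive whole-token match. Longest alternative first, so
    'Ben Brooks' is consumed before 'Ben'; the look-arounds stop 'Ben' matching
    inside 'Benjamin' and 'Brooks' inside 'Brooksbank'."""
    if not terms:
        raise ValueError("nothing left to match; redact this person by hand")
    ordered = sorted(terms, key=len, reverse=True)
    alternation = "|".join(re.escape(t) for t in ordered)
    return re.compile(r"(?<!\w)(?:" + alternation + r")(?!\w)", re.IGNORECASE)


def in_scope(message, subject):
    """Scope rule from the guide: addressed to or from the data subject, or
    naming them in the subject line or body."""
    addressed = subject.email.lower() in (message["from"].lower(), message["to"].lower())
    named = _pattern(subject.names()).search(message["subject"] + " " + message["body"])
    return addressed or named is not None


def process_dsar(emails, subject, third_parties):
    """Select in-scope emails, replace each third party with a numbered
    placeholder and return an audit record of what changed and what needs a human."""
    subject_terms = {a.lower() for a in subject.aliases()}
    review = []      # aliases shared with the data subject (e.g. a common surname)
    patterns = []
    for i, person in enumerate(third_parties, 1):
        safe = [a for a in person.aliases() if a.lower() not in subject_terms]
        review.extend(a for a in person.aliases() if a.lower() in subject_terms)
        patterns.append((f"[THIRD PARTY {i}]", _pattern(safe)))

    result = {"in_scope": [], "excluded": [], "redacted": {}, "counts": {}, "review": review}
    for message in emails:
        if not in_scope(message, subject):
            result["excluded"].append(message["id"])
            continue
        out, counts = dict(message), {}
        for placeholder, pattern in patterns:
            total = 0
            for name in FIELDS:
                out[name], n = pattern.subn(placeholder, out[name])
                total += n
            counts[placeholder] = total          # audit trail: how much was redacted where
        result["in_scope"].append(message["id"])
        result["redacted"][message["id"]] = out
        result["counts"][message["id"]] = counts
    return result


# Constructed sample: Person A (the requester) and two colleagues at the
# hypothetical Big Business Ltd. Person C shares Person A's surname on purpose.
SUBJECT = Person("Alice Ahmed", "alice.ahmed@bigbusiness.example")
THIRD_PARTIES = [
    Person("Ben Brooks", "ben.brooks@bigbusiness.example"),
    Person("Carla Ahmed", "carla.ahmed@bigbusiness.example"),
]
EMAILS = [
    {"id": "m1", "from": "ben.brooks@bigbusiness.example", "to": "carla.ahmed@bigbusiness.example",
     "subject": "Redundancy shortlist", "body": "Carla, I've put Alice Ahmed on the list. Ben"},
    {"id": "m2", "from": "hr@bigbusiness.example", "to": "alice.ahmed@bigbusiness.example",
     "subject": "Your consultation meeting",
     "body": "Dear Alice, your consultation is on Monday with Ben Brooks and Carla Ahmed (HR)."},
    {"id": "m3", "from": "carla.ahmed@bigbusiness.example", "to": "ben.brooks@bigbusiness.example",
     "subject": "Car park", "body": "Ben, can you move your car? Carla"},
    {"id": "m4", "from": "ben.brooks@bigbusiness.example", "to": "carla.ahmed@bigbusiness.example",
     "subject": "Alice", "body": "Benjamin Brooksbank in Finance says the Ahmed role can go."},
]


def run_example():
    return process_dsar(EMAILS, SUBJECT, THIRD_PARTIES)


if __name__ == "__main__":
    report = run_example()
    print("in scope:", report["in_scope"], "excluded:", report["excluded"])
    print("needs manual review for:", report["review"])
    for message_id, counts in report["counts"].items():
        print(message_id, counts)
```

The counts dictionary is the part to keep: a redaction log per document is what lets you show, if the data subject complains to the ICO, exactly what was withheld and why. The `review` list is the opposite reminder: anything the script could not safely decide still has to be read by a person before the bundle goes out.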
Why DSARs are on the rise
Data management and privacy were the most significant concerns in 2020/21, according to the Data and Marketing Commission’s (DMC) annual report. The DMC reported that most complaints relate to data, privacy and quality (64%).
Increasing data awareness
Since the introduction of the GDPR in 2018, attitudes towards the privacy and protection of our personal information have changed.
After initially clicking ‘Yes’ to every consent box and third-party cookie notification put in front of them, millions worldwide are gradually becoming more aware of how their data can be used (or misused) by organisations.
The average person is more concerned than ever about personal data and how it’s accessed, stored and controlled. They see value in their data and, as such, are increasingly demanding greater autonomy and control over it.
Turbulent employment dynamics
National lockdown restrictions put countless employers under enormous strain, forcing many to make difficult decisions regarding the structure of their organisation and the fate of their workforce.
The UK labour market overview for January 2021 from the ONS showed that the rate of redundancies recorded since early 2020 exceeded that of the 2008 financial crisis.
And by April 2021, 11.5 million jobs had relied on the government’s furlough scheme. While furlough offered employees far more of a financial safety net than redundancy, it still had a widespread impact in the form of deteriorating mental health, loneliness, isolation and anxiety.
In many cases, these times of hardship have eroded the bond of trust between organisations and their employees. This fraying of employee-employer relations has naturally manifested in a higher frequency of grievances and disciplinary actions. We’ve also seen a spike in the number of DSARs submitted.
How DSARs work: The process explained
All employees are entitled to request information an organisation holds on them at any time.
There’s no need for prior warning, and a request doesn’t have to be formalised in writing. As previously mentioned, the organisation on the receiving end must locate and collate all the requested information within one calendar month.
Conditions like these can make DSARs incredibly disorienting and hard to manage — particularly for organisations with limited resources or no established protocol to deal with such matters.
If you get to know the standard processes involved, you can then implement a workflow around this to ensure you manage DSARs smoothly and seamlessly, to the same standard, every single time.
1. Acknowledge the request
The main thing to note here is that there’s no formal process for submitting a DSAR. A DSAR can be made via email, verbally or even in a message on a social media platform. A third party the data subject has authorised, such as a solicitor or a relative, can also make the request on their behalf.
A subject can make a DSAR to any staff member or department. Once it’s received, the clock starts ticking. Your team must know what constitutes a DSAR and which department can handle it. Coordination ensures an efficient and effective response, so the request is picked up and resolved.
2. ID the data subject
This step can be more complicated than you might expect. If the request is made by a representative on behalf of a data subject, you may need more information to verify their identity and fulfil their request.
But certain methods of ID verification, such as asking for a copy of a passport, birth certificate or another government-issued document, can be seen as ‘disproportionate’ under data protection law, and asking for more than you need can itself put you in breach of the requirement to be reasonable and proportionate.
So what is ‘proportionate’? Here’s what the ICO’s detailed Right of Access Guidance says on the matter…
“You can ask for enough information to judge whether the requester (or the person the request is made on behalf of) is the person the data is about. The key point is that you must be reasonable and proportionate about what you ask for.
“You should not request more information if the requester’s identity is obvious to you. You should also not request formal identification documents unless necessary. Think about other reasonable and proportionate ways to verify an individual’s identity. You may already have verification measures in place which you can use, for example, a username and password.
“However, you should not assume that on every occasion, the requester is who they say they are. In some cases, it is reasonable to ask the requester to verify their identity before sending them information.”
3. Determine scope and feasibility
Proportionality cuts both ways. The data subject’s request must be reasonable and not ‘manifestly excessive’, but the controller’s response must also be proportionate and appropriate.
Collating more information than necessary is a common mistake. The repercussions are twofold. Firstly, you waste more time and money than the request warrants. Secondly, you risk burying the data subject in irrelevant material, which makes it harder for them to find the personal data they are entitled to and harder for you to show that you have supplied it.
Clarifying the scope of a DSAR and ensuring it’s as focused as it can be will benefit all parties involved, so be sure to determine the nature of the request.
Is it simply an access request? Or are they invoking other rights, such as rectification or the right to be forgotten? Is the request specific to a certain category of data processing or limited to a particular period? Is the request valid? Can it be reasonably completed within the one month permitted?
Also, you should determine which format the requester would prefer the data to be in when you send it across. We’ll come back to this in Step 5. These are all matters you should be clear on before getting started.
4. Collect the data
Now the real work begins. While collecting the data, check whether the data needs amending and if you need to protect the personal information of any other data subjects.
And remember, multiple employees within an organisation may somehow hold or have access to data relating to the data subject and the scope of the request. You must ensure no stone is left unturned.
5. Package data
Ensure you present the data in an appropriate format. If the request was made electronically, the default is a commonly used electronic format such as PDF unless the data subject asks for something else. They may want .docx files instead, or even printed copies sent in the post.
Whatever the data subject’s preferences, make sure the format you send matches what they asked for.
Be sure to factor the time and resources required to do this into your processes. You don’t want to find out hours before the deadline that you failed to accommodate the time taken for printing or postage.
6. Inform the data subject of their rights
Before sending the information, ensure the data subject knows their rights. These include (but aren’t limited to) the right to object to the processing of their personal data, the right to request that the data be rectified or erased or that its processing be restricted, and the right to complain to the ICO.
The ICO website’s guide to individual rights has a more comprehensive list.
7. Send the data across
That’s it. You’ve done it. Now breathe.
The biggest challenges employers face with DSARs
You can summarise the challenges DSARs present in three short words: time, effort and money.
Currently, many organisations simply don’t know how to tackle DSARs optimally and opt for an approach far more costly than necessary; 2021 research revealed that DSARs cost individual UK businesses between £72,000 and £336,000 each year.
Much of this cost was because teams only had manual processes of gathering, collating and redacting information. There are two leading solutions organisations can apply to address these challenges.
Solution 1: Automation
The more streamlined, standardised and automated your process is for collating data, the better.
DSAR-specific software, or even generic eDiscovery tools, can integrate your data sources, index the information across your business and apply powerful search at scale, bringing dramatic savings in time, cost and resources.
With suitable systems and workflows in place, you can reduce the process of locating and accessing specific information from weeks to minutes. The same applies to other methods, such as redaction. These same technologies can also significantly improve the accuracy and precision of your DSAR response.
Solution 2: Outsourcing
However, the problem with Solution 1 is that most organisations simply don’t have access to the right software to streamline their DSAR processes. Investing in such software represents more of a long-term cost than it does a long-term benefit.
By outsourcing some or all of the work of handling a DSAR to a third-party specialist, you can gain access to leading-edge technologies and systems on a ‘pay for what you need’ basis.
Outsourcing lets you use these tools to make your response as effective and efficient as possible without the long-term cost of buying, implementing and running them yourself.
FAQs
Is it possible to ‘stop the clock’ on a DSAR? Or extend the deadline?
While it’s always crucial that you comply with the requirements of a request, the nature of a DSAR isn’t always crystal clear from the offset. Sometimes, you must clarify many factors before fulfilling the request.
There are a few circumstances in which a controller can ‘stop the clock’ on a DSAR, or extend the deadline beyond the permitted calendar month.
The first is identity. A controller can hold the clock until it has received proportionate identification from the data subject. What counts as proportionate varies greatly with the situation.
For example, a utility company’s customer asking for their own billing records needs far less verification than a request that would release someone’s healthcare records.
It may also be unclear from the initial request whether the data subject is making the request themselves or it comes from a representative.
A controller can respond by asking the data subject to confirm that they are happy for the information to be provided and for someone else to conduct the SAR (Subject Access Request) process on their behalf.
Until that clarification arrives, the clock is stopped. Similarly, if you process a large amount of information about the individual, you can ask them to specify what the request relates to, and the clock pauses until they reply.
The other route is an extension rather than a pause. If a request is complex, or the individual has made a number of requests, you can extend the time limit by up to two further months, but you must tell the requester within the original month and explain why. The ICO website sets out what makes a request ‘complex’; it mainly covers cases in which retrieving the data is technically difficult, large volumes of third-party or sensitive data need assessing, or specialist legal advice is needed. In every case, make any request for information or notice of an extension as soon as possible. We wouldn’t recommend waiting two weeks after the initial request to ask for further clarity.
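The deadline arithmetic behind the one-month limit in the process section and the extension discussed above, as an added example that is not part of Altlaw’s guide or the ICO’s material. It follows the ICO’s published rule of thumb (respond by the corresponding calendar date in the following month; if that month has no such date, by its last day; if the date falls on a weekend or public holiday, by the next working day) and the UK GDPR’s allowance of up to two further months for complex or numerous requests. The function names are my own and the bank-holiday set is a constructed sample, not a full calendar; the day the clock (re)starts after an identity or clarification pause is passed in as the start date rather than modelled.

```python
"""Added example (not Altlaw's or the ICO's code): DSAR response-deadline
arithmetic following the ICO's rule of thumb plus the UK GDPR extension."""
import calendar
from datetime import date, timedelta


def corresponding_date(start, months_ahead):
    """Same day of the month `months_ahead` months on, clamped to the month end
    when the target month is shorter (31 Jan -> 28/29 Feb)."""
    year, month0 = divmod(start.month - 1 + months_ahead, 12)
    year += start.year
    month = month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(d, public_holidays):
    """Roll forward over Saturdays, Sundays and any date in `public_holidays`."""
    while d.weekday() >= 5 or d in public_holidays:
        d += timedelta(days=1)
    return d


def dsar_deadline(received, public_holidays=frozenset(), extension_months=0):
    """Latest date to respond. `received` is the day the request (or, after a
    pause, the identity/clarification reply) arrived, which counts as day one."""
    if not 0 <= extension_months <= 2:
        raise ValueError("UK GDPR Art. 12(3) allows at most two further months")
    target = corresponding_date(received, 1 + extension_months)
    return next_working_day(target, public_holidays)


def extension_plan(received, public_holidays=frozenset()):
    """For a complex request: the date by which you must tell the requester
    you are extending, and the latest date the extended response is due."""
    return {
        "notify_by": dsar_deadline(received, public_holidays),
        "respond_by": dsar_deadline(received, public_holidays, extension_months=2),
    }


# Constructed sample of UK bank holidays: Good Friday and Easter Monday 2021.
SAMPLE_HOLIDAYS = frozenset({date(2021, 4, 2), date(2021, 4, 5)})


if __name__ == "__main__":
    for received in (date(2021, 1, 31), date(2021, 3, 2), date(2020, 1, 31)):
        print(received, "->", dsar_deadline(received, SAMPLE_HOLIDAYS))
    print(extension_plan(date(2021, 3, 15), SAMPLE_HOLIDAYS))
```

The case worth remembering is a request received on the 31st: the response is due by the end of February, and when that lands on a Sunday (as it did in 2021) the deadline becomes 1 March, not 3 March. Keep the holiday set current for each UK nation you operate in; the sample here covers two dates only.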
Can a DSAR ever be rejected?
ICO guidance states that a controller can refuse to fulfil a DSAR, wholly or partially, if it is ‘manifestly unfounded’ or ‘manifestly excessive’.
Streamlining the process and avoiding an excessive request is ultimately better for both the data subject and the controller as it leads to a more effective, efficient and precise process.
An overwhelming batch of documents is as unproductive for a data subject as it is for a controller exhaustively locating, collating and formatting every scrap of personal data about an employee with a 20-plus year tenure at one company.
Could a request be made more productive and helpful by focusing on a particular information format, a specific date range or a predetermined subject matter?
If so, a partial refusal of a DSAR, or an agreed narrowing of its scope, may be the best option for both parties. Here are a few circumstances in which you may lawfully refuse a DSAR entirely:
- If the request is manifestly excessive, meaning it is clearly or obviously unreasonable once the burden it imposes (including the resources you have available) is weighed against the data subject’s purpose
- If you can show the request is malicious, made to annoy or otherwise not submitted with genuine intent
- If the request repeats one the same data subject has already made and a reasonable interval has not passed since you answered it
Important points to remember are that exemptions are applied case by case, that you must tell the requester about any refusal without undue delay and within one month, and that you must give your reasons and explain their right to complain to the ICO and to seek a judicial remedy.
What counts as ‘manifestly excessive’ or ‘manifestly unfounded’?
If an organisation wants to argue that a DSAR is manifestly excessive, it must be able to show that the request is ‘clearly or obviously unreasonable’.
Whether a request is manifestly excessive depends on whether the burden of handling it is proportionate when weighed against the benefit to the requester and the costs involved.
A lack of resources is a factor in that assessment rather than a ground in itself. For example, many organisations struggled to complete DSARs during the height of the national lockdown, and that context can be taken into account.
Deciding whether a request is manifestly unfounded requires more of an investigation into potentially malicious or insincere motives. For example, a disgruntled employee may submit one to waste their employer’s time and money, with no intention of taking legal action at any point.
Can data subjects be charged for raising a DSAR?
Not normally. Under the UK GDPR a controller must deal with a DSAR free of charge; the old £10 fee under the Data Protection Act 1998 no longer applies. You may only charge a ‘reasonable fee’ for the administrative cost, or refuse to act, where a request is manifestly unfounded or excessive, or to cover further copies of information you have already supplied. And, as the earlier contents of this guide make clear, responding to a DSAR costs an organisation far more than any such fee would recover.
Still have questions about DSARs and the rights of access? Altlaw can help.
Contact a member of our team today for an informal chat.
eDiscovery Services: 020 7566 7566
Print/Hard Copy Services: 020 7490 1646
Email us: enquiries@altlaw.co.uk