DSAR Requests – 5 Top tips for dealing with requests

Under GDPR legislation, employees have the right to obtain copies of their personal data by making a data subject access request (DSAR). We understand that these types of requests can be challenging for employers to manage, particularly where large volumes of data are being requested. Whilst this can seem overwhelming, there are lots of steps that employers can take to be prepared.

5 Top tips for dealing with DSAR requests

Below we list our 5 top tips for dealing with DSAR requests:

1. Ensure that you understand the remit of the request

   As a starting point, you will need to check whether the request is a DSAR and what personal data is being requested.

If you are unclear what the employee is seeking, you may need to clarify what information the DSAR relates to. In some circumstances, if the nature of the request is extremely broad, it may be reasonable to seek to narrow down the scope.

2. Keep track of time!

   The usual time limit for responding to a DSAR is one calendar month of receipt of the request. Whilst that may seem like a long time, the volume of work involved means that it will be important to plan timings carefully as soon as a request is received.

Where the DSAR is complex, it may be possible to extend the deadline by a further two calendar months. However, employers cannot simply rely on this extension as a matter of routine. Any extension sought will need to be clearly communicated to the individual.

3. Plan and prepare your DSAR response team

   One of the main challenges that employers face is how they are going to allocate resources to respond to the DSAR. This process may involve a number of people across the company.

If staff are unfamiliar with what the DSAR process entails this can cause delays to already tight timelines or misunderstandings about what needs to be done. Ensuring that staff are suitably trained on their obligations and equipped to deal with DSARs promptly is really important.

4. Have a process for redactions and dealing with third party data

   Once you have gathered the relevant information, you will need to review it to establish what information needs to be disclosed. GDPR legislation requires employers to undertake a balancing exercise in weighing up the rights of any other individuals that may be identified from the information gathered.

You may need to redact certain information from the documentation before it can be disclosed. This stage can be very time consuming, so it is important to start this as soon as possible.

5. Document your decisions and communicate them

   Our final top tip is around transparency and clearly documenting your decisions. The best way to demonstrate compliance is to show that you have thought about the steps being taken and explained this to the individual.

This will also assist if the individual raises a complaint with the Information Commissioner Office (ICO) as you can then show the rationale behind any decisions made.

How we can help

Paris Smith LLP has new AI based technology which is specifically designed to manage DSARs. Using this software, we can have oversight of the DSAR process for you. We can streamline the documents that you need to disclose, apply redactions and complete the DSAR in compliance with your legal obligations and current ICO guidance. We can also advise you on any tricky documents or queries that you may have.

As a team, we also deliver training sessions on GDPR compliance, including dealing with data subject access requests, which is aimed at HR and line manager professionals.

If you would like to find out more about how we can help you or if you require any assistance with DSARs please contact Sarah Hayes, an Associate in our Employment team.

We publish blogs and social media posts to give a general overview of legal and commercial issues, relevant at the time of publication, which we hope you will find interesting. Please note that legal rules often change depending on the specific facts of a situation. The law also changes over time following changes in legislation or new court cases. We do not actively update our blogs or posts once they are published to reflect changes in the law.

As such, our blogs and posts are not intended to advise you on the law and must not be relied upon as legal advice. If you require advice on a particular issue then please contact us and we will be pleased to help.