A Data Subject Access Request (DSAR) enables individuals to request access to their personal data held by an organisation under data protection laws such as the GDPR. Organisations must respond within a specified timeframe, typically 30 days, providing details about the purpose, processing, and storage of the data.
How To Respond to a Data Subject Access Request
Let's say a data subject has gotten in touch and requested access to their data, either through your DSAR form on your Privacy Portal or any other channel.
What steps do you need to follow now?
Step 1: Acknowledge Receipt
Step 1 is to reply to the email to acknowledge that we’ve received the request.
Hi [Name],
Thank you for your request - this message is just to confirm that we have properly received your request. We have identified this request as a Data Subject Access Request and it is our obligation under the GDPR and the Data Protection Act 2018 to comply with it.
As a way of transparency - we’d like to inform you how we proceed with these requests so that you know at which stage we’re at:
- Verify your identity - we need to make sure that you are the person that you’re requesting data from
- Understanding the scope of your request
- Gathering the personal data
- Disclose that data to you (where we can do so lawfully)
- Answer any other concerns you may have
We aim to resolve these requests within 28 days from when we verify your identity.
Note: If you did not create this request - please let us know.
Step 2: Verify Identity
Hi, We are processing your Data Subject Access Request - we're currently in Step 1.
For this step we need to verify your identity:
- We need to ask if you could please {appropriate way of identifying person}
Apologies if the steps above are inconvenient but we’re committed to protecting the data of individuals that trustus with it - therefore before we give out information we must ensure that we are giving it out to the right person.It is another step to protect data.
Example to verify the identity of a person who: (swap for “appropriate way of identifying a person” above)
Booked a meeting with you:
- Reply to this email confirming that you acknowledge that you created a
request on the "Date" at "Time"
- Indicate your name and surname and email address with which you want
to proceed with the request
- You mentioned that you registered a meeting us - as a further means to
verify the request - could you please give me details on the date,
time and the method by which you booked such meeting
Was contacted by one of your sales/marketing emails
- Reply to this email confirming that you acknowledge that you created a
request on the "Date" at "Time"
- Indicate your name and surname and email address with which you want
to proceed with the request
- You mentioned that you received an email from us - as a further means to
verify the request - could you please forward us the email that you are
referring to?
Step 3: Verify the scope
Once you know the person is indeed who they say they are, the next step is to understand who the individual is in relation to your company and what data they are looking for.
You are not allowed to ask them to narrow the scope of their request, as any individual is allowed to ask for “all of their data”, but it is ok to ask them to provide additional details that will help you to locate the data they are seeking.
E.g. dates when they might have engaged with your business, names of the staff they have engaged with, if they have been to any of your events, liked any of your posts, replied to any of your previous emails.
These questions don’t prolong the 28 day deadline to reply to the request, so if they don’t answer or you are running out of time you will have to comply with the request by making reasonable searches for the information covered by the request.
To help you with this process it might be useful to think:
- What type of individual are they as described in my privacy policy?
- E.g. are they a customer? a visitor to premises? a former temporary staff? It’s okay to ask them if you are not sure
- If they mention a third party or one of your partners or suppliers, it might be a good idea to reach out to them and request them for information on where they got the data. Did they get it from you? If so from where?
- If they mention any of your employees it might also be a good idea to ask them about the engagement
Once you have identified what type of individual they are you can go through your data inventory in your Privasee platform to identify the assets or third parties where you might be storing their data and what it’s used for.
Step 4: Gather information
The final step is to go through the assets where you have identified you hold data and collect the information you hold about them.
E.g. you might have their email address, name and a list of events they have assisted to on your CRM. If they are one of your customers you might have some payment information in your Accounting Software…
Depending on their request they might be asking for confirmation/explanation of the types of data you hold about them, how you collected that information and what it’s used for; or they might be asking for an actual copy of their information.
💡 When providing a copy of their information, especially when dealing with free-text format like emails or documents. It’s important to redact any information that could allow you to identify any other individual as to not share personal information from someone else.
Step 5: Disclose data in a secure format
It is good practice to include a covering letter or accompanying explanatory material as part of your DSAR response. It must not be forgotten that the right of access does not just cover the provision of information, it also contains confirmation of the details and nature of processing, which can be included in your covering letter.
Data Subject Access Request Response Template
Dear [Name],
We are processing your Data Subject Access Request - we're currently in Step 5.Your request has been considered in line with the Data Protection Act 2018 and the General Data Protection Regulation, and the personal data you are entitled to has been included with this letter. Additional to the provision of your personal data, I can confirm that [Company] processes your personal data and for more details surrounding the purposes and scope of this can be found within our Privacy Notice [PROVIDE LINK OR COPY OF PRIVACY NOTICE].
Information relating to 3rd parties:Under the right of access, Data Subjects are only entitled to their own personal data and not necessarily that relating to any 3rd parties.
As part of providing information we have had to consider your right of access and balance that against any other rights that other individuals such as protecting their own data protection or privacy rights.Information provided in confidence:There will often be occasions whereby information is provided in confidence to the company and release of such would undermine that duty of confidence potentially resulting in legal consequences for the company. Furthermore,it is important that such confidences are respected and that individuals can share matters with the company in confidence without fear that their confidence will be breached. Please rest assured that what we can share in respect of theseinstances will have been shared or anonymised appropriately.
I hope that you find the enclosed information useful. [COMPANY] now consider your request fulfilled and the matter to be closed. Should you feel this is not the case, in the first instance please let me know. If you remain dissatisfied following this, please note that you have the right to raise the issue with the Information Commissioner’s Office (ICO), who can be contacted by the following methods - <https://ico.org.uk/global/contact-us/>. You also may wish to seek to enforce your rights through the Courts.If your concerns related to procedural matters rather than the provision of information, please can I politely suggest that such matters are taken up with the relevant departments or via our complaints processes.
Along with the covering letter you can attach a file with all the personal data about the individual, this can be an excel or similar, a JSON, or a PDF with documents, emails or other potentially redacted files.
Are there any exceptions to a DSAR?
A company can restrict access to data subject rights including DSARs whereby it is necessary to safeguard:
- Crime and taxation
- Crime and taxation risk assessments
- Information required to be disclosed by law or in connection with legal proceedings
- Legal professional privilege
- Self-incrimination
- Disclosure prohibited or restricted by an enactment
- Immigration
- Functions designed to protect the public
- Audit functions
- Bank of England functions
- Regulatory functions relating to legal services, the health service and children’s services
- Other regulatory functions
- Parliamentary privilege
- Judicial appointments, independence and proceedings
- Crown honours, dignities and appointments
- Journalism, academia, art and literature
- Research and statistics
- Archiving in the public interest
- Health data
- Social work data
- Education data
- Child abuse data
- Corporate finance
- Management forecasts
- Negotiations
- Confidential references
- Exam scripts and exammarks
Can I ever reject a DSAR?
You can refuse to comply with a manifestly unfounded or excessive request. The decision should be made on a case by-case basis and your rationale for this should be clearly documented in case this needs to be demonstrated to the ICO or the courts. Examples of requests given by the ICO which may be manifestly unfounded are:
- The individual clearly has no intention to exercise their right of access. For example an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation
- The individual has explicitly stated, in the request itself or in other communications, that they intend to cause disruption
- The request makes unsubstantiated accusations against you or specific employees
- The individual is targeting a particular employee against whom they have some personal grudge
- The individual systematically sends different requests to you as part of a campaign, e.g. once a week, with the intention of causing disruption
Key Takeaways & Wrap-Up
In this article, we’ve covered the following key points about Data Subject Access Requests (DSARs):
- A DSAR enables individuals to access the personal data your organisation holds about them, promoting transparency under GDPR.
- Responding to a DSAR involves five key steps: acknowledging receipt, verifying identity, understanding the scope, gathering the data, and securely disclosing it.
- Organisations must respond to DSARs within 28-30 days, balancing the individual’s rights with any applicable legal exemptions.
Privasee can help streamline your DSAR management - book a demo today.
Data Subject Access Request - FAQs
What is a Data Subject Access Request (DSAR)?
A DSAR is a request made by an individual to access personal data that an organisation holds about them.
How long do I have to respond to a DSAR?
Organisations have 28-30 days to respond once the individual’s identity has been verified.
Can I refuse a DSAR?
Yes, you may refuse a request if it is manifestly unfounded, excessive, or falls under specific legal exemptions. Proper documentation is essential in such cases.
What steps are involved in fulfilling a DSAR?
The process involves acknowledging the request, verifying the individual’s identity, understanding the scope of the request, collecting the relevant data, and securely providing the requested information.A Data Subject Access Request (DSAR) is a request made by an individual to access their personal data held by an organisation. Under data protection laws like GDPR, organisations must provide this information within a specified timeframe, typically 30 days. DSARs help ensure transparency and individual control over personal data.
Frequently asked questions
We never have access to any of your data, our platform is able to scan each tool and provide recommendations without needing to access any of the data within those tools. There's no need for your dev' team to do anything, there are no security risks, just tell us the tools you use and we will do the rest.
Our policies are not just about my website or service. Once set up, our platform will help you map-out internal and external processes, such as HR, finance, and more!
We recommend replacing your current policy with our policy, this way you’ll remain compliant as your business changes and as the laws update.
Setting up is easy, just follow the on-screen commands and go through a few short steps to add your tools. You don't need any technical ability, anything you don't know the answer to you can ask us via our live chat or add later.
A template will not be applicable to your particular business as there are many things to consider for each tool you use. Also the template will not automatically update when changes happen in your business and when changes to GDPR laws are released. This can leave you vulnerable to breaking GDPR laws.
We have a huge selection of tools pre-loaded and anything you don't see you can add directly from the platform as well as mapping data for any custom software you may use.
Our Essential Plan is perfect for people just getting started, small businesses, self-employed people and early stage companies. It allows you to get set up and start making your site GDPR compliant. You can move to our pro plan when you grow and your needs become more complex.
Our Pro Plan is aimed at SMEs and is our most popular plan as it includes everything you'll need such as a cookie banner, multiple languages as well as dedicated support.
Our Agency Plan is aimed at businesses that operate with clients needing GDPR solutions. The plan allows you to onboard clients as well as benefit from the Pro Plan for your own site.
Our Enterprise Plan is our most customisable and inclusive plan aimed at large, corporate businesses. We will essentially build you a bespoke plan with full maintenance support, onboarding classes and full company-wide access.
Feel free to get in touch to discuss our GDPR Compliance Software solution.
Signing up is super easy. The platform will ask you a few basic questions and then you can add your tools - don't worry if you don't know them all, you can come back and add tools at any point. The platform will then generate you the correct privacy policy based on your information, you can there share it directly on your site. That's it!
Privasee has a plan for smaller companies as well as larger enterprise companies. For companies small to medium you can signup directly. For bigger enterprise companies get in touch with your requirements and our team will build you a bespoke plan.
You have a legal responsibility to keep your policy up to date with every change in legal requirements for every tool you have. With Privasee you are always covered.