Data Subject Access Requests (DSARs) are on the rise as more people become aware of their rights under the UK General Data Protection Regulation (GDPR), thanks to more education on data protection generally (and the power of TikTok!).
A DSAR is a request from an individual to understand how and why you are using their data and check that you are doing it lawfully. Sometimes a request lands in the wake of an HR issue, such as a recent grievance, redundancy or performance management review.
Responding to a DSAR can bring you positive reinforcement that all of your processes are compliant with data protection regulations and HR policies. But it can also be a time-consuming and stressful exercise, particularly for small businesses with fewer resources.
In normal circumstances, a business has 30 days to respond to a DSAR, which often means dropping a chunk of your everyday tasks to pull the information together in time. How can you make life a little easier for yourself and handle these sorts of requests more effectively?
Use software in the smartest way
You probably already have software installed that will help you with these requests.
Use the search function to locate data that includes their full name and email address. But search like you would on Google: use quotation marks to capture an entire phrase, or an asterisk to broaden the search to data that starts with the same letters. Like this:
· “Joe Bloggs” – finds all the data containing “Joe Bloggs” as a single phrase
· “Jo*” – finds data where Jo, Joe or Joseph is mentioned.
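The two search styles above behave differently in practice, and the difference matters for a DSAR: a quoted phrase is precise but misses variants ("Bloggs, Joe"), while a wildcard pulls in records about other people that you would then have to exclude or redact. The Python below is an added example, not code from the original article: it turns a search term written in that style (quoted phrase, or trailing asterisk) into a regular expression and runs it over a handful of constructed sample files. The file names, the names Joe Bloggs, Joseph, Jo and John Smith, and the address joe.bloggs@example.invalid are all invented for the demonstration.

```python
import re
from typing import Dict, List

# Constructed sample documents standing in for the files a DSAR search would
# cover. Every name, path and address here is invented for this example.
SAMPLE_DOCUMENTS: Dict[str, str] = {
    "hr/grievance-2023.txt": "Grievance raised by Joe Bloggs (joe.bloggs@example.invalid) on 3 May.",
    "mail/team-update.txt": "Thanks to Joseph and Jo for covering the late shift this week.",
    "mail/journal-sub.txt": "Renewed the trade journal subscription; invoice attached.",
    "hr/john-review.txt": "Performance review notes for John Smith, Q2.",
    "mail/bloggs-joe.txt": "Bloggs, Joe - updated phone number on file.",
}


def search_term_to_regex(term: str) -> "re.Pattern[str]":
    """Convert a search term in the style described above into a compiled regex.

    - A term wrapped in straight or curly double quotes is matched as one phrase
      (any run of whitespace between the words is accepted).
    - A trailing '*' matches any word that starts with the given letters.
    - Matching is case-insensitive and starts at a word boundary, so "Jo*"
      finds Jo, Joe and Joseph, but also John and journal.
    """
    term = term.strip()
    if len(term) >= 2 and term[0] in '"\u201c' and term[-1] in '"\u201d':
        term = term[1:-1].strip()
    prefix = term.endswith("*")
    if prefix:
        term = term[:-1]
    words = [re.escape(w) for w in term.split()]
    if not words:
        raise ValueError("search term must contain at least one word")
    body = r"\s+".join(words)
    pattern = rf"\b{body}\w*" if prefix else rf"\b{body}\b"
    return re.compile(pattern, re.IGNORECASE)


def find_matches(term: str, documents: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {document path: [matched text, ...]} for every document with a hit."""
    regex = search_term_to_regex(term)
    hits: Dict[str, List[str]] = {}
    for path, text in documents.items():
        found = regex.findall(text)
        if found:
            hits[path] = found
    return hits


def broadened_only(wildcard_term: str, exact_terms: List[str],
                   documents: Dict[str, str]) -> List[str]:
    """Documents that only the wildcard search reaches.

    These are the records a broadened search adds on top of the exact
    identifiers, and each one needs a human decision: it is either a genuine
    variant of the data subject's details or somebody else's personal data
    that must be left out or redacted.
    """
    wide = set(find_matches(wildcard_term, documents))
    narrow = set()
    for term in exact_terms:
        narrow.update(find_matches(term, documents))
    return sorted(wide - narrow)


if __name__ == "__main__":
    print("phrase:", find_matches('"Joe Bloggs"', SAMPLE_DOCUMENTS))
    print("wildcard:", find_matches("Jo*", SAMPLE_DOCUMENTS))
    print("wildcard-only:", broadened_only(
        "Jo*", ['"Joe Bloggs"', "joe.bloggs@example.invalid"], SAMPLE_DOCUMENTS))
```

Running it shows both failure modes at once: the phrase search finds only the grievance file and misses the "Bloggs, Joe" note, while the wildcard search brings in that note plus three files about other people (a team update, a journal subscription and John Smith's review). In a real DSAR you would search with several exact identifiers first (full name, email address, phone number, payroll or employee number) and treat the wildcard's extra results as a review list, not as material to disclose.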
Once you’ve done a thorough search, you’ll need to redact any privileged information, and any information that relates to somebody else’s personal data (disclosing that would itself be a data breach).
The quickest way to redact documents is in Adobe or Nitro, and remember that these programmes have shortcuts to help you. Try “sanitising” the document first: that removes information that isn’t visible in the file, such as comments, metadata or hidden layers.
If your organisation holds reams of personal information, you might consider investing in specific software that helps you search and redact. There are a number of programmes out there, and you can compare and contrast them here.
Revise down your retention policy
How long are you storing information for? Lots of organisations have never thought about this, and the default position is ‘forever’, which can mean searching through and providing far more information than is strictly necessary in answer to a DSAR.
You can shorten your retention period, so long as it still complies with your industry standards. Configure your email and messaging systems to delete emails and instant messages automatically once the chosen retention period has passed.
You’ll save on storage and reduce the amount of data to wade through when you receive a DSAR.
Know where to draw the line
In some circumstances, you could be looking at thousands of documents to redact and send to an individual. But remember, your obligation is only to provide ‘data’ and not ‘documents’.
You can provide a table listing which personal information appears. For example, if you ask a bank for full copies of your bank statements, they are not required to give you the actual bank statements in response to a DSAR. They provide you with your personal data contained within those statements, which may be a list of transactions.
That means that you don’t need to provide all of the emails an employee has ever sent or received either. You just disclose the personal data once, like the subject’s name, phone number and email address. You don’t need to provide every single instance of this data appearing in the documents you hold.
And if you’re not too sure what the person is asking for or why, just ask. You’re perfectly within your rights to ask them if they are looking for something in particular. That way, you look helpful by trying to respond with the most relevant data, and it can cut down the amount of searching you need to carry out.