You might be watching the news or reading the newspaper this week and seeing lots of references to Subject Access Requests (SARs). Perhaps you’re wondering what your business can do to prepare for a SAR. In this blog we’ll demystify SARs and help you work out what steps you need to take next.
So, what exactly are SARs (or DSARs, as they are also known), and how do they tie into the GDPR? And more importantly, what does your business need to do about them? Let's find out.
Understanding DSARs
DSAR stands for Data Subject Access Request. In simple terms, it's a request made by an individual, or 'data subject', to access a copy of the personal data that your business holds relating to them. This can include anything from their name and email address to their transaction history, or information about them contained in emails, meeting notes or employment records.
DSARs are a legal right enshrined in the UK General Data Protection Regulation (UK GDPR), the law that governs how businesses handle the personal data of individuals.
DSARs and GDPR: The Connection
One of the main goals of the UK GDPR is to protect fundamental rights and freedoms, and in particular the right to the protection of personal data. The first principle is that of transparency, which promotes a clear understanding between businesses and their customers or employees about how their personal data is used.
Under the GDPR, individuals have the right to request access to their personal data, ask how it's being used, and in some circumstances even demand its rectification or deletion. This is where DSARs come into play, allowing individuals to exercise these rights. The right to access our personal data isn’t absolute, and there are certain exceptions that businesses need to understand.
The Impact on Small to Medium Businesses
While it might seem like GDPR and DSARs are a concern only for major corporations, the Regulation applies to all businesses that handle personal data, irrespective of their size. If your small or medium business has customers or employees in the UK or EU, understanding and efficiently handling DSARs should be on your to-do list.
Handling DSARs: A Practical Approach
Handling DSARs doesn't have to be a headache. Here's a step-by-step guide to manage them efficiently:
- Identify the DSAR: First and foremost, train your staff to recognise a DSAR when it comes in. It might arrive through any communication channel and won't necessarily use the term 'DSAR', 'SAR' or 'data subject access request'.
- Verify the Requestor's Identity: To protect customer data, make sure the request is genuine. This could involve asking for additional information to confirm the requestor's identity.
- Locate the Personal Data: Once you've confirmed the requestor's identity, the next step is to find and compile the requested data. A well-maintained data map can make this process faster and more accurate.
- Understand What You Can or Can’t Send: You must not send the personal data of other individuals without their consent, so you may need to redact this data from your documents. Decide whether any data needs to be withheld and whether there are any other exemptions you can rely on.
- Respond in Good Time: UK GDPR mandates that businesses must respond to DSARs without undue delay and, in any case, within one month of receipt of the request. If the DSAR is particularly complex, this can be extended by two more months, but the data subject must be informed about the delay.
- Provide Personal Data in a Clear Format: When providing the requested information, use a clear, user-friendly format. The aim is to make the information understandable for the average person, not just tech experts.
A word of caution: The Data Protection Act 2018 (DPA 2018) makes it a criminal offence to delete or conceal personal data that individuals making a DSAR might otherwise be entitled to receive.
Next Steps:
- Ensure you know where all your personal data is.
- Train your staff to understand what to do and who to contact if they suspect they have received a DSAR.
- Ensure that your DSAR policies and processes are up to date and ready to use if you receive a DSAR.
Conclusion:
While DSARs may seem daunting at first, they offer an excellent opportunity for businesses to show their commitment to data protection and build trust with their employees, customers or clients. By understanding your obligations under the GDPR and putting in place a robust process for handling DSARs, your business can not only stay compliant but also cultivate a culture of transparency.
Remember, when in doubt, it's a good idea to get prepared and seek advice to ensure your business is on the right side of the law.
We're here to help you navigate your way around the world of data protection, whether it's training, data mapping or policies. Get in touch today if you'd like a free initial chat. Email: info@ethiqs.legal