How to Avoid Falling Foul of a DSAR Breach

Written by Imogen Fraser-Clark

Since the introduction of GDPR in 2018, Data Subject Access Requests – more commonly known as DSARs – have seen a monumental surge.

To the uninitiated, a DSAR is when an individual (or ‘data subject’) requests that an organisation provide evidence of all of the personal data they have stored on that particular individual.

These requests are most commonly made by employees to their employers – often to support their case in a tribunal, grievance, or some other form of legal dispute.

Today, DSARs are not only becoming more frequent, they’re also becoming more costly and more complicated. Increasing numbers of businesses report having to take on new staff, or even implement new technology, just to cope with the operational strain that a DSAR can create. But it doesn’t have to be this way. With sufficient knowledge and preparation, you can handle a Data Subject Access Request without it having an adverse effect on your operations, your productivity, or your bottom line. Read on to find out how…

Recognising when a DSAR has been submitted

One thing that makes DSARs so difficult to handle is that there is no official process or protocol for submitting one.

This can make them difficult to recognise – particularly if one comes through to a junior team member in a non-legal department, such as a social media or admin executive. Regardless, once a DSAR has been made, the recipient organisation has one calendar month to fulfil the request – so any additional time it takes to recognise a DSAR, and figure out who it should be escalated to, is likely to be time you can’t afford. Missing this deadline can lead to serious sanctions from the Information Commissioner’s Office (or ICO), not to mention lasting damage to your credibility and reputation.

Because of this, it’s vital that staff at every level of your organisation, from operations to HR to legal, have a foundational knowledge of what constitutes a Data Subject Access Request. That way, whether it comes via email or over Twitter, and no matter how formally or casually it’s worded, your team can recognise it, escalate it, and ensure it is treated with the appropriate levels of efficiency and severity.