@boboshady

DSAR (Data Subject Access Requests) - the hidden nightmare of GDPR compliance

4 March 2020

If you hold personal data, and you lose it by any means, you’re pretty much boned, especially if you weren’t doing a decent job of trying to protect it. If you hold personal data, and you process or use it in a way that you don’t have explicit permission for, you’re pretty much boned, at least on a technical level – if anyone decided to chase you down on it, you’d have very little recourse.

These are the things that two years of preparation and nearly two years (at the time of writing) of the GDPR being ‘in the wild’ have taught us. We’re sick of hearing them, to be honest.

There’s something else, however. Something that’s technically always been there (well, since the Data Protection Act 1998, at least), and that is the rights of an individual to get a complete view of the data you hold on them, from you, on request. They’re called Data Subject Access Requests (originally just SARs), and whilst they’re not completely new, the GDPR brought about some fundamental changes which make them much more of a problem for organisations holding data on an individual.

The changes aren’t massive in terms of the rights that an individual has, but the implications of those changes are huge. In summary:

  1. As a data controller (someone who holds personal data), you are no longer allowed to charge an individual for dealing with their request;
  2. You don’t have much time to deal with a request when it comes in – typically the longest you’ll get is 30 days, unless you can demonstrate why it will take you longer;
  3. Requests can be made in basically any format you have open – if you have a live chat box on your website, a request can be initiated from that. It doesn’t have to be a formal letter in any particular format or wording;
  4. There is very little room for refusing to provide that data, and technical inability to access it is not an acceptable excuse. If you hold it, you will typically have to share it.

Historically, charges levied for providing individuals with copies of the data one holds have been used to dissuade all but the most insistent from actually putting a request in. Add to that a much more generous allowance on the time required to respond (basically, as long as you could argue that you were making progress, there was no come-back for each request taking months to be dealt with) and whilst it was technically possible for an individual to get a view of the data being held on them, it was very time and cost intensive.

Not any more. Now, an individual can reach out to you via email, or your web chat, or over the phone, and request a complete copy of all of the data you hold on them. That’s customer records from your ecommerce system, contact details from your email system, any profiles you’ve set up in your CRM related to them. Everything. They don’t have to specify what they want, they can just ask for it all and it’s your burden to find it.

When a request comes in, you’re faced with the following:

  1. Verifying the identity of the person making the request, which you’ll need to do a good job on because you absolutely don’t want to cause a data breach by giving out personal information to the wrong person!
  2. Finding all of the information held on that individual, in all of your systems;
  3. Sharing that information in a logical and secure way;
  4. Making sure that the individual then has the ability to amend or delete any of that data on request;
  5. Doing all of this as quickly as possible, and almost always within 30 days;
  6. Making sure you do it all without charge to the user – you can possibly levy some charges on the individual if there are costs involved in processing their data for them, but you cannot simply charge for your time, and in most cases any fees you try to charge will be shot down (after all, you should have mechanisms in place to extract the data you hold in the first place).

There is very little wriggle room when such a request comes in. You can refuse access if it’s an unreasonable request (for example, if the same person requests their information repeatedly) but generally speaking, if you get a request in, you’d better be prepared to deal with it.

And that could be huge. First, imagine if just 20 of your customers dropped you an email today asking for a complete copy of all the data you hold on them, across all of your systems. Even if you have a complete handle on it and know exactly how to find and export all of that information accurately, it’s a big task to do it for 20 people at the same time, especially when you factor in verification of their identity.

And what if, like most people, you’re not ready for this? Do you even know what all of your systems are? Would you be able to quickly export information from those systems in a secure and complete way? What’s your process for verifying their identity?

Imagine trying to dig through emails, CRMs, spreadsheets, marketing systems, customer databases and accountancy systems to find everything you hold on a user.

Imagine actually dealing with it all, and then 5 of those individuals asking for their data to be removed, and another 5 asking for their information to be updated (because it’s highly unlikely all of your systems hold up-to-date information on everyone, if we’re being honest).

Sounds like a nightmare, right? That’s because it is.

So what can I do about it?

If you did your GDPR prep properly leading up to May 2018, you’ll have done a thorough review of the systems you use and the data they hold. A really thorough review would have included how you’d handle DSARs too, as they’ve always been a part of GDPR, but in reality most organisations haven’t been this thorough, and most of the focus since then has been on data security, not access.

So it’s important that you consider it, and put a plan in place. Take the following steps to ensure that, if a request ever does come in, you’re ready for it:

  1. Have a process in place for capturing and processing requests, so that you don’t lose sight of a request or its progress;
  2. Make a list of all of the systems you use, or have ever used that are still online, and make sure you know how to access them. Close down and delete the data of any that you no longer need, and document how you go about exporting and updating information on the systems you retain;
  3. Burn all of your old, non-compliant contact lists. Do it now. Yes, I know there are 70,000 addresses in there, but you can never use them. Double delete and move on;
  4. Make sure your team know what a DSAR is and how it should be dealt with. In particular, make sure that no data leaves your office until it is securely packaged up and you have verified the identity of the requesting individual;
  5. Scour your shared drives and download folders for email list exports and spreadsheets of personal information, and delete them permanently.

It may seem like overkill, especially as you’ve likely not had a single request through yet, but you really don’t want to be starting this process under the pressure of a ticking clock when the first request does come in.

If you’d like to talk in more detail about it, hit me up on twitter – @boboshady