How to effectively manage data subject access requests
Data and AIRisk and Governance

How to effectively manage data subject access requests

It was recently reported that data subject access requests (DSARs) are costing UK organisations between £72,000 and £336,000 per year. However, you can’t charge for them, and you are legally obliged to comply: a costly process, particularly if your organisation receives a large volume.

The Data Privacy Group also reports that large UK organisations handle anything from six to 28 DSARs a month, with a significant rise in employee DSARs due to an increase in redundancies during the Covid-19 pandemic. This has had a significant impact on human resources and IT teams. There has also been a rise in customer requests where employees are submitting DSARs prior to a tribunal hearing as it provides an inexpensive way to gather evidence that may support their cause.

With employee GDPR training now standard practice in most organisations, knowledge is growing about data protection rights. Employees understand their rights, are increasingly challenging misuse of their personal data, and are willing to enforce their rights and their rights of access.

How to respond to a DSAR

Collating together the necessary data to respond to a DSAR is often challenging due to the number of documents, varying formats, and data assets involved. Most organisations hold a lot of information, located across multiple databases and in different formats, putting a strain on resources to gather it all together.

Using smart tools with full audit trails and encryption to streamline workflows and improve efficiency through technology reduces the time spent on each request.

Six top tips for managing DSARs

 

  1. Make sure you complete it in 30 days

    In most cases, you have just one month to respond to requests. If the case is complex, or the subject has made several requests, you can extend the deadline to two months, but you must notify the subject with justification.

  2. Don’t request payment

    Although DSARs take up valuable time and resources, you cannot legally charge someone for making a subject access request.

  3. Remove sensitive data

    When responding to a DSAR, you must redact personable identifiable information (PII) about third parties.

  4. Follow best practice and prepare for an audit

    As part of your DSAR response you will need to demonstrate that you’ve handled the process securely from start to finish and if requested, provide a full audit trail.

  5. Comply to reduce the risk of fines and reputation damage

    The Information Commissioner’s Office (ISO) oversees the handling of subject access requests and failure to comply can lead to penalties. The maximum fine in the UK for a serious breach of the DPA is £500,000, and failure to comply with the DSAR requirements could cost a data controller the higher 4% of annual global turnover for the previous financial year.

  6. Introduce an effective data retention policy

    These greatly reduce the volume of employee personal data you hold, and while the law dictates how long you must hold some records, it is your responsibility to manage this.

 

Manage your DSARs better to release time and budget

Creating a successful process for managing DSARs not only ensures that you are compliant, it also saves your organisation time, money, and improves trust between the company and your employees.

Chat to our governance, risk, and compliance team today for support with your current DSARs or guidance on creating a strategy for managing them.

Talk to us now

 

Tracey Hannan-Jones
Tracey Hannan-Jones

Tracey is Phoenix's Lead GRC Consultant, with over 25 years' experience across Technical Information Security, Data Governance, and Compliance and Auditing.

See all posts by Tracey Hannan-Jones

About Phoenix

Phoenix enables digital transformation in the workplace, empowering UK organisations to innovate and transform with cloud and hybrid infrastructures data, AI, security, and collaboration tools. By understanding the individual goals of its customers, Phoenix delivers remarkable, outcome-focused IT solutions and services that allow UK organisations to make a difference to the lives of their employees, service users, and communities.

Phoenix is a signatory on the Race at Work Charter, and a Disability Confident and Living Wage employer. The company is also actively involved in encouraging more women into the IT industry.

 

How we handle data  |  Unsubscribe

Recent Blog Posts

  • 25-04-2024 - Phoenix Software have been recognised for exceptional performance and innovation in Customer Cloud Data Security Phoenix announced today that it...... Read more
  • 04-04-2024 - As we innovate, QR codes are becoming commonplace. From accessing restaurant menus to event tickets, QR codes offer convenience and...... Read more
  • 03-04-2024 - From 15 July 2024, Adobe will no longer be selling Acrobat Standard 2020 and Acrobat Pro 2020 licences in the...... Read more

Sign Up

Please enter your details below to opt-in for the latest news, events and industry updates from Phoenix.

©2024 Phoenix Software All Rights Reserved. Phoenix Software Limited is a company registered in England and Wales, with company number 02548628 and VAT number GB 755 3490 15. Registered Address: Blenheim House, York Road, Pocklington, York, YO42 1NS