Many businesses appoint a data protection officer to handle DSARs and to ensure that they are processed in a timely manner. This position should be someone who is familiar with privacy legislation and has a comprehensive understanding of the company’s data.
It is important that all staff understand what a GDPR DSAR is and how to recognise it. Requests can be made in a variety of ways and businesses should make it relatively easy for them to do so.
Responsibility
Anyone whose personal data is collected by a business or website can submit a DSAR. The law requires that the business respond promptly and thoroughly. The process can be time-consuming and expensive.
The business must first verify the identity of the requester. They must also conduct a thorough data search to find the requested information. This may require searching hard copies, digital files, user accounts, and payment services. Once the information has been found, it must be delivered to the consumer securely. If it is sent to the wrong person, it could be a breach of GDPR regulations.
It is important for businesses to document their DSAR response processes. This way, all employees know what to do when they receive a DSAR submission.
Responding
Responding to DSARs in a timely manner requires a great deal of effort and resources. Organisations must search hard copies, digital files, and user accounts to find the data requested by an individual. They must also keep detailed records of each response. These records may be helpful in demonstrating compliance with GDPR requirements.
It’s a good idea to nominate one person in the organisation for this task. This person might be the company’s DPO or another employee who knows the GDPR requirements and is familiar with handling DSARs. The person responsible for DSARs should also ensure that all staff understand the process and are trained to handle requests in a compliant manner.
Transparency
When a person submits a DSAR, it is important to do so in a fair and transparent manner. This includes clearly explaining the information you are requesting and how it will be used. It also involves providing a copy of the data requested.
It is important to remember that DSAR requests can be made by anyone whose personal data your organization processes. This can include employees, contractors, and even customers. They can be submitted via any communication channel, and it is important to monitor all channels to ensure that DSARs do not get missed or overlooked.
While it is possible to refuse a DSAR on the grounds that it is manifestly unfounded or excessive, it is best to provide a full response.
Law Compliancy
In order to comply with the law, it is important that a business responds to DSARs in a timely manner. It is also important to have a process in place that allows for the tracking of these requests and their fulfilment. The best way to do this is to have a dedicated team that oversees the management of these requests. The data protection officer is generally responsible for this, but if you don’t have one, it should fall to someone in your workforce with knowledge of data protection.
Individuals aren’t required to use the technical term DSAR when making their request. They can submit it in any form, through any channel, and to any person within the organisation.
