DSARs and data protection by design

What matters

Data protection compliance requirements, including respect for data subject rights requests, need to be integrated into data processing technologies from the outset.

What matters next

Understanding search, supply chain, policy and training requirements will mean achieving more efficient DSAR processes by design. Increasingly, data controllers are looking to managed solutions such as Shoosmiths' SmartSAR to streamline the DSAR process.

The UK GDPR and similar data protection laws around the world ask for data protection by design - but what does this mean in practice when it comes to DSARs? Using products such as Shoosmiths' SmartSAR may be the solution your organisation is looking for.

Data protection ‘by design and default’ is a core concept under the UK GDPR and similar laws around the world. Put simply, it requires that adherence to data protection requirements is considered as early as possible and integrated into the technology, service, product or processing activity from the outset. 

What does this mean for DSARs? 

The approach to compliance with data protection by design and default will vary according to which data protection requirement needs to be ‘baked in’. When a data subject asks for information from a data controller about what personal data it is processing, this is known as a ‘data subject access request’, SAR or DSAR. These can be complex, and involve many documents. So when it comes to data protection by design and default for DSARs, data controllers should consider the following: 

Detection 

  • Are all communications channels through which an individual can make a DSAR monitored by the controller and have any dormant channels been withdrawn?
  • Controllers that are subject to frequent, routine DSARs should consider creating a self-service and/or request portal to introduce automation to their management of DSARs and other data subject rights
  • Have staff been trained to recognise a DSAR and do they know where to send them? 

Collection  

  • Measures to address data minimisation and storage limitation will reduce the volume of disclosable information in future DSARs and reduce review time 
  • The exposure to onerous DSARs can be minimised by ensuring that controllers always check whether it is necessary to collect the personal data in the first place, a key requirement for compliance with the ‘data minimisation’ principle
  • Considering how personal data is recorded will help to simplify searches: consistency can be ensured by considering data input and format standards, and incorporating these in training, right from the outset of any processing activity or use of a system
  • When personal data is collected, are the parts that will be retained, or which will be subject to absolute DSAR exceptions (such as legal professional privilege in the UK) easily identifiable?
  • In relation to data that is heavily mixed, or which is stored and managed by a group function within a business in a corporate group, including internationally, have the relevant controllers within the group been identified, as well as challenges in DSAR fulfilment that arise from materials held in several languages? 

Retention  

  • For retention periods, controllers need to consider whether their retention policies take into account the risk from DSARs and balance these with the commercial needs/benefits of retention
  • How soon personal data is anonymised or deleted following collection is also a key consideration
  • Also important are the location of personal data, when it is archived and put beyond use, and how it is archived and retrieved
  • Consider how long DSAR fulfilment records will be kept, including redacted and non-redacted materials. 

Searches 

  • Before starting any new processing activity, controllers need to think about how they would search for, and retrieve, data, in particular which tools will be used and by whom
  • Information management systems should be designed and maintained for efficient retrieval
  • Maintaining comprehensive asset registers or data maps will be invaluable in assisting to locate information quickly. 

Processors  

  • Controllers should only use processors who can guarantee their technical and organisational measures for data protection by design
  • While processors do not have direct obligations under the UK GDPR/GDPR in respect of DSARs, processors must be contractually required to take appropriate measures to assist the controller with its DSAR obligations and controllers should consider the form such assistance will take to reduce administrative burden 
  • We strongly recommend that controllers with sufficient negotiating power include supplementary terms, such as: 
    • requiring processors to inform the controller of any DSARs relating to the controller’s personal data within a set time limit 
    • stopping processors from contacting data subjects who make a DSAR
    • setting out practicalities of how the controller and processor will cooperate on searches.  

Policies 

  • A controller should put in place a dedicated DSAR recognition policy and communicate it to all staff, plus a DSAR management and fulfilment procedure and communicate it to those specific teams dealing with DSARs, storing each policy in an accessible location 
  • It’s useful to consider key common elements arising in DSARs and tailor them to the business, such as ID requirements for different types of request, dealing with requests made by third parties (such as solicitors or parents and guardians), datasets which are not linked to offline identity, and approaches to CCTV redaction
  • A maintenance programme should periodically review policies and procedures to ensure appropriate changes are made (certain AI tools can now defeat CCTV redaction techniques and will no longer be safe, for example)
  • Data retention and deletion policies should reflect the storage limitation principle, discussed above 
  • A DSAR register should show the status of any DSARs received, time limits, and a note of the response and information provided; other third-party requests (say from the police) can be recorded in a similar way.  

Training 

  • The one-month time limit for responding to DSARs potentially begins to run as soon as a valid DSAR is submitted to the controller, so it is vital to ensure staff are trained in how to recognise DSARs, and escalation procedures. Staff must be aware that DSARs do not need to be in writing, submitted in any particular form or to any particular person. They might not mention the right of access under the UK GDPR, or even mention the term ‘DSAR’
  • To ensure a consistent approach, enough staff should be trained in handling DSAR responses step-by-step, allowing for cover in the event of absences.  

Technology solutions 

  • Consider if any privacy enhancing technologies or other automation may be of assistance to streamline your organisation’s DSAR management process 
  • Shoosmiths provides an end-to-end DSAR solution, SmartSAR, which handles all aspects of the DSAR process from filtering search results through to the ultimate delivery of the response to the data subject. Contact a member of the Privacy and Data team to learn more.  

 

Disclaimer

This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2024.

 


Insights

Read the latest articles and commentary from Shoosmiths or you can explore our full insights library.