And what do I need to do?

A DSAR (Data Subject Access Request), or SAR (Subject Access Request) as it is sometimes called, is when an individual asks you for all the data you hold on them. This could be a client, a supplier or, more often than not, an employee.

So, what do I need to do?

In simple terms, you need to trawl through all your systems, both electronic and paper, for anything that might contain personal information about the individual.

This is where the fun starts, because unless you have a rigorous retention process in place and regularly clear out your emails (within legal guidelines), you could be looking through 1000s! I did a DSAR for a client a couple of years ago and had to read over 16k documents because they had never had a clear-out! Not only is this time-consuming; if you need to outsource it due to the time constraints, it can also be very expensive!

What needs to be included?

Not everything needs to be included in a DSAR, so you need to know what’s what. You also need to make sure you redact any information that relates to other individuals, such as names and email addresses, and think about any commercially sensitive information you don’t want to share.

Under the GDPR (General Data Protection Regulations) you have 30 days to comply with a DSAR. If it is complex, you can extend this up to a further 2 months but that is your maximum. You also can’t charge for the work involved.

There are always exceptions to every rule and GDPR is no different here, so it is really important that someone in your business understands this process as you never know when one might come up!

Get in touch

If you need support with a DSAR or any other GDPR compliance, please get in touch with us today.