Written by Maeve Dunne
If you are ‘lucky’ enough to be responsible for handling DSARs (Data Subject Access Requests) for your organisation, we recommend viewing them with a Customer/Employee Care lens (unless you receive multiple on a daily basis…then good luck!). We know that, for the most part, a DSAR is rarely used for the purpose for which it was intended. So, take a breath and evaluate the real reason behind the request – as it is very often a positive opportunity for your business.
- Whether it is an opportunity to identify and support an employee in the workplace, or
- An opportunity to listen and respond to an unhappy customer
Engage your HR and Customer Care teams and agree how DSARs should be handled. Take the regulation out of the process and engage with the individual as a human being.
- Acknowledge receipt of the request (obvious, but not many companies do!)
- If appropriate, phone the individual. Often, they simply do not feel heard
- Explain your company’s process and provide reassurance that their request is important
- NEVER ignore DSARs. (Yes, it happens all the time)
- If it’s complex, provide a quick update during the 30-day period
If you are a Processor, ensure clarity with the Controller about how DSARs will be handled. Speaking with the DPC, this is a regular complaint that crosses their desk: a DSAR falls through the cracks between Controller and Processor. While a DSAR remains the responsibility of the Controller, our advice for the Processor is to acknowledge receipt and explain that the request will be passed directly to the Controller.
Based on your organisation’s activities, write your DSAR Policy appropriately and move on from the ‘one template fits all’ approach. Write it in clear, simple language that your team members can understand, and outline a process that respects the rights of an individual.
If you have a question regarding your DSAR Policy, a tricky request, or any of the above articles, please get in touch via our Contact Form.
