
    20 March 2019

    The dos and don’ts of data requests

    An individual's right to access information held about them (a Data Subject Access Request or DSAR) is a key element of the General Data Protection Regulation (GDPR).

    Although it may seem like a new concept to many, the right of access to personal data has been a major part of data protection legislation since 1984.  The explosive growth of digital technology has in turn led to an expansion in the nature and quantity of data processed.  This is ultimately why Data Subject Access Requests (DSARs) have the potential to cause such a headache.

    What does the GDPR mean for Data Subject Access Requests?

    The first major change is that, in the majority of cases, the individual no longer has to pay a fee for making the request.  Although an organisation can charge a reasonable fee if it can show the request is manifestly unfounded or excessive, this should still only be the administrative cost of carrying out the DSAR, and in reality this will be a high hurdle.

    Another important change is the time limit within which the organisation has to respond to a request, which has been reduced from 40 days to one calendar month.  This may be extended to two months where necessary, taking into account the complexity or number of requests the business receives.  Even so, the individual should still be informed within one month.

    Complying with a DSAR may initially seem overbearing and daunting but it is important to remember that a DSAR is not a right to see all documentation with a person’s name on.  It is instead a right of access to personal data.  This could be an email address but not the contents of the email itself, depending on what is said in the email about the individual.  Whilst DSARs should be handled transparently, there are a number of possible exemptions which include, where relevant, the redaction of all third parties’ personal data.

    Perhaps the golden rule in this new era of DSARs is this: mind what you say about people in private emails, because you can’t guarantee that they won’t end up reading it!

    If you receive a DSAR, or better yet are reviewing ways to best protect your business when you next receive DSARs, contact our dedicated DSAR team to discuss how we can solve your concerns for you with our specialised service at a fixed cost. Contact the Steeles Law Employment team on 01603 598000 or email employment@steeleslaw.co.uk. Appointments are available at our Diss, Norwich and London offices or at your offices by appointment.
