20 March 2019

The dos and don’ts of data requests

An individual's right to access information held about them (a Data Subject Access Request or DSAR) is a key element of the General Data Protection Regulation (GDPR).

Although it may seem like a new concept for many, the right of access to personal data has actually been a major part of data protection legislation since 1984.  The explosive growth of digital technology has in turn led to an expansion in the nature and quantity of data processed.  This is ultimately why DSARs have the potential to cause such a headache.

What does the GDPR mean for Data Subject Access Requests?

The first major change is that the individual no longer has to pay a fee for making the request in the majority of cases.  Although an organisation can charge a reasonable fee if it can show the request is manifestly unfounded or excessive, this should still only be the administrative cost of carrying out the DSAR and in reality will be a high hurdle.

Another important change is the time limit that the organisation has to respond to a request, which has been reduced from 40 days to one calendar month.  This may be extended to two months where necessary, taking into account the complexity or number of requests the business receives.  However, the individual should still be informed within one month.

Complying with a DSAR may initially seem overbearing and daunting but it is important to remember that a DSAR is not a right to see all documentation with a person’s name on it.  It is instead a right of access to personal data.  This could be an email address but not the contents of the email itself, depending on what is said in the email about the individual.  Whilst DSARs should be handled transparently, there are a number of possible exemptions which include, where relevant, the redaction of all third parties’ personal data.

Perhaps the golden rule in this new era of DSARs is thus: mind what you say about people in private emails because you can’t guarantee that they won’t end up reading it!

Steeles Law is hosting a free breakfast seminar on dealing with Data Subject Access Requests, including a post-GDPR Q&A session, on Wednesday 1 May 2019, 7.45-9.00am at Norwich Theatre Royal.  Visit the events section of the website for more information and to book a place.
