What are some of the best practices for responding to data subject access requests (DSARs)?

Acknowledge receipt of the DSAR as soon as possible. Use clear and plain language to explain the information provided while responding to DSAR. Adhere to regulatory deadlines, such as responding within one month as required by GDPR (extendable by two months if the request is complex). The process often requires significant manual effort, including reviewing, redacting, and compiling data. Consider the cost implication of responding to DSAR. Try to Implement automation to streamline DSAR processing while ensuring accuracy and compliance.

If you are required to verify or identify, then you should maintain principles of data minimization to ensure that you only collect the minimum necessary information to verify identity. Generally, I have leveraged a double opt-in strategy of: receiving a request then emailing the requestor for them to confirm

Effectively managing DSARs under the LGPD 🇧🇷 and GDPR 🇪🇺 demands a robust, privacy-centric approach. 1️⃣ Authenticate the requester’s identity to prevent unauthorized disclosures, as required by Recital 64 GDPR. 2️⃣ Develop standardized workflows to locate and consolidate personal data across systems, leveraging data mapping and automation tools to ensure completeness and efficiency. 3️⃣ Ensure compliance with statutory timelines—15 days (LGPD) or 1 month (GDPR)—and provide responses in a transparent and accessible format, aligned with Art. 18 LGPD and Art. 15 GDPR. At MeLi 💛, our Transparency Report highlights scalable, rights-focused DSAR strategies, reinforcing transparency and accountability.

You should also consider whether the law governing a particular DSAR requires identification or, as may be the case with the CCPA's "Do Not Sell or Share" right, prohibits verification prior to fulfilling the user’s request.

"Identity verification" in data subject access requests involves confirming the requester's identity to ensure they are who they claim to be. This best practice ensures data security and prevents unauthorized access to sensitive information. Methods like multi-factor authentication, request-specific credentials, or cross-referencing provided details against existing records help uphold this crucial step in safeguarding personal data during access requests.

Just sticking the name into a huge e-discovery is NOT likely to get the results you, or the data subject, want or need. This is an area where the human touch, and common sense, prevails, if used properly. Oh, and remember that you DON'T need to search in the way the request instructs you to - you do what makes sense for you.

Automation of the data being processed will help the controller to fulfil the DSAR in record time. Adopting automation is part of privacy by default and design which the GDPR mandates.

Before completing a DSAR, you need, at a minimum, to have a catalog of all data elements and categorize them. This catalog will give you the scope of all data that needs to be retrieved and documenting it will help with other privacy projects in the future.

1. Maintain Comprehensive Records: 2. Implement Data Mapping: 3. Use Data Management Tools: 4. Establish Clear Data Retrieval Procedures: 5. Ensure Data Accuracy: 6. Protect Personal Data: 7. Consider Data Minimization: 8. Notify Third Parties: 9. Document the Process: 10. Respond Promptly: Keep comprehensive records of the personal data you hold, including where it is stored, the purpose for which it was collected, and any third parties with whom it has been shared. Implement data mapping processes to identify where personal data is stored and how it is processed, making it easier to locate and retrieve data in response to a DSAR. Use data management tools and software to help locate and retrieve personal data.

Responding to Data Subject Access Requests (DSARs) can feel like a treasure hunt. Data Mapping - Map your data landscape. Identify all systems and locations where personal data might reside – CRMs, emails, HR platforms, even social media! Know your data lifecycle. Understand how long different types of data are retained and where archived data might be stored

In some cases it might be necessary to flag with Legal, Insurance or other relevant teams, information which may pose regulatory, financial or reputational risks to the organization. Whilst this does not prevent the disclosure of information that should be lawfully provided to the data subject it helps to mitigate risks and can serve as a damage limitation exercise.

Before providing data to the requester, review and redact sensitive, confidential, or irrelevant information. Employ consistent methodologies like masking, anonymizing, or pseudonymizing to redact data, ensuring tools and automation support readability while preserving privacy.

1. Understand Legal Requirements: 2. Identify Sensitive Information: 3. Use Redaction Tools: 4. Double-Check Redactions: 5. Document Redactions: 6. Consider Context: 7. Notify the Requester: 8. Protect Redacted Information: 9. Respond Promptly: 10. Seek Legal Advice if Uncertain: Familiarize yourself with the legal requirements for redacting personal data, including what types of information can be redacted and the reasons for redaction. Identify any sensitive or confidential information that should be redacted, such as personal identifiers, financial information, health data, or third-party information. Double-check all redactions to ensure that the sensitive information has been properly removed and that no unintended information

Moreover, a robust identity verification process should be implemented to ensure that the individual making the request is the legitimate data subject. This will prevent unauthorized access to sensitive information. In our experience, keeping a centralized record of all DSARs received, including the date of receipt, the nature of the request, and actions taken, helps in monitoring compliance and responding promptly. It follows that employees should be trained on recognizing and escalating DSARs to the designated contact point. Ensure that all staff members are aware of the importance of handling DSARs in a timely and compliant manner.

These days tools exist that automatically identify the Data Subject and then mass redact all other third party data. Human review is still required but the processing time is drastically reduced. No one needs to be drawing boxes with Adobe or using a Sharpie.

1. Use Secure Channels: 2. Provide Access to the Original Format: 3. Consider Accessibility Needs: 4. Organize the Data: 5. Ensure Data Integrity: E 6. Provide Explanatory Notes: 7. Maintain Confidentiality: 8. Notify the Requester: 9. Provide Contact Information: 10. Keep Records: Deliver the data through secure channels, such as encrypted email or a secure online portal, to protect it from unauthorized access. Provide the data in the format requested by the requester, if feasible, and in its original format if possible, to ensure accuracy and completeness. Consider the accessibility needs of the requester, such as providing data in a format that can be easily read by screen readers for visually impaired individuals.Organize the data.

The last step is to format and deliver the data to the requester according to their preferences, using common electronic formats like PDF, CSV, or XML. Ensure secure and encrypted delivery through reliable methods like email, online portals, or physical media.

Once the review and redaction process is complete, the next step is to format the data in a clear and accessible manner for delivery to the requester. This may involve organizing the information into structured files or documents, ensuring compatibility with common file formats such as PDF or CSV. Organizations should also consider the requester's preferred method of delivery, whether through secure online portals, encrypted email, or physical mail. By providing data in a user-friendly format and delivery method, organizations can enhance the requester's experience and facilitate their access to personal information while maintaining data security and confidentiality.

It's key to align with the requester's format preferences if feasible. For instance, I once handled a request where the individual preferred CSV (comma-separated values file) format due to its ease in analysing data. Security matters: encryption during delivery and reliable methods (email, portals, physical media) ensure a safe transfer. Yet, balancing security with accessibility is vital. Always prioritise secure transfer, but aim for a format that meets the requester's needs. For instance, PDFs might be secure, but CSV or JSON could be more useful for data manipulation. Remember, it's about meeting their needs while safeguarding sensitive information.

Provide the requested data in a clear, portable, and reusable format, following the data subject's reasonable preferences. Ensure secure and encrypted delivery using reliable methods like secure portals or encrypted email. Maintain an audit trail of data delivered. Recommend implementing secure and auditable processes for data delivery, leveraging tools and technologies that enable efficient, secure, and compliant responses while minimizing the risk of unauthorized access or data breaches.

Have a procedure about how to manage requests, but also how to deal with any subsequent complaints. It helps the team with planning and clarifies who does what if things escalate. Share the complaints procedure with senior managers so they know when their input might be needed.

Maintain ongoing communication with the requester, providing timely updates on the status and progress of their request. Acknowledge requests promptly, offering estimated response timelines. In case of delays, difficulties, or exemptions, transparently communicate reasons and legal basis. Document the entire response process, including outcomes and communications, for record-keeping and potential audits.

Some data may contain information that the data subject might find distressing ( for example, former care leavers uncovering information about their childhood, traumatizing experience and family association). It is important to prepare the individual including offering or encouraging them to seek professional support during the course of reading their records or afterwards.

"Communicate and document the response" refers to providing a clear, timely, and comprehensive reply to a data subject's access request while keeping records of the communication. This best practice ensures transparency, accountability, and compliance with data protection regulations. Documenting the response process, including details of the request, actions taken, information provided, and any relevant justifications, serves as an essential record for regulatory audits and demonstrates adherence to data privacy laws.

Send your DSAR response to the right person. Oh, you want more characters to properly add value to this insight? Ok is this enough now?

If you are a data processor, Article 28 of GDPR specifically addresses the processor's obligations. When handling data subject access requests (DSAR), processors must assist the data controller in ensuring compliance with the rights of data subjects. This assistance involves taking appropriate technical and organizational measures to fulfill DSAR requirements, including security measures and notifying the controller of any personal data breaches. Processors should also contribute to the controller's obligation to respond to DSARs within the specified time frames.

I think to ensure that Data Subject Access Requests are effectively responded to, it is important to have certain practices at the organizational level even before the stage of DSAR comes 1) Data Mapping- Data Mapping is a crucial exercise, knowing what data an organization possesses, who in the organization is responsible for data, and where the data is stored. 2) Ensure that policies are in place- Data Subject Access Request policies should be in place at the organizational level, dealing with procedures around DSAR 3)Staff training- Employees should be trained on how to respond, the timeline for responding, and the procedure to deal with DSARs

I would add: Staff Training: Train your staff to recognize and appropriately handle DSRs, emphasizing the importance of data protection and privacy. Automated Processes: Implement automated processes for handling DSRs, where feasible, to ensure efficiency and accuracy in response. Documentation: Document the steps taken in processing the DSR, including any challenges faced, to demonstrate compliance in case of regulatory inquiries.

Once the data subject has been identified and verified - question number 1 - is the response to the DSAR strategic to the organisation? Strategic DSARs involve potential or actual employee disputes, litigation, where the DSAR is used as a discovery tool, or key customers/notable individuals (e.g. Nigel Farage). If the answer to this question is “yes” then you should have a “high risk” DSAR process in place to triage these DSARs and immediately get legal and forensics support in place to properly use all possible disclosure exemptions including legal privilege.

Depending on the requestor's jurisdiction, different rights and timelines could be applicable. For example, the CCPA has slightly different Data Subject Rights than the GDPR does. Configuring workflows that align to the appropriate jurisdictions an automating the process as much as possible using a privacy rights automation tool can help streamline the process and ensure there is documentation of fulfilled requests. It can also help avoid missed requests and help keep the correct stakeholders are kept in the loop when implemented correctly.