Podcast | DSAR Preparation for Businesses

DSAR preparation for businesses:
what to expect & how to prepare

 

  • The GDPR gives people the right to know what personal data any company or organisation holds on that person. A DSAR, or data subject access request, is how people ask to see this data.
  • All businesses are obliged to respond to DSARs in order to be GDPR compliant.
  • The number of DSARs being filed is increasing every year. Now more than ever, businesses need to understand their obligations and have a dedicated process ready to respond to DSARs effectively.
Podcast details
Episode Title: “DSARs for Businesses: What to expect and how to prepare.” 
Description: 
  • The GDPR gives people the right to know what personal data any company or organisation holds on that person.  
  • A DSAR, or data subject access request, is how people ask to see this data. All businesses are obliged to respond to DSARs in order to be GDPR compliant.  
  • The number of DSARs being filed is increasing every year. Now more than ever, businesses need to understand their obligations and have a dedicated process ready to respond to DSARs effectively.
Speaking: Dayle Rodriguez from Amakari Services interviews Trevor Fenton from Plain English Law.  
Recording Date: 25 May 2021 
Recording Length: 00:20:48 

 

Podcast transcript
Hi there, this is Trevor Fenton from Plain English Law. We’ve made this series of GDPR podcasts by recording conversations between me and Dayle Rodriguez of Amakari Services. In this episode, we talk about DSARs, or Data Subject Access Requests. (In plain English, that’s when someone asks you to share copies of data you have about them.) Dayle and I discuss what DSARs are, why people make them, and how GDPR compliance is as much about the process as the product. 
 
DR: …when we had our last conversation you were mentioning how, if an employee were to leave for whatever reason and they make a data subject access request, emails for example may also include other employees’ personal information. How do you know what to give to the employee who made the request? 
 
TF: What you have to do is figure out, first of all, what personal data you have about the data subject who made the request. If I’m the employer, this means itemising the pieces of information I have about that employee: I’ve got this list of emails; I’ve got this specific document, for instance, an annual review in their HR file.  
The thing is, now someone needs to read that annual report and figure out if anyone else’s name is in there. At minimum, consider the person who wrote that annual review – this is also personal data about them because they wrote it. 
 
DR: So, I assume the person doing this itemising would be a manager, or would it be the person who wrote the review, or who made the request? 
 
TF: It could be both, it depends on the process. The process I went through with my last employer, I was the line manager of a team of about 10 people, but obviously I had my own line manager. So I went through the quarterly and annual process with my line manager evaluating me, and I did it for my direct reports.  
So the reports that get generated included input both from me and my direct reports, and it could say any number of things. If you’re being careful about it, you’re not naming other people, but you can’t guarantee that. There has to be a process before we just dump all this information into a data subject access request. Somebody has to go through it and read it and flag any areas where the report is about some third person, not just about the employee making the request. There’s going to be personal data about the person who wrote the report and it could possibly name other people directly or indirectly. 
Let’s say an employee has complained to me about, ok let’s take an example: Jim comes to me and complains about Anne’s conduct. We might have an email exchange back and forth, and it might not even have Anne’s name in it, but it could be clear from the context who we’re talking about, and that makes it personal data about Anne.  
So, who’s making those assessments? First of all, you have to decide whether to give it to the employee or not. And if you’re going to give it to them, what are you going to redact out of it? 
 
DR: I thought the rule was that if I, as the data subject, request data about me, it has to be given. Is that not right? 
 
TF: No. There are plenty of exceptions. You can refuse to give information to the data subject after the request if doing so will infringe the rights of others. This is phrased fairly broadly. For example, Dayle, you make this request to me and say you want all the information I have about you. So I locate this document and think, yes, this is clearly personal information about Dayle. But if this report also has in it my opinion about somebody else’s behaviour, that report becomes personal data about them. Dayle, you may or may not even realise that this information about the other person is in the report. It may or may not be relevant to you and, even if it is relevant to you, does your interest in having that information outweigh the privacy interests of the other person who isn’t even involved in this request? 
 
DR: I have another question. I can’t imagine ever asking for data about me from an employer or former employer. Why would someone do that? What is the issue that makes someone make a data subject access request? What’s going on there? 
 
TF: Ok. Under GDPR, the ‘why’ doesn’t matter. But for general interest, there are all sorts of examples, like maybe an employee is a little bit paranoid and may be worried about what people are writing about them in their HR file.  
You’ve got other situations when the person is not paranoid at all, rather they’re in a conflict with their employer. Maybe they’ve been made redundant, or maybe they’ve been through a redundancy consultation process and they don’t like the final result, for instance, finding themselves in a group of employees they don’t think they should be classed in for the purposes of the consultation. They may want to see how this decision was made.  
So, one of the ways they could maybe get at that is to say to their employer: “Look, I’m not going to fence with you, I just want to see what personal data you’ve got about me because the GDPR says, as a data subject, I can make that request.” The GDPR also says the employer has to fulfil that request, subject to some relatively narrow exceptions. It’s those exceptions where the employer can have difficulty.  
When GDPR was new, I think it was a common reaction for employers to say: “I’m not going to respond to that data subject access request because the employee is suing or they’ve filed an employment tribunal case.” That is not an appropriate response. There’s nothing in the GDPR that says data subject access requests are invalid when there is also a tribunal case going on. You still have to fulfil that request. 
Now that we’re deep in the GDPR era, it could be that employees are more likely to make those data subject access requests because they are more aware of those rights. But those rights have been around for a while. Data subjects have had the right to ask for access to their data, and it’s always been theoretically possible for an employee to turn to their employer and say: “Give me the personal data you have about me.” – they just haven’t been doing it. 
I think what solicitors for employers are seeing more and more is that this is becoming a, I wouldn’t say an automatic thing, but more and more solicitors are telling the employees to do this as one of the first steps. Whether the employee has been made redundant or they’ve been terminated with cause, or there’s been a grievance or disciplinary process that the employee has been through, there are going to be records from that. And there should be records to show why this person was terminated and what the steps of that process were. The employee could be wondering what the HR member wrote about them or what other people said about them – if that information is sitting in the employer’s files, the employee has a right to see it [unless the employer can point to a valid exception]. 
 
DR: Is there a time limit on this? What if I wanted to ask a company I was made redundant from years ago?  
 
TF: Good question. For you as a data subject to go to your ex-employer and say: “I want to see what personal data you have about me”, there is no time limit on that. The limit is whether or not they still hold information about you.  
Anyone at any time can go to any organisation and say: “Here’s my name. Are you processing any personal data about me?” And by the way, “processing” doesn’t mean they have to be doing anything with your data – just having your information in their file is a form of processing.  
Ok, so your questions to the organisation would be: “Do you have information about me? If so, what do you have?” Anybody can ask that about any organisation. The answer will either be yes or no, we have information about you or we don’t have information about you.  
Dayle, in your case since you worked for them, it’s pretty clear they did have personal information about you at some point, and they may or may not have deleted that information, or anonymised it, or purged it from their records somehow. You always have that right. 30 years from now you could go to them, identify yourself, and ask them to look through their files and see if they have anything about you. 
 
DR: Ok, so how would that work? Would that entail them sending me a whole ton of paperwork or batches of emails to look through? From an employer and HR perspective, I can imagine looking through everything would be pretty time-consuming for them? 
 
TF: You’re right, there is a certain point where the employer can say: “Look, the effort required here is disproportionate”, or if the request is abusive or repetitive from the data subject. At a certain point the employer can say: “We’re not doing this because of these reasons.” But those reasons are fairly difficult exemptions to rely on.  
The presumption is the employee is entitled to that information – you at least have to try to do a search through your filing cabinet and your emails. Search for the person’s name and see what you come up with.  
And that’s just it – the employer then has to document somehow that they’ve actually looked through their records before they reply. They can’t just give a boilerplate response and say: “We’ve searched our records and we can’t find anything about you.” If that’s the response they send, they better have searched their records, they better have done what they said they did in that letter.  
If a response to a data subject access request isn’t credible and the employee complains to the Information Commissioner, the employer will need to demonstrate what they did exactly to respond to your request, that is, the steps they took to look for and supply the information. 
 
DR: But how would you do that? How could you prove you did what you said you did?  What about looking through the server log? Would that be the easiest way? 
 
TF: I suppose? This is definitely where you are exceeding my IT and cybersecurity expertise. Let’s think about it though. Could you lie about what you’ve done and get away with it? Well, I imagine people do that all the time. 
 
DR: Ok, I guess my question was less about ‘lying’ and more about, you know, the employer saying: “I sent Margie down to the filing cabinet. She had a look and didn’t find anything. What more do you want me to do?” That kind of thing. 
 
TF: I would guess the ICO (Information Commissioner’s Office) would probably say: “Well, let’s have a chat with Margie then.” But I think we’re kind of going down a bit of a rabbit hole here. (laughing)  
I think the principle really is: if a data subject asks you to look for information, you need to have a process for doing that, and demonstrate you’ve actually followed that process. You normally do this by keeping records. Employers should have a written process that says: “When a DSAR comes in, it goes to this department; these are the steps this department takes; these are the different places they need to look.” 
 
DR: Ok, so should people have DSAR training? What if I, as an employee or former employee, called up reception at my current or old company with a data subject access request, and the receptionist says: “Hi Dayle. You want your data? Sure, just leave it with me.” The company, not just the receptionist, has to do this within a certain amount of time, right? My request can’t just sit there in reception? 
 
TF: Correct. I wouldn’t go so far as to say that everyone needs DSAR training, but that’s part of the process we talked about before that the organisation needs to have in place. They need to think about where these requests are likely to arrive from.  
So, if they’ve got a properly set up privacy notice on their website, for example most organisations have their own website, it will say: “If you’ve got questions about the personal data we have about you, contact privacy@xyzcompany.com or what have you. Here’s also a postal address and phone number – ask for the Data Protection Officer or the Privacy Team”, for example. If you provide that kind of information on the website, then that’s great.  
The next step is, every member of staff should know that when someone is asking about personal details or about privacy or about what the company knows about them, then they should know the place to point them to. If it’s an employee, I would point them to the people team or HR. And absolutely every organisation’s HR team should have, if not a GDPR expert, certainly a GDPR champion – somebody who’s got enough awareness to be able to flag issues, recognise that what we’re dealing with is a personal data issue, that it needs to be routed within the company correctly, and knows where and who to turn to.  
That GDPR champion within HR would then work with the privacy team. But maybe you’re a smaller organisation and don’t have a separate privacy team – you need to have one person who understands enough about privacy issues to be able to handle the issue for the company. Whether that means referring it out, going out and finding some expertise when needed, or whether they’ve got enough expertise to handle it in-house, either way you need a ‘privacy point-person’, and everyone else in the company needs to know who that is. Everyone needs to know who and where to route these requests. 
 
DR: I assume the privacy person could get some kind of badge? 
 
TF: Maybe a sash? Or a tabard like a fire warden? 
 
DR: If it were me, I’d want a cloak and a sceptre. A data sceptre. It would be like a large USB stick with a hand-hold. 
 
TF: An encrypted one, I hope. So yeah, you were asking about GDPR and how that plugs into DSARs (data subject access requests), how DSARs come up and why an employee would ask or file a DSAR. I think the most common scenarios would be redundancy, discipline, possibly even that they didn’t get a promotion that they thought they should get – DSARs can come from people who are still working for you. Maybe they’ve received a poor performance rating and they want more information.  
There are all sorts of different scenarios that people could suddenly think up that this company or someone within this company has written something about me or has got something in their records that says something about me, and they want to know what it is. 
 
DR: These are things that I would never have thought about, if I’m honest. 
 
TF: And honestly, I’d never thought about it either until I actually saw it happen. A company I was working for, probably a year or so after the GDPR came into effect, we had at least two of these ex-employee data subject access requests going on at the same time. And this was an organisation that had resources. It’s not like it was a small operation; it was a big company.  
So, it had the resources to handle it, but that doesn’t mean it had the processes to handle it efficiently and, specifically, in making sure that the request was actually routed to the correct place so the request could be dealt with in a timely fashion.  
You know, you only have 30 days to respond to a data subject access request, and that sounds like a lot of time but it’s not. It’s not, especially if the request gets lost for the first 15 days because someone didn’t know they needed to forward it to someone else. 
 
DR: 30 days – is that working days or calendar days? 
 
TF: It’s calendar days. 
 
DR: So, Saturday, Sunday, Bank Holidays – they’re all included? 30 days, that’s it? 
 
TF: 30 days. It’s quick. 4 weeks functionally, so it disappears in a hurry. 
The point is the importance of having a DSAR process in place before a DSAR comes in. It doesn’t have to be a massive training programme that everybody goes through to learn about data subject access requests. But what everybody probably does need to know within probably every organisation: everybody should understand what personal data is, they should be able to flag when they’re handling it, and they should definitely be able to flag when they’ve been asked to provide information that involves personal data. 
--- 
transcript end 