How to respond to DSARs (data subject access requests) during the COVID-19 pandemic

As organisations adjust to the chaos that the 2019 novel coronavirus (COVID-19) has brought, they are bound to be limited in the business processes they can perform.

Among the problems they face is the ability to comply with the GDPR (General Data Protection Regulation) – and in particular to respond to DSARs (data subject access requests).

With many employees working from home – and the increasing prospect of workforces facing depleted staff through illnesses or furloughs – it can be challenging to meet the Regulation’s DSAR response deadlines.

Luckily, there’s good news for those struggling to cope.

Organisations have more leeway

Regulators across the EU have published guidance on how organisations should handle their GDPR compliance requirements during the COVID-19 pandemic.

They state that although it’s not possible to extend the statutory requirements – because they are written into law – regulators understand the problems organisations face and won’t penalise those who are unable to comply.

That is, provided they perform certain actions. For example, it may be possible to respond to a DSAR in stages. If various employees who share responsibility for handling requests are all working from home, they should still be able to communicate on the steps that need to be completed.

If there’s a reason that organisations can’t do this, they should document their reasoning when responding to the data subject.

One instance where this would apply is if personal information is only available in physical form in the office. Employees shouldn’t be expected to go into work specifically to get this data – your physical safety should always be the priority during this pandemic.

Instead, organisations can omit this information for now and explain the situation to the data subject. Once travel restrictions are lifted and employees can go back into the office, they should follow up with the data subject and provide copies of any physical records they have.

Organisations also have the option of extending the one-month response deadline. The GDPR states that if a request is complex, organisations can request an extra month to provide the necessary information. Under these circumstances, being unable to access your files is likely a legitimate reason to use this exception.

Whatever way you proceed, you must document your reasoning and let the data subject know. Effective communication is always important when it comes to the GDPR, and there is so much uncertainty surrounding COVID-19 that you must let individuals know that you’ve acknowledged their request and are dealing with it as best as you can.

Want more GDPR advice?

As the COVID-19 crisis wages on, GDPR compliance is more important than ever. Cyber attackers are already trying to profit from the disruption and uncertainty, and it can hard for you and your team – isolated in their homes – to navigate these risks.

Fortunately, we have everything you need to cope with these disruptions. Most of our products and services are available remotely, so you can address your cyber security worries without jeopardising your physical security.

Those who want guidance on how to manage their data protection requirements in this time should take a look at our Certified GDPR Foundation Distance Learning Training Course.

This one-day course provides a comprehensive introduction to the Regulation, explaining how it works and the steps you can take to comply.

Find out more

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.