Why your organisation should be worried about DSAR non-compliance

Has your organisation been receiving more DSARs (data subject access requests) than usual? If so, you’re not alone. In fact, one report has found that there was a 66% increase in requests last year.

Although the pandemic may have contributed to this increase, with furloughed staff wanting to know what information their employer stores on them, that probably only partially explains what’s going on.

A much bigger factor is the public’s growing awareness of data privacy and their rights under the GDPR (General Data Protection Regulation).

Since the Regulation took effect in May 2018, there have been several high-profile instances of organisations misusing people’s personal data, and discussions on the effects those practices have.

Just last month, Amazon was hit with a €746 million fine for allegedly failing to meet the GDPR’s consent requirements when obtaining people’s personal data.

Without oversight on the purpose of that data collection, it’s impossible for individuals to understand if their information is being used reasonably.

But the GDPR isn’t just about disciplining organisations that suffer data breaches or fail to meet documentation requirements. It also enshrines certain rights for data subjects, and makes it easier for them to exercise those rights – which they can do via a DSAR.

How do DSARs work?

DSARs are the result of the GDPR’s right of access – one of eight data subject rights included in the Regulation.

When an individual submits a request, organisations must provide a copy of any relevant information about them.

A request might refer to specific personal details or processes for which the organisation processes that information, in which case you only need to provide relevant information.

Organisations are obliged to fulfil the DSAR “without undue delay”, and within one month of receipt.

Where requests are complex or numerous, organisations are permitted to extend the deadline to three months. However, they must still respond to the request within a month and explain why the extension is necessary.

Preparing for DSARs

If you don’t already have a set procedure for responding to DSARs, now is the time to act.

Although the process is one of the more straightforward aspects of the GDPR, it is still fraught with complications.

Indeed, the Irish Data Protection Commission found that 27% of all complaints it received last year related to DSARs, demonstrating how many organisations struggle to meet their compliance requirements.


Those looking for advice on how to prepare for DSARs should look at our GDPR Toolkit.

It contains everything you need to comply with the Regulation, helping you to formalise your approach to compliance while saving time and money.
