Data Subject Access Request (DSAR)
The General Data Protection Regulation (GDPR) provides data subjects with a number of data protection and privacy rights, including the ‘right of access’, i.e., the right to receive a copy of all of their personal data that is held by a particular organisation. This right is exercised by data subjects making a data subject access request (DSAR), which organisations are, in almost every circumstance, obligated to fulfil.
Responding to and fulfilling DSARs in full compliance with the GDPR can often be an extremely complicated process; the data subject cannot be provided with any data that identifies another living individual, and any information that does (directly or indirectly) identify another living individual will need to be redacted. Certain elements of the data may also need to be redacted in line with the legal exemptions (circumstances where you do not need to provide a data subject with their data) defined in Schedule 2 of the Data Protection Act 2018 (DPA 2018). Due to the extensive data protection knowledge and specialist skills required to compliantly perform such a task, and the time limit of (in most cases) 30 days to fulfil these requests, responding to DSARs can be an extremely arduous and inconvenient process for organisations.
URM can provide these skills through its knowledgeable and experienced Data Protection Team, offering an outsourced DSAR management service. Our consultants are able to apply the appropriate redactions to any documents supplied, delivering a human, rather than an electronic, solution, which is strongly believed to be more effective and appropriate. As guided by the Information Commissioner’s Office (ICO), it’s essential to understand the context of a DSAR, and this can only really be achieved where the raw material is read by a human eye.
URM’s data protection experts can manage the whole DSAR process; once the raw data has been gathered, URM will sift through, remove duplicates, and identify the correct documents for redaction and disclosure. Following the redaction service, URM is able to package the DSAR together for disclosure – all within the time limit defined by the Regulation. If required, URM is also able to act as your representative with the UK regulator where a DSAR is contested.
Meanwhile, if you would like to develop your internal teams to become more confident and compliant in their management of DSARs, URM delivers a 1-day ‘How to Manage DSARs’ training course which provides clear and practical instruction and guidance on dealing with all aspects of a data subject access request (DSAR).
Why URM?
Track record
URM’s DP and GDPR consultants have extensive ‘real world’ experience as both practitioners and subject matter experts working at a senior level within business and in their data protection consulting roles advising organisations on best practice. With a 19-year track record assisting organisations to comply with legislation such as the Data Protection Act, the GDPR and local country-specific legislation, URM has earned a reputation for adopting a pragmatic and business appropriate approach.
Flexible service offerings
A key differentiator between URM and other data protection service providers is our flexible service offerings. Our virtual DPO service can be customised to your precise requirements, in terms of the type of support you require and the frequency of site days (remote or on site) etc. Equally, with our remediation support, URM can assist you in addressing any gaps identified and achieving full GDPR compliance. We can also help you maintain that compliance with GDPR auditing services.
Knowledge transfer
URM prides itself on its knowledge transfer philosophy and training expertise which helps to ensure that you not only understand what the principles and requirements of the GDPR are but how to best meet them.