Navigating DSARs together

Since GDPR came into place in 2018, we have all been more mindful of what our requirements are and what position we play in terms of storing and sharing data. A lot of charities (and businesses) are still very nervous around this legislation and how it impacts them, so I wanted to host an event, bringing together charities from across the sector to network, ask questions and share best practice.

I was delighted to be joined by Stuart March, Head of Data at Stonewall who chaired this week’s event. Stuart talked us through practical steps on how they manage Data Subject Access Requests (DSARs) at Stonewall with contributions from other Data Managers across the sector.

As this is such a tricky subject, I wanted to share 5 top tips and advice from Stuart’s presentation.

Requests for data can be phrased in various guises: 

• It’s important to encourage your teams to understand the different varieties that requests can be worded

Applicants are entitled to receive:

• Copy of personal data, purpose, categories of data being processed, recipients of data (esp. overseas), source of data, the existence of profiling, and other automated processing 

Ask for a form of ID:

• Passport, driver’s license, birth certificate, utility bill, bank statement
• Be careful you don’t end up collecting more data on an individual during this process

Be aware that the 30 day period doesn’t start until you have confirmed the identity of the individual

• Ensure this doesn’t delay the process, make sure you document reminders
• Manage their expectations
• Schedule a meeting with a 5-day buffer from the deadline if exemptions/redactions occur

Shared accountability and shared governance is important 

• One person should not be responsible for the end-to-end process
• Always keep a full unredacted copy – password protected on a hard drive, as well as an intranet page

Hopefully, these tips will be helpful for your teams as and when these requests come up