Transcript: Understanding and Handling DSARs

Monika Gorska: Today we've got our data protection team, Stephanie, Rebecca and Jack, who will be talking to us about the very interesting subject of data subject access requests. So, without taking any further time, I'll hand over to Stephanie who will kick us off today.

Stephanie Baker: Thanks so much, Monika, and good morning, everyone. Thank you very much for joining us on this Thursday morning. We're really happy to have you with us and discussing today's very exciting topic, which is DSARs.

The purpose of the session today is to provide you with an overview of the DSAR process and hopefully equip you with the knowledge you need to effectively manage your DSARs.

But firstly, just a few introductions. As Monika said, my name is Stephanie and I'm joined by my colleagues Rebecca and Jack, and together we're part of PwC's Digital and Data team, which is headed up by Chris Cartmel.

So what do we do? Our team basically advises clients on digital laws and regulations, including those in relation to personal data, which is what we're focusing on today.

We like to think of ourselves as thought leaders. We've got a strong track record of working with a wide range of clients that includes governments, regulators and businesses, and we provide support to our clients on a very broad range of matters as well.

We generally assist on the UK and EU GDPR, which probably doesn't come as much of a surprise given today's topic, digital and direct marketing, commercial contracts, data subject rights handling, and also everyone's favourite topic at the moment, artificial intelligence.

So the agenda for today's session: we'll start off with what you need to know as in-house counsel, including a quick overview of what a DSAR is and why timely and effective responses to them matter. We'll then introduce a mock DSAR and we'll take you through four phases of the DSAR process.

Firstly, triage and review, followed by conducting searches, then on to review and redaction. We'll then have a couple of breakout sessions as well after that section. And then finally, we'll finish up with issuing the response.

We thought it might be helpful just to have a little bit of a refresher on what data protection is and a couple of our kind of key terms that we use.

The data protection laws govern the processing of personal data, and they apply to all sectors in the economy with the aim of protecting the rights and the freedoms of individuals.

The intention behind our data protection laws is to essentially put people in control of their data and to improve how their personal data is handled and used.

The General Data Protection Regulation, which you've probably heard of as the GDPR, is the cornerstone piece of legislation in the EU that governs how personal data can be processed and used.

And now we've also got UK GDPR, which is essentially the same as the EU GDPR, but it was incorporated into UK law following Brexit, just with a few technical amendments to make sure that it actually works in that UK context.

We also have the Data Protection Act of 2018, which was the UK's implementation of the GDPR and still supplements UK GDPR by filling in details of the areas where the GDPR has actually allowed for those national variations.

The DPA also covers processing of personal data by law enforcement agencies, intelligence services and also other areas that are actually covered by the GDPR.

We've got supervisory authorities as well that monitor and enforce the GDPR. So, in the UK you may have heard of the Information Commissioner's Office or the ICO and you'll definitely be hearing us refer to them throughout the session today.

On to some key definitions. So one we've already used quite a lot: personal data. Personal data is any information that relates to an identified or an identifiable natural person.

So it's a very broad definition. It can include basic information such as your name and e-mail address, but there's also special category data, which is personal data with a little bit more of a sensitive element, so it requires a higher standard of protection.

So that would include things like race, sexual orientation, religion, and genetic or health data.

Another term you've probably already heard me use is processing, which is any operation that's performed on personal data, including collecting it, storing it, using it, disclosing it, and then a couple of times we'll use throughout today a data controller and a data processor.

So the controller is the organisation that determines the purposes and the means by which the personal data is processed, and the data processor is the organisation that is processing the personal data on behalf of the controller.

And the last one that we have there is a data subject. That's just what we call individuals to whom the personal data relate.

And then the last point there, under data protection legislation, you may already know that data subjects have a number of rights in relation to their personal data.

So you might have heard of some of these before. There's the right to be informed. There's the right of erasure—you might have also heard of that as being referenced as the right to be forgotten.

Today, however, we're focusing on DSARs. So the right that we're most interested in for the purpose of today's session is the right of access.

Stephanie: And I'll pass over to Rebecca to take us through what a DSAR is.

Rebecca Vernon: All right, lovely. Thank you, Steph, and good morning everyone. It's lovely to see so many people joining us today.

So some of you may not be familiar with this area or some of you may be very familiar, but some of you might be wondering what exactly is a DSAR or what does it stand for?

So DSAR is short for a data subject access request. And this is a request made by an individual to an organisation simply asking for their personal data, basically.

And as part of the right of access that Steph's just taken us through, individuals have the right to know what personal data is being held about them, how that personal data is being processed and for what purposes.

So this right empowers individuals to gain insight into the data held by organisations and to ensure their data is being handled lawfully.

It's very important to note that anyone can make a DSAR and this is obviously a huge pain point for organisations, particularly if those DSARs are made by current employees or former employees, because in that context they often can be quite contentious and triggered by grievances, for example, investigations, tribunals, redundancy processes, etc.

So it's very important for organisations to have a process in place for recognising, handling and responding to DSARs effectively as responses are generally required within one calendar month.

Similarly, you do not need to use the word DSAR when making requests and it can be sent to anyone in the organisation.

In some cases, the time frame can be extended up to three months where the request proves to be particularly complex. But we will come to this a little later on.

Next slide please.

OK, so what should we know about DSARs? So essentially what we're asking here is, why is this relevant to us as lawyers and to maybe you, some of you guys as in-house lawyers?

So the role of in-house lawyers can differ in every organisation. So some of you on this call may have your specialties and you might have particular areas of expertise, whereas some of you might just be a jack of all trades, general counsels, etc.

So some of you may be thinking why would I need to be involved in fulfilling DSARs, especially if, for example, your organisation has a dedicated privacy team or if DSARs might be outsourced to third parties to deal with.

So in many cases, the in-house legal team will want to be involved in DSARs, particularly those DSARs that are being made by employees and former employees because there's broader corporate risks that are involved.

So for example, a potential employment tribunal claim could come out of a DSAR. So it's something that you definitely want to be involved in. More broadly, as the in-house team, you will have an interest and responsibility in ensuring that your organisation complies with its legal obligations under UK GDPR and under the Data Protection Act.

Non-compliance can result in significant fines of up to £17.5 million or 4% of annual turnover, as you can see on the second point of the slide there, as well as reputational damage, etc.

So it's something you definitely need to have on your radar.

On the flip side, responding to DSARs effectively will also demonstrate your organisation's commitment to transparency and data protection, which will in turn foster trust with your employees and your data subjects.

So ultimately, DSARs definitely deserve their time in the spotlight. And we know this because the right of access is the area that the ICO, our regulatory body and supervisory authority in the UK, receives the most complaints about.

So as you can see from the slide, in 2024, for example, DSAR complaints to the ICO rose by 15%. And this is why there is just basically so much regulatory focus on DSARs and organisations will likely be liaising with the UK regulator about DSARs more than any other data protection topic.

Similarly, since the establishment of the GDPR, individuals have become much more aware of their rights as data subjects and it has been enhanced by certain noteworthy events in the news and the media.

Some of you might remember a particular story relating to Nigel Farage, who's now the leader of Reform UK and his bank, in which he claimed that his account was closed because of his political views and he asked for a DSAR to confirm that information.

So this type of publicity has resulted in a substantial increase in the number of DSARs received by all financial institutions across the UK and it's become poignant in the media.

OK, so I'm very aware that Steph and I have been ambushing you with some information for quite some time. So let's just take a little bit of a breather and test some of your knowledge so far.

So, true or false: You can designate a single e-mail address in your privacy notice where all DSARs must be sent, otherwise they will not be deemed valid.

So a poll should have popped up on the right hand side of the screen. And please tick true or false for this tester. And believe me, the answers are anonymous, so don't feel like we're marking you. And yeah, thank you very much. Give me a couple of seconds more for that.

OK, and can we get the answer?

It is of course false. Individuals can send a DSAR to anyone they like, as I mentioned, and they don't even actually have to say "I would like to send a DSAR." They don't even have to mention the word DSAR in that right. And they don't have to say "I'd like to exercise my rights." They don't even have to be that clear at all.

It's actually the responsibility of the business to recognise a DSAR when it comes in and to respond to it appropriately and within the correct time period.

Thank you very much and back over to Steph.

Stephanie: Thanks, Rebecca. So we're moving on to our mock DSAR scenario now.

Let's set the scene. Imagine you are a commercial lawyer in a UK company with around 2,000 employees. You've just got off the phone with a colleague in HR who's been handling an employee grievance, and things aren't really looking that good.

The employee, Sally Smith, has included the following wording in her latest e-mail to HR: "I'm extremely disappointed in the way you've handled my grievance. I'm now asking for a copy of all the information that this company holds about me, including everything in my personal file. I also want all written communications between anyone at the company for the entirety of my employment, including over e-mail, Teams or WhatsApp. You should search for my name and any nicknames including Smithy."

Sally Smith's been working at the company for the past ten years in various different capacities and her e-mail is dated the 20th of January 2025.

Building off the true or false question, we can see that this request is quite clear. You'd hope that it would have been recognised as a DSAR.

There are a few points that stand out to me initially. You've got a long-serving employee who seems to have had a lot of different roles. There's the added complexity of a grievance process happening. She's asking for a lot here: all of her personal data, specified over e-mail, Teams, and WhatsApp, and wants us to search for her nickname as well, which could be a little bit difficult. From her request, we can gather she really just wants to know what anyone in the company has been saying about her.

Before we dive into Sally Smith's DSAR, let's just take a high-level look at how we would generally recommend breaking down that practical DSAR process.

The first step is triage and review of the DSAR. At this stage, we review and assess the scope of the data subject's request. Then we move on to actually carrying out our searches—setting search terms and parameters to help us find the information requested under the DSAR. That might also require us to engage with other stakeholders.

Next is review and redact. Here, we review the output of those searches and potentially redact or withhold any information that should not be disclosed as part of the response. The final step is responding to the data subject: preparing the final response, including any supplementary communications, and sending that to the data subject in a secure format.

We'll now go through each of these stages in a little more detail, with reference to Miss Smith's DSAR. I'll hand over to Jack.

Jack Pickering: Starting off with the triage and review process, we'll be looking to assess the scope and feasibility of the DSAR itself. There are six key questions to consider.

The first step is verifying the data subject's identity, so we know what data they're entitled to. If Sally was a former employee sending this from a personal e-mail address, that would be pretty hard to do. In that case, we'd need her to send a photo of her ID, for example, but that might not be necessary if she's a current employee using her work e-mail address.

Next, we need to consider why the DSAR has been made. It's good to know if this DSAR came as a result of a work-related grievance or other kind of incident. That way, we can look for any "hot documents" like details of complaints and proceedings.

One of the most important things to do is to check whether we can clarify the request in any way. That helps us narrow down the scope of information we have to look for, reducing the time and cost of the DSAR process, and ensuring the right information for Sally is found.

Looking at Sally's e-mail, she's asked for all written communications between anybody. "Between anybody" is potentially quite an unmanageable amount of data. So we can look for key individuals she works with, people involved in the grievance, anything like that. To narrow down the scope, we should also consider date ranges. In this case, Sally's asked for documents relating to the entirety of her employment—that again, might cause an unmanageable amount of work.

A key benefit of asking for clarification from the controller's perspective is that it stops the clock and pauses the time frame for us to submit our response until they respond.

Next, we'll look to take a view on anything we can flag at this stage. One thing I notice is that the name Sally, and especially Smith, might be particularly common at the company. That will result in a huge number of search results. The best thing is to see if we can accompany those words with additional search terms, such as Smithy, to narrow the scope.

Even if Sally doesn't provide further details, you don't have to use only the specific search terms she's suggested. We can look for reasonable additional keywords. The key thing to remember is that the searches we're obligated to do need to be reasonable and proportionate.

That leads to the next question: can you actually refuse to respond to a DSAR? Technically, yes, but only in situations where the DSAR is manifestly unfounded or excessive. That's a particularly high threshold to meet, but there are some factors to look out for.

To be manifestly unfounded, the individual needs to clearly have no intention to exercise their right of access. For example, if Sally makes a request and then the next day offers to withdraw it in return for a payout or other benefits. You might also come across a request that is vexatious and being used to harass an organisation, which can happen with disgruntled ex-employees.

Manifestly excessive, on the other hand, is when it's clearly unreasonable, based on whether the request creates a disproportionately high burden or cost.

Finally, we have to identify the deadline for the response. The standard DSAR deadline is one calendar month starting from the day we receive the request. That's the corresponding day the following month. There are a couple of ways to extend that deadline. We can stop the clock by seeking clarification, but the deadline can also change if the DSAR is particularly complex.

What is complex will often depend on whether there are technical difficulties in retrieving that information, particularly high amounts of sensitive information, or if any specialist work will need to be involved. In general, a large data set by itself is not sufficient to be complex; you'll need that sensitive or specialist layer.

Just before we move on to the next phase, which is carrying out the searches themselves, we have another quick true or false question.

So, true or false: you must do everything that you can to locate the personal data that has been requested.

The answer is false, because we're only obligated to conduct searches that would be reasonable and proportionate. Rather than doing everything in our ability, we must make reasonable efforts to locate the personal data.

OK, on to the next part of Mrs Smith's DSAR story.

Rebecca: As Jack said, on we go with Mrs Smith's DSAR story.

After the triage and review section, we decided to ask Miss Smith to clarify some aspects of her DSAR to help us locate the information she's requested. Helpfully, she has provided a clarification, which is always useful.

She said to us, "I still want my entire personal profile, but I'm actually only looking for emails, Teams messages and WhatsApp messages within the last year. In particular, I want any communications to or from Adam Anderson, Jessica Jones, Catherine Campbell and Danny Davies. I don't need anything else."

As you're in the legal team, you don't have access to a number of the systems in which Mrs Smith's personal data is stored, so you're not sure how to obtain it. Your company does not provide work mobile phones and you're feeling quite nervous about potentially asking your colleagues to share their WhatsApp messages from their personal phones. A quick call to HR confirms that there are 36 other employees at the business with the surname Smith.

There are a number of things you can do in advance of a DSAR which can save you work and definitely headaches in the future when you're trying to find information requested.

First, consider the scope of the DSAR itself. We know that Sally Smith has asked for her personal file, her emails, her Teams messages and her WhatsApp specifically. The interesting one here is WhatsApp. The company in question doesn't give staff work mobile phones and they don't use WhatsApp for work purposes on their personal phones. This means the company is not the controller for any personal data that its employees may have in WhatsApp on their personal phones. So the WhatsApp messages are out of the scope of the DSAR and no search would be required.

Second, you need to identify who your internal stakeholders are—who is going to help you export data from the system and who will help you run those e-mail searches, for example. In some cases, you might need to identify external stakeholders, such as a service provider acting as your data processor, to export data directly from their platform. Ideally, this is something you would carry out prior to actually receiving a DSAR, so you know exactly who to contact because you're still under that time pressure.

In Sally Smith's case, we need someone who can obtain her personal file and someone who can run an e-mail and Teams search.

The next important step is to identify the appropriate search parameters. These could include keywords, date ranges, names of other relevant individuals—line managers or people working in the same team. Applying this to Miss Smith's DSAR, asking her to clarify the scope has really helped us because we now have a better understanding of the information she's actually looking for.

Some good search parameters would be Sally Smith or Smithy, as she mentioned, a key date range, and the names she's mentioned: Danny Davies, Catherine Campbell, etc.

The controller will then need to carry out the searches across their identified systems using those parameters.

Importantly, a controller's obligation is to carry out reasonable and proportionate searches. It's very important to remember those two words: reasonable and proportionate. That does not mean you need to leave absolutely no stone unturned. As with many aspects of data protection, there's no one-size-fits-all approach. When you do these searches, document the searches you have carried out so you can justify why you believed, in your organisation, that the searches you carried out—putting in Sally Smith or Smithy, for example—were reasonable and proportionate in the circumstances, just in case you are challenged in the future by the ICO.

Finally, some top tips to reduce your search results. We see a lot of clients at this stage of the process who are struggling because they tend to find ridiculously large data sets. In one case I worked on, there were 14,000 spreadsheets in one DSAR, so it can be literally thousands and thousands of documents.

Here are our top three tips:

  • Do not be afraid to refine your searches. If you spend a little more time going through the search results, you can identify easy wins quickly. For example, for Miss Smith, you might find that Adam Anderson frequently emails someone called Sally Sharp. We know Sally Sharp is not our data subject. So you might want to exclude all of Sally Sharp's emails. Other easy wins could be excluding service messages, calendar invites, things like that, depending on the scope of the DSAR.
  • For DSARs from employees, agree with the employee that you won't include any emails that they have sent or received directly. Given that they've already sent or received these emails, they know what's in their personal inbox and probably don't want to see them again.
  • Consider your data retention practices. The less data you hold, the less data you will need to disclose in the future. It could also be a bad look if someone puts in a DSAR and you start releasing documents that are 10, 20, or 30 years old without justification for holding them that long. This could be alarming for the data subject and cause them to question your data protection practices further.

That concludes conducting searches. Back to Jack, on to phase four, which is review and redaction.

Jack: Reviewing and redacting is often the most time-consuming and labour-intensive part of the process. Many organisations, including PwC, develop and adopt technology specifically for this space.

As a general rule, if the personal data falls within the scope of the DSAR and there's no exemption, then it will need to be disclosed. So we need to know what the exemptions are.

Here are the most common exemptions relevant to DSARs, especially for employee-related matters. If an exemption applies, you are permitted to redact or withhold the personal data.

  • Legal professional privilege: communications subject to litigation or legal advice privilege, such as correspondence with legal counsel regarding employment tribunal claims.
  • Management forecasting: information which discloses future business strategies, such as redundancy plans.
  • Negotiations: details of ongoing contract negotiations or those in settlement agreements.
  • Confidential references: when companies request a reference on a prospective employee, if it's stated to be confidential, it needs to remain so.
  • Information that compromises the prevention or detection of crime or taxation: for example, investigations into tax evasion.
  • Third party personal data: if there is personal data relating to third parties, this should be redacted unless you have that individual's consent for it to be disclosed or if it's reasonable for non-consensual disclosure.

In Sally Smith's case, this means the senders and recipients of the emails containing her personal data should be redacted.

As best practice, always record the rationale behind withholding or redacting information. Different controllers may adopt slightly different approaches towards redactions, some more or less risk averse. Importantly, embarrassment is not an exemption. That was the case for what happened with Nigel Farage that Rebecca referred to earlier.

So before you send that Teams message complaining about your boss or about the political opinions about clients, just know that it might have to be disclosed in the future should they come knocking.

Now we're going to move to the redaction exercise, which will take place in breakout sessions. While that gets sorted, you'll either have myself, Steph, or Rebecca in one of those with you to talk you through some exercises.

As we are being moved to breakout rooms, you'll get a pop up on your screen asking if you'd like to join the breakout room. Please say yes, and we'll automatically take you there.

But hopefully you found them useful.

Stephanie: Perfect. All right.

So we're now moving on to the last stage of the DSAR process, which is issuing the response to the data subject. Next slide, please.

Although it is the last session we're going to talk about today, unfortunately DSARs don't always end as neatly as this slide might suggest. But first things first.

When providing a response to a DSAR, the controller needs to provide some supplementary information, which can generally be found in your privacy notice. Often, a controller will draft a response letter which could either set out that information again or simply provide a link to their privacy notice or a copy of it. Some organisations go one step further and provide the data subject with an FAQ sheet to provide additional context around the DSAR process or answer commonly asked questions, such as why some information has been redacted from the response.

In terms of the format of the response, generally we see controllers export data from their chosen review platform and provide it to the data subject electronically, either via a secure link or by sharing a password-protected file. However, I have had occasions where data subjects have insisted on receiving a hard copy of the response, in which case the controller would need to print out the response, package it up, and send it via registered post. That can be quite a big task depending on the size of the response.

Once the data subject has received and had a chance to digest the content of the response, they'll often have some follow-up queries, which is why having something like that FAQ document can be really helpful. It's also why it's so important to ensure that you have documented your decision-making process throughout preparation of the response, including any justifications for relying on certain exemptions to withhold or redact information.

Hopefully, something you gathered during the breakout sessions is that it's not always an exact science and there are some grey areas. If you are making a certain decision, it's always helpful to have that documented in case it's challenged.

Unfortunately, despite best efforts, a lot of DSARs will result in a complaint to the ICO. As we saw with some of the stats shared earlier in the session, data subjects are often quite unhappy when the response doesn't include that "smoking gun" they were hoping to find.

If you do find yourselves in a situation where a complaint has reached the ICO, you can generally expect them to ask you questions around your process and approach. For example, what searches were carried out? Why was certain information withheld? It's always very helpful to be upfront and as helpful as possible in those communications with the ICO. A good way of looking at it is that it's an opportunity to actually collaborate with the ICO, as hopefully both of you have the same aim in wanting to resolve the issue.

That brings us to the final update in Sally Smith's DSAR story. Let's imagine you've now completed your review of the data set. You've drafted the response letter, included a link to your company's privacy notice (which you've confirmed includes all the supplementary information you need to provide), and the response is packaged up and sent via a secure FCP to Sally Smith. You breathe a sigh of relief because you think it's all over now. Hopefully it is. But as we've just learned, there could definitely be some additional queries from Sally which you should be prepared to address if needed.

Given the context of this DSAR, relating to a grievance, I potentially wouldn't be so optimistic about this being the end of the matter. Even if it is, we'd always recommend taking a moment to look back on your approach. Were there any issues you could avoid for future DSARs? Did some things work well? Did some work badly? Taking that opportunity to review your process can hopefully make your lives a little easier in the future.

That brings us to the end of today's Legal Academy. You've got our details up on the screen in front of you. Please find us on LinkedIn if you're interested in anything we've talked about today. We're always posting thought leadership—it's not always on DSARs, but sometimes it is. We've also got a free privacy newsletter you can sign up for. Get in touch if any of those sound interesting to you. Thanks again so much for joining.

Monika: Thank you, Stephanie, Rebecca, and Jack. We do hope you found this session interesting. If you have any follow-up questions, please feel free to reach out to us and we'll see you in February for our next session.

Thank you.

Stephanie/Rebecca/Jack: Great. Thanks everyone. Thank you. See you in February.