Understanding Subject Access Requests (DSAR): Best Practices and Penalties

In today’s data-driven world, the importance of data privacy cannot be overstated. One of the key components of data privacy regulations, such as the General Data Protection Regulation (GDPR), is the Data Subject Access Request (DSAR). This article delves into the best practices for handling DSARs and the potential fines for non-compliance.

What is a DSAR?

A Data Subject Access Request (DSAR) is a request made by an individual to an organization, asking for access to the personal data it holds about them. Under regulations such as the GDPR, organizations are required to provide this information within a specified timeframe, usually one month.

Best Practices for Handling DSARs

  1. Establish a Clear Process: Organizations should have a well-defined process for handling DSARs. This includes identifying the request, verifying the identity of the requester, and ensuring the data is provided within the legal timeframe.

  2. Use Technology: Leveraging technology can streamline the DSAR process. Automated tools can help in locating and compiling the requested data, reducing the time and cost involved.

  3. Train Employees: Regular training sessions for employees on data privacy laws and DSAR procedures can ensure that requests are handled efficiently and correctly.

  4. Maintain Records: Keeping detailed records of all DSARs and the actions taken can help in demonstrating compliance during audits.

  5. Communicate Clearly: Clear communication with the data subject throughout the process is crucial. Inform them of the steps being taken and any potential delays.

In 2023 the European Data Protection Board published Guidelines on Data Subject Access Requests. The Guidelines clarify the scope of the right of access, the information the controller has to provide to the data subject, the format of the access request, the main modalities for providing access, and the notion of manifestly unfounded or excessive requests.

Penalties for Non-Compliance

Non-compliance with DSAR requirements can lead to significant fines and penalties.

Under the GDPR, organizations can be fined up to 4% of their annual global turnover or €20 million, whichever is higher, for serious infringements. Even minor breaches can result in fines of up to 2% of annual global turnover or €10 million.

To date, the overall fines following GDPR breaches have surpassed €4.6bn and are continuously increasing. Check out the GDPR enforcement tracker for more statistics.

Conclusion

Handling DSARs efficiently and effectively is not just a legal requirement but also a crucial aspect of maintaining trust with customers. By following best practices and staying informed about the latest regulations, organizations can avoid hefty fines and protect their reputation.

EYD Subject Access Request Service provides your business with the functionality needed to securely manage Subject Access Requests and avoid fines.

Check out some Real-World Examples

Here are 15 notable breaches of Data Subject Access Requests (DSARs) along with references:

British Airways:

Fined £20 million for failing to protect customer data, including mishandling DSARs by not providing timely and complete responses.

H&M:

Fined €35.3 million for illegally monitoring employees and mishandling DSARs by collecting excessive personal data without proper consent.

Marriott International:

Fined £18.4 million for a data breach that included failing to respond adequately to DSARs, affecting up to 339 million guests.

Equifax:

Fined £500,000 for failing to protect personal data and mishandling DSARs by not providing requested information within the legal timeframe.

Google:

Fined €50 million by the French data protection authority for lack of transparency and mishandling DSARs by not providing clear information on data processing.

Cathay Pacific:

Fined £500,000 for failing to protect customer data and mishandling DSARs by not responding adequately to access requests.

Uber:

Fined €10 million for making it unnecessarily complicated for drivers to submit DSARs and not providing clear information on data retention.

Facebook:

Fined £500,000 for data breaches that included mishandling DSARs by not providing timely and complete responses.

Ticketmaster:

Fined £1.25 million for failing to protect customer data and mishandling DSARs by not responding adequately to access requests.

British Telecom (BT):

Fined £385,000 for failing to protect customer data and mishandling DSARs by not providing requested information within the legal timeframe.

Yahoo:

Fined £250,000 for failing to protect customer data and mishandling DSARs by not providing timely and complete responses.

Wind Tre:

Fined €16.7 million for mishandling customer data and DSARs by not providing clear information on data processing.

Dixons Carphone:

Fined £500,000 for failing to protect customer data and mishandling DSARs by not responding adequately to access requests.

Telecom Italia:

Fined €27.8 million for mishandling customer data and DSARs by not providing clear information on data processing.

Eni Gas e Luce:

Fined €11.5 million for mishandling customer data and DSARs by not providing clear information on data processing.

These cases highlight the importance of properly handling DSARs to avoid significant fines and maintain customer trust.