Managing data subject access requests (DSARs), data protection complaints, and other individual rights requests can be challenging at the best of times. It is even more so in today’s climate of greater data protection awareness, use of AI , tight internal resourcing and the statutory time limits for your response
If you’re receiving complex or high volumes of requests and you don’t have suitable processes in place to manage them and provide appropriate responses, it can quickly put pressure on your organisation’s internal resources. This is increasingly the case where requests are generated or expanded using AI tools, or where individuals submit repeated or wide-ranging requests using template wording.
At the other end of the scale, if you have never received a request or complaint, or very few, it can be difficult to know what a compliant response looks like. Whether the number is large or small, add in the tight statutory timeframe and the fact that you can’t charge a fee (in most cases), and things can get pretty tense and difficult to manage.
We are often asked to step in where organisations are facing repeated, wide-ranging or technically difficult requests, or where they need support in documenting a reasonable and proportionate, and ultimately defensible approach.
Why not let us share the load? We can help you take a practical and proportionate approach. Our extensive data protection law experience means that we can support you in handling requests efficiently, while keeping an eye on risk, scope and regulatory expectations. This may include helping you to assess the scope of the request, seeking appropriate clarifications, and advising on reasonable and proportionate searches, exemptions and defensible response strategies in light of current law and regulatory guidance.
Likewise, if you’ve received a complaint in relation to your data-processing activities, we can help you to respond with confidence .
Then, when the dust has settled, if you need a hand with designing or reviewing your policies and processes on handling individual rights requests or with training your staff on how to respond, we can work with you to put in place a clear and workable approach, for triage, scoping, escalation and record-keeping.
Don’t forget that DSARs are often made exponentially more complex where the organisation has been hoarding data well beyond its use by date. Getting your house in order before the DSAR lands should be treated as a high priority. For example, make sure you understand what data you process and where, which third parties are involved, what your security measures look like, and what your retention policies are. This will all help greatly, alongside ensuring up-to-date privacy notices are in place to help provide supplemental information required alongside the DSARs and other rights requests.
Case Study