Extract from Martin Bonney’s article “Using Nuix Discover to Help Law Firms with Data Subject Access Requests”
A couple of years back, when the GDPR was about to come into force, there was a great deal of talk about Data Subject Access Requests (DSARs)[1]. While European residents had long held the right to request their data, the fact that it was now free, and that there were potentially significant penalties for non-compliance, meant that many organizations expected a tsunami of DSARs. There was an increase, but perhaps not a tidal wave. Recently there has been speculation (in the wake of the COVID-19 pandemic and the associated job redundancies) that we are likely to see another surge.
It is important to understand that DSARs are about the rights of a data subject. A data controller must not only confirm whether it is processing the data requested and provide a copy, but also document:
- The purposes of processing
- The categories of personal data concerned
- The recipients or categories of recipient to whom the data has been disclosed
- The retention period for storing the personal data or, where this is not possible, the criteria for determining how long it will be stored