Extract from Martin Bonney’s article “Using Nuix Discover to Help Law Firms with Data Subject Access Requests”
A couple of years back, when the GDPR was about to come into force, there was a great deal of talk about Data Subject Access Requests (DSARs). While European residents had long held the right to request their data, the fact that it was now free, and that there were potentially significant penalties for non-compliance, meant that many organizations expected a tsunami of DSARs. There was an increase but perhaps not a tidal wave. Recently there has been speculation (in the wake of the COVID-19 pandemic and the associated job redundancies) that we are likely to see another surge.
It is important to understand that DSARs are about the rights of a data subject. A data controller must not only confirm whether it is processing the data requested and provide a copy, but also document:
- The purposes of processing
- The categories of personal data concerned
- The recipients or categories of recipient to whom the data has been disclosed
- The retention period for storing the personal data or, where this is not possible, the criteria for determining how long it will be stored