Small Data Requests

As a small business you may not expect many data subject access requests. You may not collect large amounts of personal data from your customers and may only process contact information to supply your products or services. How complex can it be to respond to the (perhaps very rare) data subject access request?

The Ask

You and a customer have worked on a project for a period of six months. During this time you collected personal data and correspondence through email, minuted meetings and project documents.

The customer requests copies of personal data that you collected.

Find

Find the personal data of this customer. Collect the data from the various data stores (email servers, file stores).

Challenges:

  • Which email boxes need to be searched
  • Which document stores were used

Review

Once all of the data has been gathered, remove duplicates and restricted data from the response. Add the information required by the GDPR and Data Protection Act.

Challenges:

  • Time
  • Knowing the restrictions that can apply
  • Data Protection expertise to correctly formulate the response

Secure

The final response should not be the source of a data breach by providing personal data without the consent of the data subjects. Typically, this means redaction of images, videos and text.

Challenges:

  • Redaction tools
  • Technical expertise
  • Time for redaction services

Records

You need to maintain records of the process and track each action so that you can demonstrate that a process was followed in preparing the response and that the deadlines set by the GDPR were met.

Challenges:

  • A process is expected by GDPR
  • Requests must be registered as this starts the clock for the deadline
  • Response deadlines must be met

Planning

Planning for a request in advance is helpful, particularly as you must respond within one month of receiving the request. Prepare a process in advance and practise so that you can execute it against the clock when required.

Staff should help find the data required and need to understand the urgency of the task. Investment in tools (or use of existing features) is also helpful.

During review an understanding of both the business and legal requirements is essential.

Redaction is more than simply obscuring the text or image as you need to be assured that the redacted data is not still stored in the electronic document. Third party services may be required for redaction, particularly of video. These suppliers need to be identified in advance to ensure that services can be delivered within the short response window.
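One way to check that redacted text is not still stored in a document, as an added example that is not part of the original page: it assumes the response is a .docx-style package (a zip of XML parts), and the sample file, the name "Jane Example" and the function names are constructed for illustration.

```python
import io
import re
import zipfile

def build_sample_docx() -> bytes:
    """Constructed sample: the visible text is redacted, but the tracked-change
    history and the file metadata still hold the original name."""
    parts = {
        "word/document.xml": (
            "<w:document><w:body><w:p>"
            "<w:r><w:t>Meeting with [REDACTED] on 3 May</w:t></w:r>"
            # Deleted text kept by change tracking, split across two runs.
            "<w:del><w:r><w:delText>Jane Exa</w:delText></w:r>"
            "<w:r><w:delText>mple</w:delText></w:r></w:del>"
            "</w:p></w:body></w:document>"
        ),
        "word/comments.xml": (
            "<w:comments><w:comment><w:p><w:r>"
            "<w:t>Agreed in call</w:t></w:r></w:p></w:comment></w:comments>"
        ),
        "docProps/core.xml": (
            "<cp:coreProperties><dc:creator>Jane Example</dc:creator>"
            "</cp:coreProperties>"
        ),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()

def find_residual_terms(package: bytes, terms: list[str]) -> dict[str, list[str]]:
    """Return {term: [part names]} for every term still stored in the package."""
    hits: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            raw = zf.read(name).decode("utf-8", errors="ignore")
            # Strip tags so a term split across formatting runs still matches.
            text = re.sub(r"<[^>]+>", "", raw).lower()
            for term in terms:
                if term.lower() in text or term.lower() in raw.lower():
                    hits.setdefault(term, []).append(name)
    return hits

if __name__ == "__main__":
    found = find_residual_terms(build_sample_docx(), ["Jane Example"])
    for term, parts in found.items():
        print(f"{term!r} still stored in: {', '.join(parts)}")
```

An empty result covers only text stored as XML in the package; embedded images and other binary parts need their own checks.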

We can help you establish a Data Protection Programme and prepare to receive data requests or, if you already have a request, help you ensure that your response meets the requirements of legislation and protects your business.