What is a data subject request policy?
The basics: This data subject request policy sets out how a business handles data protection requests. Data subjects (or individuals) are granted various rights under data protection laws, and businesses must ensure that they have appropriate policies and procedures in place to be able to comply with those rights:
- The right of access (sometimes known as a “SAR” or “DSAR”) - to request a copy of personal data held by the business about them;
- The right to rectification - to correct any errors in data;
- The right to erasure - for data to be deleted;
- The right to restrict processing - to limit the ways in which the business is using their data;
- The right to data portability - to request that their data be transferred to a third party; and
- The right to object - to ask that their personal data is no longer used by the business.
Data subject requests: Individuals can make requests to a business in respect of each of these rights. This data subject request policy sets out how to spot these requests and how to handle them in accordance with UK data protection laws.
Why is it so important for my business to put in place a data subject request policy?
Comply with data protection laws: It is a legal requirement for a business to handle data subject requests in accordance with data protection laws. This policy aims to provide important and practical guidance for the staff of the company, setting out procedures such as who to contact in the company, how to identify the person making the request and when requests can be refused, and reiterating the importance of handling requests quickly.
Don’t miss legal deadlines: Generally, you are required by data protection laws to respond to a data subject access request without delay and within one month of receipt of the request. You may extend the time limit by a further two months if the request is complex or if you receive a number of requests from the same individual. Having a clear subject access request policy in place can help your business to ensure that these deadlines are met.
Respond to requests efficiently: Data subject access requests can be long and complex tasks, especially where your business holds a lot of personal data about an individual. Having a clear policy and procedures in place can ensure that data subject requests are dealt with quickly and efficiently, to minimise the impact on the day-to-day activities of your business.
How do I use this data subject request policy?
This data subject request policy should be used alongside and in addition to the company's other policies on data protection (such as its internal data protection policy and employee privacy notice). Whilst it is a very useful tool to help your business handle data protection requests compliantly, it is not enough on its own to ensure that your business is compliant with all relevant data protection laws - it is vital that staff are trained on the policy so that it is implemented into your business’s day-to-day activities.
What does Docue’s data subject request policy include?
Docue’s dynamic data subject request policy can easily be adapted to suit your business’s needs - you can choose to include the following sections:
- Why the company has the policy in place;
- Spotting and acting on data protection requests - including examples of what different requests can look like;
- What happens once a data protection request is received - the different departments and individuals who should be involved;
- Identifying the person making a data protection request - under data protection laws, to avoid personal data about one individual being sent to another, you need to be satisfied that you know the identity of the requester. You can ask for enough information to judge whether the requester is the person that the data is about. The key point is that you must be reasonable and proportionate about what you ask for. You should not request more information if the requester's identity is obvious to you. This is particularly the case when you have an ongoing relationship with the individual;
- What happens if someone makes a request on behalf of another person;
- Documenting data protection requests - the information to be recorded on a data subject request register;
- How to manage a data protection request - who at the business is responsible;
- Denying a data protection request - there are also a number of exemptions that can be relied upon to refuse to comply with a data subject request;
- Responding to data protection requests - the process for responding to different types of data subject requests;
- Training and awareness - to ensure that the policy is implemented in practice.
How can Docue help my business?
We support you through the document creation process: Docue’s platform allows you to create and store a compliant data subject request policy at the touch of a button using a lawyer-grade data protection policy template as a starting point. Lawyer-drafted guidelines and information boxes are there to steer you in the right direction from start to finish.
Easily customisable: You can easily amend Docue’s data subject request policy template to fit your organisation's requirements, so that it is adapted to your business operations.