CCH Software User Documentation

Simplifying Data Subject Access Requests (DSAR)


What are an individual’s rights, how can they exercise them and how is your organisation making it possible for them to do so?

An individual (or a Data Subject) has the right to enquire whether you’re using his or her personal data, to be informed as to the why, what, who and where of the processing, to request a copy of the data, to have it rectified or deleted and even to have it transferred to a different organisation. Can you guarantee these rights?

Exercising rights should be as simple as picking up the phone, sending an email or filling out a form. Your employees should be able to recognise and escalate a data subject access request (DSAR), but only staff who have been trained on how and when to respond to a DSAR should respond to one.

Step 1: Receiving a DSAR

First, decide how you want to receive requests. CCH GDPR Compliance provides you with an online form. You can customise it and direct all DSARs to the form. By collecting and logging all DSARs centrally, you can ensure none go missing. This is extremely important given that the regulation stipulates you reply to them within 30 days. The form is available under the Settings tab in the DSAR section. It can be fully customised, including the URL. Any request generated by this form is logged as a request in the Subject Access section. Whoever in your organisation is responsible for that section will receive a notification as soon as the request comes in.

Step 2: Make sure it’s a valid DSAR

Our DSAR tool helps you validate the request and document how you identified the requester. If you have doubts about the identity of the person making the request, you can ask for more information. However, it’s important that you only request the information necessary to confirm who they are. If you need more information to verify their identity, let the individual know as soon as possible. Once the information has been used to verify the identity, it’s best to destroy it, but make a note against the DSAR as to what was used, when it was received and who verified their identity. The period for responding to the DSAR begins when you receive the verification information.

Step 3: Responding to the request

Depending on the type of request, the software’s DSAR tool will make sure that you consider and respond to the request appropriately by prompting you to consider and take specific actions. Against any DSAR, you’ll be able to add notes and comments or additional documentation. You can see if the individual has made previous requests. And you can easily see what types of data you might be holding on that individual, where that data resides and whether it’s been shared with any third parties. You can assign the ticket to someone on your IT team to action it, in the event that data needs to be deleted or corrected.

When you feel you’ve appropriately responded to the inquiry and the data subject is satisfied, you can close the ticket. After two weeks it will be archived on CCH GDPR Compliance, so your resolution of the request can be accessed if that becomes necessary.

 
