When dealing with data subject access requests (DSARs) under GDPR:
- Take your time and think about the response.
- Document and audit your response process.
These are the key takeaways from a panel at the recent International Association of Privacy Professionals privacy summit in Washington, DC.
Take the time and communicate:
- Reading over the inquiries thoroughly is important in determining whether the information falls within the scope of the request.
- Engage with the data subject and show that you have a process in place.
- Send a receipt that says you received the request and shows you have a good process in place. It will be better received than silence up until day 29 or 30, followed by blasting the subject with only part of the information.
Keep track and audit:
- Keep track of your DSAR processes.
- Be able to show regulators all of the requests you have fulfilled, in the event that even one is not properly executed.