When dealing with data subject access requests (DSARs) under GDPR:
  1. Take your time and think about the response.
  2. Document and audit your response process.

These are the key takeaways from a panel at the recent International Association of Privacy Professionals (IAPP) privacy summit in Washington, DC.

Take the time and communicate:
  • Reading over the inquiries thoroughly is important in determining whether the information falls within the scope of the request.
  • Engage with the data subject and show that you have a process in place.
  • Send a receipt that says you received the request and shows you have a good process in place. It will be better received than silence up until day 29 or 30, followed by blasting the subject with only part of the information.

Keep track and audit:
  • Keep track of your DSAR processes.
  • Be able to show regulators all of the requests you have been able to fulfill, in the event that even one is not properly executed.

Details from the IAPP.