Data Subject Access Requests – what are they, and how to prepare for one?
Data Subject Access Requests (DSARs) are important under the General Data Protection Regulation (GDPR). They give individuals the right to request access to their personal data held by the school. This right is known as the right of access, and it allows individuals to understand what personal data is being processed, why it is being processed, and who it is being shared with.
Under the GDPR, schools must respond to DSARs within one month of receipt. This response must include a copy of the personal data being processed, as well as information about the purposes of the processing, the recipients of the data, and the retention period for the data.
It is essential for schools to be prepared for DSARs and to have processes in place to respond to them in a timely and accurate manner. This includes having a clear understanding of what personal data is being collected and processed and having a system in place for securely providing this information to individuals upon request.
Staff training and systems can help
To respond to DSARs, schools may need to implement measures such as training staff, mapping data to identify what personal data is being processed and where it is being stored, and implementing access controls to ensure that only authorised individuals have access to personal data.
Schools should also be prepared to handle requests for rectification, erasure, and data portability, which are other rights granted to individuals under the GDPR. It is important to note that DSARs are not the only way individuals can exercise their rights under the GDPR, and schools should be prepared to respond to other types of requests.
Overall, DSARs are an essential part of the GDPR, and schools should ensure that they are prepared to respond to them in a timely and compliant manner. This includes clearly understanding what personal data is being processed, implementing appropriate access controls, and having processes in place to respond to requests for rectification, erasure, and data portability.