What Construction Companies Need To Know About Data Subject Access Requests
If you hold people’s personal information, they have the right to ask to see what information you have – and you should be able and know how to respond.
It could be a client, contractor, employee or supplier – known as the ‘data subject’ – and they can ask for a copy of their information as a ‘Data Subject Access Request’ (DSAR). The information you hold could cover multiple formats such as emails, digital files, messages, printed documents, and even CCTV recordings. Responding appropriately is a legal requirement and must be done within one calendar month, which in practice, could mean as little as just 20 days.
GDPR & data specialist Judith Andrews from Business Tamer explains what’s involved.
“A DSAR can create a lot of work, especially if you’re unprepared. It’s usually used to check what information is held, how long it’s been kept, why, if it’s been shared with a third party, where it came from and who can access it. There is no formal process for making such a request– a simple verbal request from a data subject is sufficient to trigger DSAR.
“Despite the effort involved, the law states that businesses cannot charge for gathering and supplying this information. It must also be provided in a clear, concise and secure format.
“I recently helped a construction business respond to a DSAR from a dissatisfied client disputing an invoice. The request was potentially being used to delay the outcome and making payment, but the company was still legally obliged to respond.
“Here’s what you need in place to pre-empt such a request – well-organised records and documents are vital to make this job easier.
- Keep detailed records of where all personal information is stored – such as Microsoft, G-Suite, Dropbox. A clear filing system is invaluable for grouping personal data together and easy retrieval.
- Be able to say how and where information is being shared, and with whom; remember, personal information should be shared with people in your organisation who need access to it.
- Have a clear retention policy stating how long you keep personal information. Data should be kept no longer than necessary and then securely deleted.
- Ensure you have client contracts that also cover data protection so that clients clearly understand what they can expect from you when it comes to handling their data.
- Make sure personal information is not being shared across messaging apps (WhatsApp, Facebook Messenger etc) as these are easily intercepted.
Judith can advise you on handling a DSAR, as well as how to collect, store and use data with confidence – and in a way that makes future DSARs easier to respond to.
