Who is in charge of handling data subject access requests? 

Every company that falls within the scope of GDPR will need to identify a data protection officer (DPO). The DPO is charged with making sure data processing activities are compliant with GDPR, but the DPO must not be directly involved with the data processing. This is so the DPO can remain objective in his/her evaluation of data processing activities. This means the DPO may not be involved with processing DSARs, but s/he may be involved in supervising the progress of DSARs.

Each company (whether the company is a data controller or data processor) is in charge of determining who within the organization is responsible for implementing a DSAR. The person in charge of implementing DSARs should be an employee of the data controller or data processor. While responding to a DSAR, one person does not need to be wholly responsible for completing each step of the DSAR. Rather, one person can coordinate a team of people working together to fulfill a DSAR.

In practice, there are broadly two ways DSARs can be fulfilled. The first is that an individual within an organization has access to all of the relevant systems and is able to fulfill a DSAR by themselves, and then report back to the DPO once the DSAR has been completed. The second is that one person can coordinate with a team of different database/system administrators to have each administrator act on the relevant data subject’s information in their system, and then report back to the coordinator once their responsibilities have been completed. Once the coordinator’s team has fulfilled the DSAR, s/he can report back to the DPO who can then communicate with the data subject.

While not explicitly mentioned as part of a DSAR, there is an implicit understanding than an organization must know where all of the data in their organization is in order to fulfill a DSAR. You can learn about conducting a data audit under GDPR here.

Download the GDPR Guide



This article is provided for general informational purposes only and is not intended to be legal advice.  By using the article, you agree that the information on this article does not constitute legal or other professional advice. The article is not a substitute for obtaining legal advice from a qualified attorney licensed in your state. The information on the article may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.