Demystifying Data Subject Access Requests: A Comprehensive Guide for Individuals
Have you ever needed to correct your personal information being held by an organisation. Are you among those who are increasingly concerned about how their personal information is collected, stored, and used by organisations? To control the processing of your data and your privacy rights, data protection laws and regulations such as the NDPR (Nigeria Data Protection Regulation) and NDPA (Nigeria Data Protection Act) have been enacted. One significant provision of these laws is the Data Subject Access Request (DSAR), which grants individuals the right to access their personal data held by organisations.
Understanding Data Subject Access Requests (DSARs)
A Data Subject Access Request (DSAR) is a formal inquiry made by an individual (referred to as the “data subject”) to an organisation to obtain access to the personal data that the organisation holds about them. This right to access personal data is a fundamental aspect of data protection laws worldwide and is designed to empower individuals to take control of their personal information.
Background and Purpose of DSARs
The concept of DSARs originated from the need to address the power imbalance between individuals and organisations concerning personal data. Historically, individuals had limited visibility and control over how their data was processed by organisations. DSARs emerged as a mechanism to correct this equation by providing individuals with a means to access, review, and if necessary, correct or erase their personal data.
Legal Basis and Requirements
DSARs are legally mandated under NDPA and similar laws in other jurisdictions. These laws specify the rights of individuals regarding their personal data and impose obligations on organisations to facilitate DSARs promptly and transparently.
Scope of Personal Data Covered
The personal data that can be requested through a DSAR is broad and encompasses any information relating to an identified or identifiable individual. This may include basic identification details, contact information, financial records, employment history, online activity, and more. Organisations are required to provide access to all personal data that falls within the scope of the request.
Importance of DSARs for Individuals
DSARs play a crucial role in empowering individuals to exercise greater control over their personal information. By making informed decisions about how their data is processed, individuals can protect their privacy, rectify inaccuracies, and mitigate potential risks associated with data misuse or unauthorized access.
Step-by-Step Guide to Submitting a DSAR
Now that we have covered the background and significance of DSARs, let us explore the step-by-step process individuals can follow to submit a DSAR effectively
Step 1: Understand Your Rights
Before initiating a DSAR, it is important to understand your rights as a data subject under relevant data protection laws. Familiarise yourself with the specific provisions and requirements outlined in laws and regulations like the NDPA to ensure that your request aligns with legal guidelines.
Step 2: Identify the Data Controller
The data controller is the organisation responsible for determining the purposes and means of processing personal data. Identify the entity or entities from which you wish to request access to your personal data. This may include companies with which you have a customer relationship, employers, or any other organisation that processes your personal information.
Step 3: Locate Contact Information
Search for contact details of the data controller’s Data Protection Officer (DPO) or the relevant point of contact designated for DSARs. This information is often available on the organisation’s website or privacy policy. If you can’t find it, reach out to the organisation’s customer service for assistance.
Step 4: Prepare Your Request
Draft a clear and concise DSAR that includes the following information:
• Your full name and contact information
• Any relevant account numbers, reference numbers, or identifiers to help the organisation locate your data
• A description of the personal data you’re requesting access to (e.g., emails, transaction history, account information)
• The timeframe for the data you’re requesting, if applicable
Step 5: Submit Your Request
Send your DSAR to the data controller via the designated contact method. Be sure to follow any specific instructions provided by the organisation for submitting DSARs. Keep a record of the date you submitted your request for reference.
Step 6: Verify Your Identity
In some cases, the data controller may require you to verify your identity before processing your DSAR. Be prepared to provide additional documentation or information to confirm your identity if requested.
Step 7: Await Response
Once the data controller receives your DSAR, they are legally obligated to respond within a reasonable timeframe stipulated by relevant data protection laws. Under the GDPR, for example, organisations typically have 30 days to respond to DSARs, although this may vary depending on the jurisdiction.
Step 8: Review the Response
Upon receiving a response from the data controller, carefully review the information provided. Verify that the organisation has fulfilled your request for access to personal data and assess whether the data provided is accurate and complete.
Step 9: Take Further Action (if necessary)
If you’re dissatisfied with the response received or believe that the organisation has not complied with its obligations under data protection laws, you may have recourse to lodge a complaint to the Nigeria Data Protection Commission. Consult legal advice if you are not sure about your next steps.
Conclusion
Data Subject Access Requests enhance individuals to exercise control over their personal data. By following this step-by-step guide, data subjects can navigate the DSAR process confidently and assert their rights under data protection laws effectively. With this knowledge, individuals play a major role in shaping a transparent and accountable data ecosystem.
