Update: Guide for Organizations to Respond to DSARs During Pandemic

Since the organizations are struggling to survive during the COVID-19 pandemic, they are restricted to operate daily tasks due to limited resources and workforce restrictions. With many other problems, organizations are also bound to be compliant with GDPR and respond to DSARs irrespective of the pandemic situation. Most employees are working from home, and the workforce has been reduced due to illness and leaves. In such times, it is challenging to meet the DSARs response deadlines.

However, there is some good news for struggling organizations to cope with this challenge.

Organizations Must Follow GDPR

The lawmaker authorities around the EU have posted guidance on how organizations should follow the GDPR during the COVID-19 pandemic.

They have acknowledged that it is not possible to extend the compulsory requirement of the GDPR as it has become the law. Since regulators know the challenges the organizations are facing, they will not impose any penalty if the organizations cannot comply with the law.

Suggested Alternatives

It is possible to respond to DSARs (Data Subject Access Requests) in stages. If there are employees whose responsibility is to handle the requests and they are working from home, they can still communicate with relevant authorities on the steps which need to be taken.

If there is a problem due to which employees cannot perform the step, they should document the problem when responding to DSARs.

One example where this rule can apply is when personal information exists in physical form in the office. In this case, employees are not required to go to the office to acquire the data, as their physical safety should number one priority during the COVID-19 pandemic.

Instead, the organizations can leave this data for the time being and inform about the reason for the data subject.

When the restriction on traveling is lifted, employees shall go to the office and follow up with the data and provide copies of any physical data they have.

Extended DSAR Deadlines

Organizations are provided with another option in which they can extend the DSARs deadline for up to one month. In the GDPR, it is stated that upon placing a request, the organizations can ask permission for an extra month to provide the necessary information to concerned authorities.

In Short

Whatever procedures organizations may take, they have to document the reason behind it and let the data subject know. The DSAR must be reported to the concerned authorities now or later.

GDPR CCPA Compliance Management