All You Need to Know About Data Subject Access Requests (DSARs)

What is DSAR?

Data Subject Access Requests (DSARs) are a common requirement in privacy regulations including the CCPA and GDPR. These regulations provide individuals with the right to request a copy of all information a company has about them, make changes to the information, and even demand its deletion.

An individual who makes a DSAR is entitled to receive confirmation that you are processing their personal data, a copy of that data, your privacy notice, and supplementary information. DSARs aren’t new: organizations and governments have used them for years. But recent consumer data privacy regulations introduced several changes that make it easier for individuals to submit requests. These changes go a long way toward transparency in data processing, but they create some challenges for organizations.

DSARs are not limited to customers; anyone whose personal data you collect — including employees and contractors — has the right to submit one.

Types of Data Subject Requests

DSARs can be grouped into four categories, according to the rights involved:

  • Access Request
      • The Right of Access

  • Portability Request
      • The Right to Portability

  • Change Request
      • Right to Rectification
      • Right to Erasure
      • Right to Request Deletion

  • Objection Request
      • Right to Restriction of Processing
      • Right to Object to Data Processing
      • Right to Opt-out
      • Right to Object to Automated Decision-Making and Profiling

What Should be in a DSAR Response?

Individuals do not need to give a reason to submit a DSAR; a subject can ask to see their data at any time. The organization may only ask questions that verify the subject’s identity and help it locate the requested information.

Steps in DSAR

  1. Get Request
  2. Request Logging
  3. Identity Verification
  4. Prioritization
  5. Data Collection
  6. Validation
  7. Communication

Get Request

Unless you give your customers an easy way to submit DSARs, they are likely to use the first company email address they find. It’s smart to have an online DSAR form since it helps ensure that requests go to the correct place and contain all the required information.

Request Logging

Assign responsibility for creating and updating a record of each DSAR to an individual or department. You might have them develop a spreadsheet that shows the date of the request, its status, and other essential information for tracking progress.

Identity Verification

Verify the identity of the person making the request before responding. You may not ask for protected data you don’t already have, but you can ask the requester to provide personal information you do have to authenticate the request. The data you request for verification must be proportionate to the request.

Prioritization

Process requests according to factors such as complexity and the degree of legal or business risk, so that work is prioritized properly and response deadlines are met.

Data Collection

Collect all records containing the individual’s data, along with the following supplementary documentation:

  1. Your privacy notice
  2. A statement of the purpose for processing the personal data
  3. The categories of personal data collected
  4. The recipients (or categories of recipients) with whom you shared the personal data
  5. How long you hold the personal data
  6. Advice on any additional rights the user has, such as the right to object to processing, the right to request erasure or rectification, or the right to lodge a complaint with a supervisory authority
  7. Where you obtained the data, if it was not collected directly from the subject
  8. The existence of any automated decision-making that took place using the data
  9. The security measures you use when transferring data to a third party

Validation

Review each response for completeness and accuracy. You may decide to require review by legal counsel before sending the response to the requester.

Communication

Share the response securely and confidentially with the requester. Remember that you must respond within the timeframe defined by the applicable regulation, which is 30 days from receipt of the request.

The Challenge

The challenge, however, is finding the personal information you’re supposed to turn over. Data collection and proliferation have grown massively over the last decade, but organizations tend to pay little attention to data governance and management. Basically, data is everywhere, but most organizations don’t have it inventoried.