What is a Data Subject Access Request (DSAR)?
The aim of the General Data Protection Regulation (GDPR), which went into effect in 2018, was to give people control over their data by granting data subjects eight rights.
The right of access enables people to learn about the information organizations have on them and understand the purpose and methods adopted to use that information.
Although the right of access is not new, the GDPR makes it easier for people to submit requests, access personal data, and obtain information by adding new categories of information that the business must share.
Access requests are among the most common requests organizations receive; sooner or later, as a business, you will have to respond to a DSAR.
People ask organizations for access to their personal data or related materials and details on how that data is used by submitting Data Subject Access Requests (DSARs).
These requests need to be seen as a form of each person’s right to privacy, as outlined in the General Data Protection Regulation (GDPR) of Europe and, lately, in other privacy laws such as the California Consumer Protection Act (CCPA).
These verbal or written requests can be made to an organization through any verified channel and may be submitted by a third party acting on behalf of an individual.
To comply with the GDPR and similar data privacy laws, and the data subject rights and obligations they define, the organization must fulfill a DSAR within a specified time unless a valid exemption or restriction applies or the request is unfounded or unreasonable.
This article covers what you need to know about the Data Subject Access Request (DSAR).
People often confuse the terms DSR and DSAR or use them interchangeably.
Let’s start by understanding the nuances between the two.
What is a Data Subject Request (DSR)?
By submitting a data subject request (DSR), a user can request access to, modify, or delete the data held by a company.
People now have the legal ability to make these requests thanks to increasing regulations, such as the CTDPA in Connecticut, the CCPA in California, and the GDPR in the European Union.
To avoid fines and other penalties, companies must adhere to specified standards when fulfilling requests from data subjects.
What is a Data Subject Access Request (DSAR)?
A specific kind of data subject request is a data subject access request (DSAR), a user’s request to access personal information about them that the company has processed.
Companies usually have to provide explanations of how and why the data was processed in addition to the data itself.
Different laws impose different obligations on businesses, including what kinds of personal data are covered and how quickly an organization must respond.
Fulfilling data subject requests and access requests is a way to demonstrate to customers that your company’s data practices are trustworthy and reliable.
The primary objective of the teams involved is to respond to data subject requests promptly, accurately, and thoroughly.
It seems easy enough. However, as data systems become increasingly complex, locating every piece of information a user asks to have shared, modified, or deleted can be challenging.
Still, understanding the fundamental requirements and processes for data subject requests prepares your team for compliance success.
DSARs in Regulations worldwide
The GDPR has impacted how data subject requests are integrated into privacy laws worldwide.
Brazil’s Lei Geral de Proteção de Dados (LGPD) likewise grants the rights of access, erasure, and correction.
In the US, California’s CCPA and Virginia’s CDPA give users the right to access and delete, and CDPA even includes the right to correction.
In California, a right to correction has since been established under the CPRA, which took effect at the start of 2023.
The CCPA also provides for a specific kind of data subject request through the “Do Not Sell My Personal Information” option.
To put it simply, a resident of California has the right to seek to opt out of a company’s sales of personal data.
It is essential to remember that the CCPA interprets “data sales” broadly, meaning that exchanges of personal information that don’t include monetary transactions are also covered.
Analyzing each regulation in more depth shows that data subject requests are a crucial component of worldwide privacy compliance; the laws mentioned above were all brought into effect less than five years ago, and several state and federal bills are currently being considered.
Who can submit a DSAR?
Anybody whose personal data the organization is processing can submit a DSAR. They are not required to give any reason for submitting it and can ask for a copy of their data.
Contrary to common belief, DSARs can come from contractors, partners, and customers, not just employees.
According to some studies, most of these requests come from customers rather than employees.
In the US, this is particularly true.
However, compared to other parts of the world, employees of EU companies request personal data at a far higher rate.
If the data subject gives authorization, another person may submit a DSAR on their behalf. A few examples would be:
· A parent requesting on their child’s behalf
· An attorney requesting on the client’s behalf
· A friend or a relative
· An individual appointed as a guardian
The organization has the right to require written authorization or other supporting documentation before acting on such a request.
What is the purpose of submitting a DSAR?
· Privacy goes beyond compliance concerns alone.
As per a finding, 79% of individuals wish to have control over how a company uses their data.
· Data Privacy Concerns
If a person wants to know what information a company holds about them and how the company uses it, they may submit a DSAR.
· Data Deletion & Erasure
Rather than submitting an access request, a person may choose to have the data that a company has about them deleted. In this case, they would file a data subject request for deletion.
· Data Breach Recovery
People can be concerned that their data might have been involved in a security breach.
· Data Correction and Management
A DSAR is the best way to obtain a complete data summary for verification purposes, as information maintained by a company may be inaccurate or out-of-date.
· Summary of data collection
It is the responsibility of organizations to give a complete summary of all the personal data they have.
What to include in a DSAR response?
To fulfill a DSAR in a way that satisfies the requirements common to these regulations, a company must give the verified requester the following information:
· A copy of the personal data that the company holds.
· The purpose of the processing.
· The categories of personal data collected (name, past purchases, etc.)
Specific laws, such as the GDPR, require that businesses share additional data, such as:
· The intended or domestic recipients of the personal information
· The duration of time the business plans to keep the data
· Whether automated decision-making is used in processing this data, and what significance such operations have for the user.
On receiving a deletion request, a company may still need to retain certain personal data to meet tax obligations.
However, where no such legitimate interest exists, the company must honour the deletion request.
Guiding principle for DSARs
A few principles for DSARs stay the same across all legislation. DSRs have to be:
· Simple to understand for users
To comply with GDPR, businesses must communicate personal information to users in an understandable manner in response to their requests for access.
· Promptly completed by the business
Every regulation sets a deadline that must be met, for example 15 days under the LGPD and 45 days under the CCPA, with predetermined extensions allowed.
· Supported by identity verification
Under GDPR, since a DSAR naturally entails sharing personal data, companies must verify the requester’s identity (GDPR Recital 64).
This protects companies from disclosing a user’s personal information to the wrong party.
Worldwide, similar verification procedures are mandated by other regulations.
How can the data subject submit a DSAR?
DSARs can be submitted verbally or in writing, for example over the phone or through an online form, via any medium, including social media, and to any staff member within the company (e.g., the marketing department).
Furthermore, the request does not need to be labelled as a DSAR or mention the GDPR or any specific right.
If a person asks how their data is processed or asks to see their data, the organization must recognize this as a request, acknowledge it, and respond promptly.
For this reason, departments and key individuals must understand data subject rights, recognize DSARs, and know what to do if they get one of these requests.
Verifying the identity of the individual requesting a DSAR
Recital 64 of the GDPR states that an organization must take all reasonable steps, particularly in the context of online services and online identifiers, to verify the identity of the individual requesting access.
The two most common methods of confirming a data subject’s identity are email confirmation and photo identification; organizations also rely on challenge questions, identity-proofing systems, and an existing email-and-password login.
During the verification process, the organization should only ask for necessary information.
Rather than asking for formal identification documents, an organization should use other suitable verification methods, such as an identity-proofing platform or an existing email-and-password login.
Who is responsible for responding to a DSAR?
While some companies are required to appoint a Data Protection Officer (DPO), others are not.
In any case, the company should appoint someone to handle compliance who will have a high-level overview of DSAR processes and record all requests to ensure timely resolution.
This does not imply that the DPO must personally respond to every request.
However, the DPO must oversee the process and ensure compliance throughout.
By automating the process, you can handle DSARs more effectively and avoid requests being mistakenly missed or disregarded.
Automation can be critical if your privacy department consists of a single person or a small team.
What is the deadline for responding to a DSAR?
The organization should respond to a DSAR without undue delay and at the latest within one month of receiving it.
If the request is complex or the company has received many requests from the same person, the deadline may be extended by two months.
For example, a request may count as complex if the person simultaneously submitted a DSAR and exercised their right to be forgotten.
In that case, the organization must inform the person of the extension and the reason(s) for the delay within a month of receiving the request.
The deadline is calculated from the day the request (or, where applicable, the fee or other information needed to process it) is received to the corresponding calendar date of the following month.
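The deadline rule above, worked through as an added Python example (not code from the original article): one month from the day of receipt to the corresponding calendar date of the following month, plus two further months when an extension applies, with the extension itself notified within the first month. It assumes, as the article does not say, that when the target month has no corresponding day (31 January, for instance) the period ends on the last day of that month.

```python
from calendar import monthrange
from datetime import date

# Added example, not code from the original article. Assumption (not stated in
# the article): if the target month has no corresponding day (e.g. 31 January
# -> February), the period ends on the last day of that month.

def add_months(start: date, months: int) -> date:
    """Return the corresponding calendar date `months` later, clamped to month end."""
    year = start.year + (start.month - 1 + months) // 12
    month = (start.month - 1 + months) % 12 + 1
    last_day = monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))

def dsar_deadlines(received: str, extended: bool = False) -> dict:
    """Compute DSAR dates from an ISO date string (YYYY-MM-DD).

    received: the day the request (or the fee / extra information needed to
              process it) was received, which starts the clock.
    extended: True when the organization invokes the two-month extension.
    Returns ISO date strings so the result can be logged or compared directly.
    """
    start = date.fromisoformat(received)
    notify_by = add_months(start, 1)          # extension notice is due within the first month
    respond_by = add_months(start, 3) if extended else notify_by
    return {"notify_by": notify_by.isoformat(), "respond_by": respond_by.isoformat()}

def days_remaining(deadline: str, today: str) -> int:
    """Days left before the deadline; a negative value means the request is overdue."""
    return (date.fromisoformat(deadline) - date.fromisoformat(today)).days

if __name__ == "__main__":
    # Constructed sample intake register; references and dates are illustrative only.
    register = [("REQ-1", "2024-01-31", False), ("REQ-2", "2024-03-15", True)]
    for ref, received, ext in register:
        d = dsar_deadlines(received, ext)
        print(ref, d, "days left on 2024-04-01:", days_remaining(d["respond_by"], "2024-04-01"))
```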
How to fulfill a DSAR?
A single request from a data subject may disrupt your team’s work.
For example, the following actions must be taken if an EU resident requests to see all the personal data you have on them:
· Verify the requester’s identity.
· Locate every location in your data systems and third-party applications where the user’s data is stored.
· Combine all relevant personal data in an easily readable and understandable manner.
There may be a constant flow of requests coming in from people all around the world, each with its own deadline.
Clearly, your systems must be coordinated for such requests to be processed.
Can a company charge a fee for a DSAR?
Companies are not allowed to charge any fee for a DSAR.
However, if a request is excessive or unfounded, a reasonable fee can be charged for administrative costs.
A company can ask for a nominal charge on repeated or excessive requests to stop individuals from repeatedly submitting needless DSARs.
However, the fee should never become a source of profit for the organization.
Your company should create criteria for determining a reasonable cost before charging.
This will help if you need to explain it to the supervisory authority.
The company should clearly state the criteria and walk the person through the charges.
However, relying on these exceptions has proven risky: the Dutch DPA issued 830K euro GDPR fines for charging fees for access to information.
What happens if a DSAR is not responded to in time?
A functional DSAR fulfillment model is essential to the business’s long-term success.
Prioritizing request fulfillment makes sense for several reasons, but these three are the most important ones:
· GDPR Compliance Issues
Do you want to stay out of trouble and avoid paying hefty fines and penalties? To comply with the GDPR, DSARs must be fulfilled promptly.
· Reduced Customer Loyalty
DSARs provide consumers control over how businesses use their personal information.
A company may be seen as disregarding the privacy rights of data subjects if it does not offer a prompt and transparent fulfillment process.
· Concerns about Security
A sharply rising volume of DSARs can cause backlogs across the entire system.
An organization may be vulnerable to a Denial of Service (DoS) condition if requests pile up and overwhelm internal staff, especially if it uses a manual process for DSAR fulfillment.
Can a company refuse to respond to a DSAR?
In certain situations, the organization may choose not to respond to a DSAR if an exception applies or if:
· The request is baseless
This means the person does not genuinely intend to exercise their right, or the request is malicious and only intended to cause disruption.
· The request is clearly unreasonable
The DSAR is disproportionate to the expense and other burdens of responding to it.
Ensure you are prepared to defend your decision to the supervisory authority if you do not comply with a request.
Additionally, you must explain why you are rejecting the request, inform the person of their right to file a complaint with the supervisory authority, and inform them of their option to enforce their right through the courts.
Automating data subject requests
The Data Subject Access Request exercises just one of the eight rights granted by the GDPR, and companies are required to comply with all of them.
Most companies are unlikely to be prepared to handle DSARs effectively, given that they still take requests by phone or email, manage them manually, or rely on a basic front-end submission form.
More broadly, handling data subject rights manually leads to human error and exposes companies to significant risk.
GDPR compliance, the organization’s reputation, CCPA compliance, and customer transparency are the main business factors for fulfilling DSARs.
As a result, many businesses worldwide are spending money on privacy tools that help them manage DSARs.
Common DSAR Response challenges
Responding to DSARs is no cakewalk; companies face several challenges in doing so.
Some of the common challenges are:
· Lack of Expertise
It can be challenging to fulfill DSARs, especially without a dedicated privacy team. Organizations that lack the resources and expertise often find themselves flooded with DSARs.
· Complex rules
The rules and laws about privacy that DSARs must abide by can be complex, particularly as the law is evolving rapidly along with the privacy industry.
Challenges may also arise from differing deadlines and requirements across jurisdictions.
· Creating a streamlined workflow
Developing an effective process for DSAR fulfillment can be challenging, especially if most of the process is done manually.
An organization has vast amounts of data scattered throughout it, and without automated methods to help, streamlining the DSAR process can be a challenge.
· High costs of manually responding to DSARs
There can be severe bottlenecks, compliance-related fines, and penalties if the team in charge only employs manual procedures to handle and complete all DSARs.
According to Gartner, manual DSR fulfillment typically costs $1,524 per request.
· Managing multiple requests
Organizations may receive hundreds of requests yearly, depending on how many “identities” they store.
According to research, some companies can expect to receive about 650 requests for every million identities. Large companies can expect many more.
Subjects find it quite simple to submit DSARs, and with the low entry barrier and rising privacy awareness, people may submit requests just because they can.
Conclusion
In addition to regular business operations, your privacy team may receive a stream of data subject requests from users worldwide.
Keeping track of the requirements laid out by various regulations on the nature of each request and the time frame within which it must be fulfilled may be challenging.
PrivacyPillar is a platform that arranges and manages data subject rights, making it one of the best privacy solutions.
The entire process is automated, allowing the IT systems that store the data to process user requests quickly and correctly.
The process turns into an automated workflow that provides you with complete insight at every stage, from registering a user request to processing data and approving it to notifying the user of the outcome of the request.