DSAR Process: The Ultimate Guide for Businesses
Running a business means collecting personally identifiable information (PII) from customers, whether you are selling something, scheduling an appointment, or offering customer service.
Regulations designed to protect personal customer information change along with data collection technologies.
Legal regulations differ from country to country, but most rules have one thing in common: Data Subject Access Requests, or DSARs.
With new data privacy rules going into effect, it is time for your company to prepare to respond to Data Subject Access Requests (DSARs).
A Data Subject Access Request (DSAR), known by other names in some laws, is a request made by an individual to exercise their rights over the personal information you collect about them.
These rights include accessing, correcting, or deleting their data.
Setting up a reliable, transparent DSAR process that employees follow when handling these requests helps your company comply with the relevant data protection laws and earns customers’ trust.
This guide walks through building a DSAR process that is reliable, lawful, and user-friendly for both your business and your customers.
Understanding DSAR
When people submit requests to exercise their rights to data privacy as provided by various data privacy laws, it’s known as a Data Subject Access Request, or DSAR.
Although specific rights differ, generally speaking, individuals protected by these laws have the right to request the following:
· Access the personal information you’ve collected about them and be told how it is used.
· Correct or edit their personal information.
· Delete the information you have about them.
· Obtain a portable copy of the information you’ve collected about them.
· Refuse to be part of specific data processing activities, such as targeted advertising, data sales, or profiling.
Since the General Data Protection Regulation (GDPR), which protects individuals within the European Union (EU) and the European Economic Area (EEA), came into force, the number of data subject access requests has grown.
A documented DSAR process or workflow that every relevant employee understands and follows simplifies the work and lets you meet this legal obligation more quickly and consistently.
Important terms in the DSAR process
Let’s begin by understanding a few essential terms you and your company staff should know while developing your DSAR process.
· Data controller: The organization (or person) that decides why personal data is collected from users and how it is used.
· Data subject: The people covered by data privacy regulations from whom you collect data.
· Data processor: A third party you engage to process personal data on your behalf. Under the GDPR, your contract with a processor must oblige it to assist you in responding to data subject requests (Article 28), so involve processors in your DSAR process from the start.
· Data Protection Officer (DPO): A person you appoint to oversee that all processing of personal data, whether about customers, employees, or any other data subject, is lawful.
· Verifiable consumer request: The CCPA’s term for a request where you have confirmed that the requester is, in fact, the data subject or is legally authorized to act on the data subject’s behalf.
· Data Subject Access Request form: The online form on your website or app through which users submit a request to exercise their rights.
Importance of the DSAR process for businesses
Businesses need a defined DSAR process because handling a request involves several steps and because laws such as the CCPA and GDPR set deadlines for responding to and fulfilling requests.
Verifying the requester’s identity, locating their data securely, and offering an appeal route for your decision are among the essential steps.
Note that you are usually not permitted to charge a fee for handling a DSAR (the GDPR allows a reasonable fee only for manifestly unfounded or excessive requests), so the process has to be efficient as well as correct.
This article will guide you through the processes your company’s DSAR workflow needs to include.
How much time does your company have to respond to a DSAR?
The jurisdiction determines how long an organization has to respond to and fulfill a DSAR.
Most regulations require a response within roughly 30 to 45 days: the GDPR allows one month, the CCPA 45 days.
Some regulations permit an extension. Under the GDPR the period may be extended by a further two months where requests are complex or numerous, provided the data subject is told of the extension, and the reasons for it, within the first month. The CCPA allows one extension of a further 45 days, again with notice to the consumer.
To meet these deadlines, your company needs a system that records each DSAR, its deadline, and any extension granted.
Missing a response, completion, or extension deadline exposes the company to regulatory action.
Who can conduct a DSAR?
Because many data privacy laws are relatively new, your company may not yet have a standard operating procedure (SOP) for the DSAR process.
Not every employee should be able to handle a DSAR; only those with access to the relevant systems on your company’s network can.
To fulfill a DSAR, an employee needs the authority to:
· Access all of a customer’s data across your systems.
· Communicate directly with the requester.
· Contact third parties to whom the company has sold or disclosed the customer’s data.
Depending on factors such as employee access to your data privacy platform, the size of your IT department, and the network structure of your company, your business must choose between two approaches when drafting a DSAR SOP:
· Give all employees the permissions needed to fulfill requests.
· Delegate DSAR processing to a small group of employees who already have the necessary access.
From a least-privilege standpoint the second approach is preferable: the ability to retrieve everything you hold about a person is itself a sensitive capability, so keep it with a small, named, accountable group and log every use of it.
How much does a DSAR cost?
There is no universal answer, because every company handles DSARs in its own way. Sources of DSAR expense include:
· Salaries for the privacy team
· Attorney fees, where legal advice is required
· Penalties for missed deadlines or complaints from customers
Each expense depends on how many DSARs arrive in a given period and how long each takes to complete.
A well-designed, largely automated DSAR process can bring significant savings.
A business saves staff time by automating as much of the workflow as possible, and a simpler process also reduces the need for legal counsel.
Furthermore, professional and prompt responses to requests substantially reduce the likelihood of a fine from a privacy authority.
Preparing for a DSAR
Now, let’s see how you can prepare your business to fulfill a DSAR from a customer.
Before receiving a data privacy request from one of your users, take these preparatory steps to streamline the entire process for all the stakeholders.
1. Appointing a DPO
First, appoint a Data Protection Officer (DPO) or, where one is not required, a named owner for the process.
It is your DPO’s responsibility to ensure that your business collects and uses data in a way that complies with the law.
They will either respond to DSARs themselves or supervise and help manage the process, depending on the size and nature of your company.
Under the GDPR, appointing a DPO is mandatory only for certain organizations (Article 37: public authorities, and controllers whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data). Even where it is not required, one person who owns the DSAR process is good practice, and a small business rarely needs more than one.
When appointing a DPO, make sure they understand your company’s operations and are well versed in data privacy law.
2. Making DSAR policies and processes
After appointing a DPO, set up your DSAR policies and processes, including how customers can submit requests.
Remember that some regulations require more than one submission channel; the CCPA, for example, requires at least two designated methods, such as a toll-free number and a web form.
Suppose you implement DSAR forms on your website or mobile application and also give customers a working email address and a phone number that reach your DPO.
In that case, your privacy policy must explain how to use each channel.
You must also explain how people can appeal your decision on their request. Several US state laws, such as the VCDPA, mandate an appeals mechanism; under the GDPR, when you refuse a request you must tell the data subject why and inform them of their right to complain to a supervisory authority and to seek a judicial remedy.
But the DSAR process doesn’t end there.
You also need to plan how your company will respond to requests, how your DPO or team will locate the personal data, how you will communicate with the data subject, and more.
3. Employee training
Lastly, decide how you will train employees on the DSAR process your company uses and on data privacy best practices.
Privacy literacy training for employees improves both the effectiveness and the efficiency of your DSAR process.
At the very least, every employee must be able to recognize a DSAR, whatever channel it arrives through, and route it to the responsible team; a request buried in a support ticket or a reply to a marketing email still starts the clock.
Step-by-step DSAR response process
We have covered what a DSAR is; how does the process work in practice for your company?
The six steps below provide a structure for the SOP that fulfills DSAR requirements.
Step 1: Collecting and logging requests
1. Your first task is to formalize how requests are collected. People need to know their data rights and have a simple means of making a request.
You can do this in several ways, one of which is to set up customer-facing web forms.
These forms should be branded, accessible, user-friendly, and usable on all devices to make the process as simple as possible.
2. Organizations must respond within a defined time window, so an inquiry log is essential to effective request management.
Privacy leaders must create a framework for handling DSARs, including:
o Consumer request channels: an online form, a dedicated email address, a phone extension or hotline, and in-person requests.
o A standard operating procedure for intake and logging.
o A logging system that records key fields (the requester’s identity, the date received, the applicable regime and deadline, the request type, the current status, and so on) and that every later step appends to.
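As an added example (not code from the original article or from any product it mentions), the register below implements the deadline rules from the “How much time does your company have” section and the intake log described in Step 1. It computes each request’s deadline from its regime, allows one justified extension while the request is still in time, enforces a fixed set of status transitions, appends every action to a per-request audit trail, and reports what is overdue or due soon. The regime names, the 30-day approximation of the GDPR’s “one month”, the field names, and the sample requests are this example’s own assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Response windows in calendar days. These figures are this example's own
# simplification: GDPR Art. 12(3) allows one month (approximated here as 30
# days) extendable by two further months; the CCPA allows 45 days extendable
# once by 45 more. Confirm the numbers for each regime you are subject to.
RULES = {
    "GDPR": {"base_days": 30, "extension_days": 60, "max_extensions": 1},
    "CCPA": {"base_days": 45, "extension_days": 45, "max_extensions": 1},
}

# Allowed state transitions; anything else is rejected so the log stays coherent.
TRANSITIONS = {
    "received": {"verified", "denied"},
    "verified": {"in_progress", "denied"},
    "in_progress": {"completed", "denied"},
}
CLOSED = {"completed", "denied"}


@dataclass
class DsarRequest:
    request_id: str
    subject_ref: str          # pseudonymous internal reference, not the raw identity
    regime: str               # key into RULES
    request_type: str         # access, correct, delete, port, opt_out
    channel: str              # web_form, email, phone, in_person
    received: date
    extensions: int = 0
    status: str = "received"
    audit: list = field(default_factory=list)

    def deadline(self) -> date:
        rule = RULES[self.regime]
        days = rule["base_days"] + self.extensions * rule["extension_days"]
        return self.received + timedelta(days=days)

    def log(self, when: date, actor: str, action: str, detail: str = "") -> None:
        # Append-only: entries are never edited, so the trail can be shown to an auditor.
        self.audit.append({"when": when.isoformat(), "actor": actor,
                           "action": action, "detail": detail})


class DsarRegister:
    def __init__(self) -> None:
        self._requests: dict[str, DsarRequest] = {}

    def intake(self, req: DsarRequest, actor: str) -> DsarRequest:
        if req.request_id in self._requests:
            raise ValueError(f"duplicate request id {req.request_id}")
        if req.regime not in RULES:
            raise ValueError(f"unknown regime {req.regime}")
        self._requests[req.request_id] = req
        req.log(req.received, actor, "received",
                f"via {req.channel}; deadline {req.deadline().isoformat()}")
        return req

    def extend(self, request_id: str, today: date, actor: str, reason: str) -> date:
        req = self._requests[request_id]
        rule = RULES[req.regime]
        if req.status in CLOSED:
            raise ValueError("request is already closed")
        if req.extensions >= rule["max_extensions"]:
            raise ValueError("no further extension permitted under this regime")
        if today > req.deadline():
            raise ValueError("cannot extend a request that is already overdue")
        if not reason.strip():
            raise ValueError("an extension must record its justification")
        req.extensions += 1
        req.log(today, actor, "extended",
                f"{reason}; new deadline {req.deadline().isoformat()}; "
                "data subject must be notified of the extension and the reason")
        return req.deadline()

    def transition(self, request_id: str, today: date, actor: str,
                   status: str, detail: str = "") -> str:
        req = self._requests[request_id]
        if status not in TRANSITIONS.get(req.status, set()):
            raise ValueError(f"cannot move {req.request_id} from {req.status} to {status}")
        req.status = status
        req.log(today, actor, status, detail)
        return req.status

    def overdue(self, today: date) -> list[str]:
        # Open requests whose deadline has passed: the list a privacy lead reviews daily.
        return sorted(r.request_id for r in self._requests.values()
                      if r.status not in CLOSED and today > r.deadline())

    def due_within(self, today: date, days: int) -> list[str]:
        horizon = today + timedelta(days=days)
        return sorted(r.request_id for r in self._requests.values()
                      if r.status not in CLOSED and today <= r.deadline() <= horizon)


if __name__ == "__main__":
    # Constructed sample requests.
    reg = DsarRegister()
    reg.intake(DsarRequest("R-1", "subj-7f3a", "GDPR", "access", "web_form", date(2024, 3, 1)), "dpo")
    reg.intake(DsarRequest("R-2", "subj-9c1e", "CCPA", "delete", "phone", date(2024, 3, 1)), "privacy-team")
    reg.extend("R-1", date(2024, 3, 10), "dpo", "data spread across three legacy systems")
    print("overdue on 2024-04-16:", reg.overdue(date(2024, 4, 16)))
```

The extension check refuses to extend a request that is already past its deadline, because an extension granted late is not an extension but a missed deadline with paperwork; the audit entry records that the data subject still has to be told.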
Step 2: Verifying Data subjects’ identity and reviewing requested information
1. Before processing a request, verify the requester’s identity. Without this step the DSAR process itself becomes a way to hand someone’s personal data to whoever asks for it.
2. Both caution and restraint are needed. The Irish Data Protection Commission’s (DPC) guidance advises organizations to proceed proportionately when responding to a DSAR, noting that:
o Proof of identity should only be requested where it is appropriate and proportionate.
o Controllers should only ask for the minimum additional information required.
3. While verification is necessary, businesses should avoid demanding extra information or copies of IDs and passports when they already hold enough data to verify the requester. So how do you protect data subjects’ privacy while rejecting unfounded DSARs? The least intrusive approach is a second factor checked against data you already hold. For example, to complete a request, an organization might ask the data subject to:
o Confirm the phone number already associated with their account (a number typed into the request itself proves nothing, so the code must go to the number on file, not to one the requester supplies).
o Receive a text message or phone call at that number with a verification code.
o Enter the verification code.
o Answer a security question whose answer you already hold.
Treat the outcome of verification as a decision to record: who was verified, by what method, and when. Apply the same care to requests from agents acting on someone’s behalf, which need evidence of authorization as well as identity.
4. Once the requester’s identity has been verified, the person or team in charge of fulfillment reviews exactly what is being requested.
5. Acknowledge the request once it has been reviewed. The data subject feels more at ease knowing that the DSAR has arrived and that the proper steps will follow once it has been validated. Several laws specify how soon an organization must acknowledge and respond to a request.
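The verification flow described in Step 2, as an added example that is not the article’s own code or any product’s: a one-time code sent to the phone number on file plus a security question, with the details a practitioner needs to get right. The code is never stored in plaintext (only an HMAC of it), comparisons are constant-time, each challenge expires and allows a fixed number of guesses, a request for an unknown person or a non-matching number yields a challenge that can never succeed (so the process does not reveal whether you hold data on someone), and stored answers sit behind a slow salted hash. The directory layout, key, time limits, and sample subject are this example’s assumptions; the SMS sender is a callable you supply.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

OTP_TTL_SECONDS = 300   # code lifetime; assumed value
MAX_ATTEMPTS = 3        # guesses allowed per challenge; assumed value
PBKDF2_ROUNDS = 50_000  # illustrative work factor for stored answers


def normalize_phone(number: str) -> str:
    """Digits only, so '+1 (555) 010-0100' and '15550100100' compare equal."""
    return re.sub(r"\D", "", number)


def normalize_answer(answer: str) -> str:
    """Security-question answers compare case- and whitespace-insensitively."""
    return " ".join(answer.casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Answers are low-entropy, so store them under a slow salted hash; if the
    # directory leaks, offline guessing still costs the attacker something.
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(),
                               salt, PBKDF2_ROUNDS)


@dataclass
class Challenge:
    request_id: str
    subject_ref: Optional[str]  # None when the claimed identity matched nothing
    code_mac: bytes             # HMAC of the code; the plaintext code is never stored
    expires_at: float
    attempts: int = 0
    otp_ok: bool = False
    answer_ok: bool = False


class DsarVerifier:
    """Two-factor check against data already on file."""

    def __init__(self, directory: dict, server_key: bytes,
                 send_sms: Callable[[str, str], None],
                 now: Callable[[], float] = time.time) -> None:
        self._dir = directory    # subject_ref -> {"phone", "salt", "answer_hash"}
        self._key = server_key   # secret used to MAC one-time codes at rest
        self._send = send_sms    # callable(phone_on_file, code)
        self._now = now

    def _mac(self, code: str) -> bytes:
        return hmac.new(self._key, code.encode(), "sha256").digest()

    def start(self, request_id: str, subject_ref: str, claimed_phone: str) -> Challenge:
        record = self._dir.get(subject_ref)
        matches = record is not None and hmac.compare_digest(
            normalize_phone(claimed_phone), normalize_phone(record["phone"]))
        if matches:
            # The code goes to the number already on file, never to a number the
            # requester typed in: a fresh number proves nothing about who they are.
            code = f"{secrets.randbelow(10**6):06d}"
            self._send(record["phone"], code)
            return Challenge(request_id, subject_ref, self._mac(code),
                             self._now() + OTP_TTL_SECONDS)
        # Unknown subject or mismatched number: hand back a challenge that can never
        # pass, so the response does not reveal whether we hold data on this person.
        return Challenge(request_id, None, secrets.token_bytes(32),
                         self._now() + OTP_TTL_SECONDS)

    def submit_code(self, ch: Challenge, code: str) -> bool:
        if ch.otp_ok or ch.attempts >= MAX_ATTEMPTS or self._now() > ch.expires_at:
            return False
        ch.attempts += 1
        # Constant-time comparison of MACs, so guesses leak nothing via timing.
        if ch.subject_ref is not None and hmac.compare_digest(self._mac(code), ch.code_mac):
            ch.otp_ok = True
        return ch.otp_ok

    def submit_answer(self, ch: Challenge, answer: str) -> bool:
        record = self._dir.get(ch.subject_ref) if ch.subject_ref else None
        if record is None:
            return False
        if hmac.compare_digest(hash_answer(answer, record["salt"]), record["answer_hash"]):
            ch.answer_ok = True
        return ch.answer_ok

    def verified(self, ch: Challenge) -> bool:
        # Both factors must pass before the request is processed further.
        return ch.otp_ok and ch.answer_ok
```

An SMS code is a weak factor on its own (SIM swapping, number recycling), which is why the flow also requires something the requester should already know; for high-risk request types such as deletion or export of sensitive categories, a stronger step such as login to the existing account is preferable, and the same verification record should be kept whichever method is used.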
Step 3: Collecting and reviewing the data
1. For manual DSAR fulfillment, the standard operating procedure should specify:
o The systems and network locations where employees must look for stored data.
o Where employees compile the data subject’s information.
o Which employees have access to the compilation document and to the stored data.
2. Data is often fragmented or duplicated across a business’s networks, systems, and operations. The organization is responsible for all personal data it uses, processes, or stores, whether it sits in a CRM, a PDF file, or an application, so a maintained data map of where personal data lives is the practical prerequisite for this step.
3. Specific permissions may be needed to collect the requested data, depending on your industry or the type of customer submitting the DSAR. A few examples:
o Under legal professional privilege rules in the relevant jurisdiction, only designated employees may access information submitted by a former law firm client.
o If your business is moving from paper files to an electronic system, customer data may temporarily exist both physically and digitally, and different employees may have access to each.
o In the healthcare industry, you and your employees must also comply with medical confidentiality laws, such as HIPAA for US-based businesses.
4. Reviewing the collected data is essential to confirm that it meets your internal standards for approving or denying the request. For example, material must be redacted where disclosing it would reveal another person’s personal data (under the GDPR, Article 15(4) says the right to a copy must not adversely affect the rights of others); the subject’s own data in the same record is still disclosed.
5. The logging system must accommodate the several workflows involved in fulfillment. When employees complete a task, they record:
o The time and date the task was completed.
o The authorization they requested and received to complete the task.
o The locations from which they accessed the data.
o The internal and external communications needed to address the request.
6. Meeting the legal requirements and the customer’s request is what matters most, but logging each step keeps the business transparent during a regulatory audit or a later request from the same customer.
Step 4: Providing the data to the requester
1. After collecting and logging all required details, complete the request and deliver the data to the requester.
2. Present the information in clear, simple terms so the report is easy for the user to understand. It may consist of:
o A copy of the personal data
o The purposes for which that data is processed
o The categories of personal data collected
o The retention period, or the criteria used to determine it
o The recipients, or categories of recipients, to whom the data has been disclosed
o The source of the data, where it was not collected from the data subject
3. Remember that different laws set specific rules for how the response is delivered. For example, the GDPR requires that a request made by electronic means be answered in a commonly used electronic form, unless the data subject asks otherwise (Article 15(3)). Deliver the package over a channel that authenticates the recipient; sending an unencrypted archive of someone’s entire history to an email address is a breach waiting to happen.
4. You can now mark the request as “complete.”
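An added example, not from the original article or any product it mentions, of the assembly and delivery work in Steps 3 and 4: a small data map listing each system that holds personal data with its category, purpose, and retention period; a fetch routine per system; a redaction routine that withholds other participants’ content from a shared support ticket while disclosing the subject’s own; and a JSON export carrying the per-source metadata. The CRM records, the tickets, the subject references, and the purpose and retention strings are constructed sample data.

```python
import json
from dataclasses import dataclass
from typing import Callable

# Constructed stand-ins for two systems that hold personal data: a CRM keyed by
# subject reference, and a support desk whose tickets can involve several people.
CRM = {
    "subj-7f3a": {"name": "A. Example", "email": "a.example@example.test", "plan": "pro"},
    "subj-9c1e": {"name": "B. Sample", "email": "b.sample@example.test", "plan": "free"},
}
TICKETS = [
    {"id": 101, "participants": ["subj-7f3a", "subj-9c1e"],
     "messages": [{"from": "subj-7f3a", "text": "Please close my account."},
                  {"from": "subj-9c1e", "text": "I was copied on this by mistake."}]},
    {"id": 102, "participants": ["subj-9c1e"],
     "messages": [{"from": "subj-9c1e", "text": "Invoice question."}]},
]


@dataclass
class Source:
    system: str
    category: str                          # category of personal data held here
    purpose: str                           # why it is processed
    retention: str                         # how long it is kept
    fetch: Callable[[str], list]           # subject_ref -> raw records
    redact: Callable[[dict, str], dict]    # strip other people's data from a record


def fetch_crm(subject_ref: str) -> list:
    return [CRM[subject_ref]] if subject_ref in CRM else []


def fetch_tickets(subject_ref: str) -> list:
    # Only tickets the subject took part in; ticket 102 never reaches the package.
    return [t for t in TICKETS if subject_ref in t["participants"]]


def redact_ticket(ticket: dict, subject_ref: str) -> dict:
    # The subject's own messages are disclosed. Other participants' identities and
    # content are withheld by default and counted, so a reviewer can decide whether
    # any of it is also the subject's personal data and should be released.
    own = [m for m in ticket["messages"] if m["from"] == subject_ref]
    withheld = len(ticket["messages"]) - len(own)
    return {"id": ticket["id"], "messages": own,
            "withheld_third_party_messages": withheld}


def no_redaction(record: dict, subject_ref: str) -> dict:
    return record


SOURCES = [
    Source("crm", "account and contact details", "service delivery and billing",
           "life of the account plus 7 years", fetch_crm, no_redaction),
    Source("support_desk", "support correspondence", "customer support",
           "3 years after ticket closure", fetch_tickets, redact_ticket),
]


def build_package(request_id: str, subject_ref: str, sources=SOURCES) -> dict:
    # One entry per system, so the subject sees what was held where and why,
    # including systems that returned nothing.
    package = {"request_id": request_id, "sources": []}
    for src in sources:
        records = [src.redact(r, subject_ref) for r in src.fetch(subject_ref)]
        package["sources"].append({
            "system": src.system, "category": src.category,
            "purpose": src.purpose, "retention": src.retention,
            "records": records})
    return package


def to_json(package: dict) -> str:
    # A commonly used, machine-readable form, as required for electronic requests.
    return json.dumps(package, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(build_package("R-1", "subj-7f3a")))
```

The data map is the part that decays in practice: a new system that stores personal data but has no `Source` entry is invisible to this code, so the map needs an owner and a review trigger in your change process.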
Step 5: Handling appeals
Even after responding to a DSAR, you still have a few responsibilities.
Several data privacy laws require you to give data subjects a simple way to challenge a decision you make about their request.
For example, if you refuse someone’s request to have their information deleted, they may have the right to appeal.
US state laws such as the VCDPA require the appeals process to be as conspicuous and as easy to use as the original request channel. The GDPR has no formal appeal step; instead, when you refuse a request you must explain why and inform the data subject of their right to lodge a complaint with a supervisory authority and to seek a judicial remedy (Article 12(4)).
The law governing your company determines how long you have to respond to an appeal.
Step 6: Record keeping and documentation
Maintaining accurate, secure records of your DSARs and responses is crucial for internal organizational needs and if a regulator or other authority conducts a privacy audit.
Under the GDPR, you must maintain a record of the processing activities you carry out and make it available to the supervisory authority on request. This is the Record of Processing Activities, or RoPA, required by Article 30.
The RoPA describes your processing in general; a separate log of each DSAR and appeal, the decision taken and the reasons for it, is what demonstrates accountability when a particular request is questioned.
Keeping these records is good practice even where a regulation does not require it, because they let you show compliance if a problem emerges.
Keep DSAR records in line with the data privacy rules that apply to them: they are themselves a concentrated store of personal data, so restrict access, retain them only as long as needed, and protect them against breaches or unauthorized access.
Conclusion
The time has come for your company to create a uniform, effective DSAR process, built around the laws that apply to you and your customers.
Developing a DSAR process helps you comply with the data protection requirements that apply to you and aligns your team around the same procedure.
Even a small accidental violation of these laws can result in reputational damage and fines that quickly mount up.
An effective DSAR process also shows customers that your business is committed to safeguarding their privacy.
Data privacy surveys show consumers are more concerned than ever about what happens to their personal information online.
Show them you take that seriously by respecting their privacy and implementing a structured DSAR workflow.
PrivacyPillar offers innovative data privacy solutions for today’s businesses.
Our comprehensive data privacy platform lets you outsmart business risk, maintain compliance with global regulations, and foster brand trust.
With its DSAR software, PrivacyPillar can help transform your data privacy operations, regardless of how long your company has used digital technology.