What is a DSAR?
Laws such as the CCPA and the GDPR establish the responsibilities, rules, and rights that govern data privacy. They also set out how an organization must respond to a Data Subject Access Request (DSAR). So what is a DSAR? In simple terms, it is a formal request made by a data subject to an organization asking how that organization collects, stores, uses, shares, and deletes their personal information. Anyone who is a data subject, that is, a person the organization holds personal data about, can submit one.
What is Included in a DSAR Response?
What goes into a DSAR response depends on what the data subject has asked for. To understand this, take a look at the most common types of DSAR.
Data Summary Request
For a data summary DSAR, you must provide an account of the personal information you hold on the subject. If the subject has requested specific details, you are obligated to provide them. Here is what a data subject can ask for:
- Confirmation of processing of personal data
- Legal basis for data processing
- Access to personal information
- Period for which the data is stored
- Third parties you share the information with
- Relevant information on how the data was collected
- Information about automated profiling and decision-making
Deletion Request
Consumers can ask you to delete the data you hold on them. This is often referred to as the right to be forgotten or the right to erasure. In most cases, a deletion request follows a data summary request: the subject sees something in the summary that they do not want your organization storing and asks you to delete it.
Correction Request
A data subject may notice an error in their personal information and submit a request asking you to correct it.
Opt Out of Sharing their Personal Information
Many people are concerned about their personal information being used for targeted advertising. Through a DSAR, a data subject can ask you to stop sharing their information with third parties.
Please note that this is not an exhaustive list; consumers can exercise any of the rights granted by the different laws through a DSAR.
Who Can Submit a DSAR?
In most cases, any data subject can submit a DSAR. Some laws have carved out particular categories of people, such as commercial partners, job candidates, or employees, from certain obligations. However, businesses subject to the CCPA, GDPR, or PIPEDA are required to handle employee DSARs as well.
In some cases, a person can submit a request on behalf of someone else. Here are a few examples in which this is allowed:
- An official appointed by the court to handle someone’s affairs
- A parent or guardian requesting information on their child
- Someone working on behalf of their employer or client
In such cases, you must satisfy yourself that the request and the authority behind it are genuine. You can ask for supporting evidence such as a birth certificate, court order, or power of attorney documentation, and you should verify the identity of the person making the request as well as that of the data subject.
If one of your employees submits a DSAR, handle it with particular care. Employee records often contain special categories of data (for example health or disciplinary information), and mishandling those attracts higher penalties. Employee DSARs are also usually triggered by a perceived wrong: an employee typically submits one to find out why they were not promoted or why they were placed on a performance improvement plan. A consumer, on the other hand, might submit a request out of curiosity.
Data privacy laws also prohibit you from retaliating against an employee for making a DSAR. If they make a request and you then terminate them, they may sue, even if the two events were unrelated, so document the business reasons for any such decision.
How to Comply With Data Privacy Policies
If you want to comply with data privacy policies, there are several things you need to understand and a number of steps you can take. The following sections walk through them.
Why do DSARs Matter?
DSARs matter because data privacy laws around the world are designed to make it easy for people to find out what data an organization holds about them. Ignoring or mishandling these requests can cost an organization a great deal.
Laws such as the GDPR have strengthened individual rights over personal data. If you do not honor them, you can face expensive penalties. This is why you need a defined DSAR remediation process that produces a complete, timely response every time.
How Quickly Can You Respond to DSAR?
You must acknowledge a DSAR promptly and respond within the statutory deadline. Under the GDPR the deadline is one month from receipt of the request; under the CCPA (as amended by the CPRA) it is 45 days.
For complex or numerous requests from the same subject, the GDPR allows you to extend the deadline by up to two further months, and the CCPA/CPRA by a further 45 days. In either case you must tell the data subject, within the original deadline, that you are extending and why. If you fail to respond on time, you may face significant fines and penalties, and your reputation may suffer: an apparent unwillingness to answer a DSAR invites speculation that you have something to hide.
Refusing to Respond to a DSAR
Yes, it is important to respond to DSARs, but you are not required to comply with every single request. There are two grounds on which you can refuse (under the GDPR you may alternatively charge a reasonable fee on the same grounds):
It’s an Excessive Request
A request is excessive when, for example, it repeats or largely overlaps with a request the same person submitted recently.
The Reason for the Request is Unfounded
A request is manifestly unfounded when the requester is plainly not trying to exercise their right of access but is using the request for some other purpose, for example to harass the organization or to dress up an unsubstantiated claim against it.
Please note that demonstrating that a request is excessive or unfounded is difficult, and the burden is on you. You cannot adopt a blanket policy that sets acceptance criteria for DSARs; each request must be considered on its own facts. If you refuse a DSAR, make sure you can confidently justify the refusal to the supervisory authority, and tell the data subject the reason and their right to complain.
Who Should Respond to DSARs in the Organization?
Responsibility for DSARs in an organization falls under the purview of the Data Protection Officer (DPO), or, where the law does not require a DPO, of whoever owns privacy compliance. That person must be familiar with data protection and privacy regulations. While they are not personally responsible for compiling every response, they must oversee the entire process and ensure that responses are complete, accurate, and submitted on time. They must also maintain documentation of the DSAR response process so that anyone in the organization can follow it.
Challenges of Handling a DSAR
Handling a DSAR is not an easy task. It comes with its own set of challenges. Let us take a look at some of them:
Locating the Data
If the person handling a request cannot identify where the data lives, they cannot confirm that they have retrieved all of it. An up-to-date data inventory, mapping each category of personal data to the systems that hold it, is a must for fulfilling DSARs lawfully.
Routing the Request
It is important that the request reaches the right department, where it can be remediated properly. In large organizations this can be challenging, especially when customer data is collected and stored in multiple places.
Manual Collection Process
If you still rely on manual collection, you are leaving more room for error and for missed deadlines. An automated solution costs more, but it helps ensure that the request is fulfilled accurately and on time. eDiscovery solutions such as Casepoint are capable of handling DSAR requests.
High Volume of DSARs
In 2018, Microsoft received 18 million DSAR requests through its self-service DSAR portal. Not every organization has the reach of Microsoft, but most large and mid-sized organizations are receiving a growing number of requests. Technology can help you keep up.
Steps for Creating a DSAR Response Process
Every organization needs an effective, efficient, and lean DSAR response process, and a team that can run it. Here are the steps:
Verify the Identity of the Data Subject
It is your responsibility to ensure that the request is genuine. Authenticate the requester by checking the identifiers they supply against the records you hold, and ask for proof of identity where the data is sensitive. To do this, there are a few things you need to consider:
- How has the request been made?
- How can you verify the identity of the person?
- Is it possible to automate this process?
Confirm the DSAR's Type and Route it
For this step, you must know what the data subject is asking for and where in the organization that information can be found. If the request is unclear, confirm its scope with the data subject. Then route it to the correct team. For more sensitive information, such as payroll details or medical records, restrict access to the small set of employees who are authorized to handle it.
Collect the Required Personal Information
If you have an up-to-date data inventory and a platform such as Casepoint that can pull data from your organization's interconnected data sources, this is a simple step. If you have no central data repository or collection tool, you will have to request the information from IT, and depending on the request it may take some time.
Review the Data and Package it
Once the relevant data has been collected, review it to make sure you are delivering exactly what was requested and nothing more. Redact other people's personal data, legally privileged material, and confidential company information, and keep a note of what was withheld and why. A review solution can help you apply and track redactions.
Send the Results
Once the documents have been reviewed, send them to the data subject in a secure way. If the data is delivered digitally, use an encrypted channel or an encrypted file, and share any password or key separately from the data itself. Notify the internal teams involved that the request has been fulfilled.
Document the Fulfillment
To protect the organization and to show good faith, you must be able to prove that the request was completed. If questions arise later, you will need documentation showing what was delivered, to whom, and when.
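The steps above as one end-to-end script, added here as an illustration; it is not code from Casepoint or from any product the page mentions. Every data store, record, field name and requester below is constructed sample data, and the constant-time identity check and the hash-based delivery record are design choices of this example, not requirements of any statute.

```python
"""Minimal DSAR fulfilment pipeline: verify, route, collect, redact, package, record.

Added illustrative example. SOURCES, OWNERS and the field names are assumptions;
a real deployment would read them from the organisation's data inventory.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample systems, keyed by the subject id each system shares.
SOURCES = {
    "crm": [
        {"subject_id": "u-1001", "email": "alice@example.com", "dob": "1990-04-12",
         "plan": "pro", "shared_with": ["AdPartnerCo"]},
        {"subject_id": "u-1002", "email": "bob@example.com", "dob": "1985-01-30",
         "plan": "free", "shared_with": []},
    ],
    "support": [
        {"subject_id": "u-1001", "ticket": 77, "body": "Refund please",
         "agent_note": "PRIVILEGED: legal reviewing chargeback dispute",
         "cc_email": "bob@example.com"},
    ],
}
# Which team owns each system (assumed), used to route the request.
OWNERS = {"crm": "marketing-ops", "support": "cx"}

# Fields that belong to someone other than the requester, or are legally privileged.
THIRD_PARTY_FIELDS = {"cc_email"}
PRIVILEGED_FIELDS = {"agent_note"}
REDACTED = "[REDACTED]"


def verify_identity(claimed_email, claimed_dob):
    """Match the claimed identifiers against the system of record.

    Returns the internal subject id, or None. Both comparisons run in constant
    time and are combined with & (no short circuit) so a wrong date of birth
    takes as long as a wrong email; this avoids confirming account existence
    through timing alone.
    """
    for rec in SOURCES["crm"]:
        ok = hmac.compare_digest(rec["email"].encode(), claimed_email.encode()) \
            & hmac.compare_digest(rec["dob"].encode(), claimed_dob.encode())
        if ok:
            return rec["subject_id"]
    return None


def collect(subject_id):
    """Pull every record for the subject from every inventoried source."""
    return {name: [r for r in recs if r["subject_id"] == subject_id]
            for name, recs in SOURCES.items()}


def route(collected):
    """Teams that must act on this request: owners of the sources that hold data."""
    return sorted({OWNERS[src] for src, recs in collected.items() if recs})


def redact(collected):
    """Return a copy with third-party personal data and privileged material removed."""
    blocked = THIRD_PARTY_FIELDS | PRIVILEGED_FIELDS
    return {src: [{k: (REDACTED if k in blocked else v) for k, v in r.items()} for r in recs]
            for src, recs in collected.items()}


def package(request_id, subject_id, redacted):
    """Serialise the response deterministically and hash it.

    The digest is what the audit record keeps: it proves what was delivered
    without storing a second copy of the personal data.
    """
    body = json.dumps({"request_id": request_id, "subject_id": subject_id,
                       "data": redacted}, sort_keys=True, indent=2).encode()
    return body, hashlib.sha256(body).hexdigest()


def fulfil(request_id, claimed_email, claimed_dob, now=None):
    """Run the whole pipeline and return the internal audit record."""
    subject_id = verify_identity(claimed_email, claimed_dob)
    if subject_id is None:
        return {"request_id": request_id, "status": "identity_not_verified"}
    collected = collect(subject_id)
    body, digest = package(request_id, subject_id, redact(collected))
    # `body` would now go to the subject over an encrypted channel; only its
    # fingerprint, size and timestamp are retained as proof of fulfilment.
    return {"request_id": request_id, "status": "fulfilled", "subject_id": subject_id,
            "routed_to": route(collected), "sha256": digest, "size": len(body),
            "delivered_at": (now or datetime.now(timezone.utc)).isoformat()}


if __name__ == "__main__":
    print(json.dumps(fulfil("dsar-0001", "alice@example.com", "1990-04-12"), indent=2))
```

Two things worth noting: the redaction pass replaces only named fields, so keeping THIRD_PARTY_FIELDS and PRIVILEGED_FIELDS in step with the data inventory is part of the process, and re-running `package` on the same redacted data reproduces the same digest, which is what lets you show later that a given file was the one sent.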
Exemptions for DSAR Fulfillment
There are certain potential exemptions from fulfilling a DSAR. Let us take a look at them:
- Fulfilling the request would disclose someone else’s personal information to the requester without that person’s consent
- The information is under legal hold
- The request is manifestly unfounded or excessive
- The requested data contains confidential references that cannot be redacted
- The requested data contains information about your business’s planning or forecasting that cannot be redacted
It can be difficult to determine whether a request falls within the scope of any of these exemptions. In gray areas you must have a justifiable, documented reason for claiming an exemption, and an exemption usually applies to the specific material in question rather than to the whole request.
Organizations need technology solutions such as Casepoint to manage DSARs in a timely fashion. With such a solution they can build a simple workflow for collecting, reviewing, and delivering the information, and automate and streamline data privacy management. Relying on a capable platform increases transparency and lets you handle data privacy requests more effectively.