What is a DSAR?
Laws such as the GDPR and CCPA set out the rules, responsibilities, and rights that govern personal data, including how an organization must handle a Data Subject Access Request (DSAR). So what is a DSAR? In simple terms, it is a formal request from a data subject to an organization asking what personal data it holds about them and how it collects, stores, uses, shares, and deletes that data. Anyone whose personal data an organization processes is a data subject and can submit one.
What is Included in a DSAR Response?
The content of a DSAR response depends on what the data subject asked for, so it helps to look at the most common types of DSARs.
Please note that this isn’t an exhaustive list, and consumers can exercise different rights provided by different laws through DSARs.
Who Can Submit a DSAR?
In most cases, any consumer can submit a DSAR. Some laws carve out commercial partners, job candidates, employees, and similar categories, but businesses subject to the CCPA, GDPR, or PIPEDA must handle employee DSARs as well.
In some cases, a person can submit a request on behalf of someone else. Here are a few examples in which this is allowed:
- An official appointed by the court to handle someone's affairs
- A parent or guardian requesting information on their child
- Someone working on behalf of their employer or client
In such cases, verify that the request is genuine and that the requester is actually authorized to act for the data subject; ask for supporting evidence such as a birth certificate or power of attorney documentation. Releasing personal data to someone who is not entitled to it is itself a disclosure incident, so this verification step is not optional.
If one of your employees submits a DSAR, give it special attention. Employers typically hold sensitive personal data about staff (HR files, performance reviews, sometimes health information), so mishandling the response exposes you to higher penalties. Employee DSARs are also usually triggered by a perceived wrong: an employee typically submits one to find out why they were passed over for promotion or placed on a performance improvement plan, whereas a consumer may submit one out of curiosity.
Data privacy laws also prohibit retaliating against an employee for making a DSAR. If an employee submits a request and is later terminated, they may sue even if the two events are unrelated, so document the grounds for any adverse action independently of the request.
How to Comply With Data Privacy Policies
If you want to comply with data privacy policies, there are certain steps you can take:
Why do DSARs Matter?
DSARs matter because data privacy laws around the world are designed to make it easy for people to learn what data an organization holds about them. For an organization, ignoring these requests can be costly.
Laws such as the GDPR have strengthened individuals' data privacy rights, and failing to honor them exposes you to substantial penalties. This is why you need a documented DSAR response process that produces a complete, timely answer every time.
How Quickly Can You Respond to DSAR?
You must respond to a DSAR promptly. Under the GDPR the deadline is one month from receipt of the request (commonly treated as 30 days), and most other laws use a similar period. The CCPA (as amended by the CPRA) allows 45 days.
For complex or numerous requests from the same subject, the GDPR allows the period to be extended by up to two further months (the CCPA allows one additional 45-day period). You must notify the data subject of the extension, and the reason for it, before the initial period runs out. Missing the deadline can bring significant fines and penalties and damage your reputation; unwillingness to respond invites speculation that you have something to hide.
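The deadline rules above are easy to get wrong at month ends and when an extension notice goes out late. The following is an added worked example, not code from the original article or from any product it mentions; it encodes the periods as stated here (GDPR: one month, extendable by two further months; CCPA: 45 days plus 45 days) and assumes the common regulator convention that "one month" ends on the same calendar day of the next month, or its last day if that day does not exist. It also accepts ISO date strings so it can be fed straight from a ticketing export.

```python
"""Due-date calculator for DSAR responses (added illustration, not the article's code)."""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Union

DateLike = Union[date, str]

# (unit, initial period, extension period) per regime, as described in the article.
REGIMES = {
    "GDPR": ("months", 1, 2),   # one month, extendable by two further months
    "CCPA": ("days", 45, 45),   # 45 days, extendable by a further 45 days
}


def _to_date(d: DateLike) -> date:
    return date.fromisoformat(d) if isinstance(d, str) else d


def add_months(d: date, months: int) -> date:
    """Same day `months` later; clamp to month end when that day does not exist
    (assumed convention: 31 Jan + 1 month -> 28/29 Feb)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def _add(d: date, unit: str, n: int) -> date:
    return add_months(d, n) if unit == "months" else d + timedelta(days=n)


@dataclass
class Deadline:
    regime: str
    received: date
    initial_due: date              # respond, or send the extension notice, by this date
    extended_due: Optional[date]   # set only when a valid extension notice was sent
    status: str                    # "initial_period" | "extended" | "extension_invalid"


def dsar_deadline(received: DateLike, regime: str,
                  extension_notified_on: Optional[DateLike] = None) -> Deadline:
    """Compute the response deadline, honouring an extension only if the notice
    reached the data subject within the initial period."""
    unit, initial, extension = REGIMES[regime]
    received = _to_date(received)
    initial_due = _add(received, unit, initial)
    if extension_notified_on is None:
        return Deadline(regime, received, initial_due, None, "initial_period")
    if _to_date(extension_notified_on) > initial_due:
        # Notice went out after the clock ran out: the extension does not apply
        # and the request is already overdue.
        return Deadline(regime, received, initial_due, None, "extension_invalid")
    # The extension is measured from receipt, not from the initial due date.
    extended_due = _add(received, unit, initial + extension)
    return Deadline(regime, received, initial_due, extended_due, "extended")


def days_remaining(deadline: Deadline, today: DateLike) -> int:
    """Days left until the operative due date; negative when overdue."""
    due = deadline.extended_due or deadline.initial_due
    return (due - _to_date(today)).days


if __name__ == "__main__":
    # Constructed sample: a request received on the last day of January.
    for regime in REGIMES:
        d = dsar_deadline("2024-01-31", regime)
        print(f"{regime}: received {d.received} -> respond by {d.initial_due}")
    late = dsar_deadline("2024-01-31", "GDPR", extension_notified_on="2024-03-01")
    print(f"GDPR, extension notified 2024-03-01: {late.status}")
```

Note that a GDPR request received on 31 January is due on 29 February in a leap year, not "30 days later", and that the extended date is three months from receipt rather than two months after the first due date; both are easy to miscompute in a spreadsheet.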
Refusing to Respond to a DSAR
Responding to DSARs is important, but you are not required to comply with every single request. There are two grounds on which you can refuse:
Bear in mind that the burden of proving that a request is manifestly unfounded or excessive falls on you, and it is a high bar. You cannot apply a blanket policy of acceptable criteria; each request must be assessed on its own facts. If you refuse a DSAR, make sure you can give the supervisory authority a defensible reason, and tell the data subject why you refused and that they may complain to that authority.
Who Should Respond to DSARs in the Organization?
Responsibility for responding to DSARs sits with the Data Protection Officer (DPO), who must be familiar with data protection and privacy regulations. The DPO is not personally responsible for compiling every response, but oversees the whole process and ensures that the search for responsive data (eDiscovery) is complete and the response accurate and submitted on time. The DPO should also maintain documentation of the DSAR response process so that anyone in the organization can follow it.
Challenges of Handling a DSAR
Handling a DSAR isn't an easy task; it comes with its own set of challenges. Let's look at some of them:
Steps for Creating a DSAR Response Process
Every organization needs an effective, efficient, and lean DSAR response process, and a team that can run it. Here are a few steps that help:
To protect the organization and show good faith, you must be able to prove that the request was fulfilled. If questions arise later, you will need documentation showing what information was delivered, to whom, and when.
Exemptions for DSAR Fulfillment
There are certain potential exemptions for fulfilling DSARs. Let’s take a look at these:
- The request would expose someone else's information to the requester without that person's consent.
- The information is under
- The request is manifestly unfounded or excessive.
- The requested data contains confidential references that can't be redacted.
- The request covers information about your business's planning or forecasting that can't be redacted.
It can be difficult to determine whether a request falls within the scope of any of these exemptions. In gray areas, you must have a justifiable reason for claiming one, and you should record that reasoning at the time.
Conclusion
Technology solutions such as Casepoint help organizations manage DSARs on time by providing a simple workflow for collecting, reviewing, and delivering the requested information. Such platforms give you an automated, streamlined data privacy process, which improves transparency and makes data privacy requests easier to handle.