Luckily, more and more regulators are creating legal frameworks for how to deal with privacy, including the game-changing legal framework known as General Data Protection Regulation (GDPR). GDPR gives citizens more rights surrounding how their personal information is processed by businesses and other entities.
One of those rights — the right of access, or “subject access” — allows the public to learn what your organization knows about them and how you use that information. They learn this via a data subject access request (DSAR) or subject rights request.
DSARs are both nuanced and complex and may require a little finesse to navigate. In this guide, we’ll explain how to stay compliant with data privacy regulations while appropriately responding to a DSAR.
Table of Contents
- What is a DSAR?
- What's included in a DSAR response?
- Who can submit a DSAR?
- Can I refuse to respond to a DSAR?
- Do I have to provide everything?
- How quickly do I have to respond to a DSAR?
- Can you charge fees for a DSAR?
- Who should respond to a DSAR within my organization?
- Okay, but how do we handle a DSAR?
- What makes responding to a DSAR so challenging?
- Get compliant with Osano
What is a DSAR?
A person can submit a data subject access request (DSAR) to an entity and, upon receipt, the entity must provide the requested information. The GDPR officially explains a DSAR like this:
“A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”
The California Consumer Privacy Act (CCPA), and its follow-up, the California Privacy Rights Act (CPRA), uphold similar rights. Here’s how the CCPA explains it:
“[...] It is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights: [...] (4) The right of Californians to access their personal information.”
In short? When a person (or “data subject”) submits a DSAR — which they can do at any time — your organization must respond with a copy of any information you have on the subject.
DSARs aren’t new; organizations and governments have used them for years. But recent consumer data privacy regulations introduced several changes that made it easier for individuals to make requests. The changes go a long way toward transparency in data processing, but they can create challenges for companies and organizations.
What’s included in a DSAR response?
In responding to a DSAR, your organization would typically provide a complete list of all personal information you have on a subject. In some cases, the subject may request only specific details. You are obligated to provide whatever information the subject requests.
Subjects can request the following:
- Confirmation that you process their personal data
- Access to their personal information
- Your lawful basis for processing their data
- The period for which you’ll store their data (or the criteria you’ll use to determine that period — i.e., “as long as you’re a customer”)
- Any relevant information about how the data was obtained
- Any relevant information about automated decision-making and profiling
- The names of any third parties you share their information with
Individuals don’t need a reason to submit a DSAR. In response to a request, the only questions an entity may ask are those that verify a subject’s identity and help locate the requested information.
Admittedly, this can be a burden — especially if you don’t keep all of a subject’s data in one convenient place. If necessary, we suggest implementing a data-mapping process to keep track of data and where it’s kept, as well as a reporting tool to cull information from multiple sources.
Who can submit a DSAR?
Anyone can submit a request; they aren’t limited to customers or users. Employees, contractors, sales prospects, job candidates, and donors are all people who may submit a DSAR to organizations that store their personal data.
In some cases, an individual may submit a DSAR on behalf of another person.
This usually happens when:
- A parent or guardian requests information on a child
- A court-appointed official is handling someone’s affairs
- Someone requests information on behalf of their client or employer
- The data subject requests help from a friend or relative
If this is the case, it’s your organization’s responsibility to ensure the request is genuinely on behalf of the data subject. In response to this DSAR type, you’re allowed to ask for supporting evidence of the relationship, like a birth certificate that names parents, guardianship paperwork, or power of attorney documentation.
Can I refuse to respond to a DSAR?
While it’s important to respond to most DSARs, you don’t have to respond to everyone. Your organization can refuse to comply for two reasons:
- The request is manifestly unfounded. The requester doesn’t intend to exercise their right of access appropriately. For instance, they might plan to use the request to make unsubstantiated claims against the organization.
- The request is excessive. For instance, an excessive request is one that overlaps with another recently submitted request.
That said, be careful about refusing to respond to a DSAR. It can be difficult to prove whether a DSAR is unfounded or excessive, and there are few solid definitions or examples of what qualifies. Plus, the exceptions apply differently to each organization.
For example, submitting a monthly DSAR to a global business intelligence company that tracks hundreds of data points may not be excessive, but submitting that many to a local gym that keeps only names and email addresses would be excessive.
And according to GDPR, organizations can’t create a blanket policy that sets criteria for “acceptable” DSARs. Instead, you must consider each request on a case-by-case basis. If you decide to refuse a DSAR, be confident in your ability to provide a reason to authorities.
Do I have to provide everything?
No, you only need to provide information that’s considered personal data. Organizations don’t need to include everything that mentions or refers to the data subject. For instance, you don’t need to provide internal memos or notes about the subject’s sales account.
Additionally, some information can be redacted. You should redact private organization information and anything that isn’t within the DSAR’s scope. Most importantly, redact any information that relates to another person. Otherwise, you’d be committing a data breach.
How quickly do I have to respond to a DSAR?
You should respond to a DSAR “without undue delay,” but at the latest within one month of the request. If a subject’s requests are numerous or complex, you can extend the deadline by two months. That said, you must respond to the request within the first month, explaining why an extension is necessary.
Failure to respond to a DSAR at all within 40 days opens you up to significant fines and regulatory penalties. It can also tarnish your reputation: The assumption, of course, is that if you aren’t willing to be transparent about data, you must be up to something nefarious.
Can you charge fees for a DSAR?
While charging fees for data requests was once permitted, it’s no longer allowed in most cases. Requesting payment is allowed only if you feel it meets one or both of the exceptions listed earlier: The DSAR is manifestly unfounded or excessive.
Remember: Only declare a DSAR unfounded or excessive if you’re absolutely sure you can defend that position in court. In most cases, it’s simpler and cheaper to respond to the DSAR rather than risk penalties.
Who should respond to a DSAR within my organization?
It helps to designate someone as a data protection officer (DPO). This person should be familiar with data privacy regulations and data protection.
Your DPO doesn’t have to compile a response for every request, but they should oversee the process to ensure responses are accurate, timely, and compliant. In fact, it’s smart to document your DSAR response process so anyone in your organization can comply.
If your organization fields a lot of DSARs, consider automating a process to compile responses. It’s simpler and more cost-effective to auto-generate a DSAR response than to compile each response manually.
Okay, but how do we handle a DSAR?
There is no formal process for handling a DSAR. In fact, data subjects have a lot of freedom here. An individual might request their data over the phone, in person, or by clicking a “Submit DSAR” button in an app.
That said, it’s typically more efficient for subjects to submit written requests. This creates a record of the DSAR for both parties, including the date it was made, the types of requested data (or simply “all data”), and other relevant information.
People don’t have to use the term “DSAR” or “data subject access request.” They could say things like, “I’d like to see the data you have on me” or “Show me the information you keep on me.”
Despite a lack of formal processes for handling DSARs, the following steps are considered industry standard:
Step 1: Verify the subject’s identity.
Verify the identity of the requester so you can a) determine whether you have the information they’re looking for, and b) safely distribute the information. If you send subject data to the wrong person, you may commit a data breach.
Step 2: Clarify the nature of the request.
Review the DSAR to determine what the requester wants to know. In most cases, people simply want to see the data you have on them, but they may also invoke other data privacy rights. For instance, a subject may request “rectification,” or the correction of inaccurate data.
Once you’ve gained clarity around the subject’s request, decide whether you can reply within a month. If more time is needed to generate a response, explain this to the requester.
Step 3: Review the data.
Before you send requested data to the subject, review it carefully. Make sure it doesn’t include anyone else’s personal information to avoid accidental data breaches. Additionally, it helps to explain why you have particular information on a subject.
Step 4: Collect and package the data.
Next, gather all of the requested data into a response; the format will depend on the information you’re providing. The actual file type must be common and easily accessible. Where possible, the GDPR encourages providing data subjects with remote access to a secure system that would give direct access to their personal data.
If the subject asks for everything, make sure your response is as comprehensive as possible. If your organization holds anything back, it could be accused of violating the subject’s rights.
Step 5: Explain the subject’s rights.
At the end of your response, include a section that reminds individuals of their data privacy rights. Mention their right to object to data processing and their right to request data rectification. Additionally, mention their ability to lodge a complaint with supervising authorities.
Step 6: Send requested data to the subject.
Submit your organization’s response to the subject. Document your communications with requesters so an audit trail exists for accountability and compliance.
What makes responding to a DSAR so challenging?
On paper, responding to a DSAR sounds straightforward. The challenge, however, is locating the personal information you’ve been asked to provide. Over the last decade, we’ve seen massive growth in data collection and proliferation, but organizations tend to pay little attention to data governance and management.
In other words, data is everywhere, but most entities don’t have it inventoried.
For instance, a single payment transaction may trigger a dozen systems, each with its own unique data points. To sift through each system, someone has to be constantly aware of its data actions. And most organizations don’t get rid of data, making the search that much harder.
Thus, responding to DSARs requires a careful understanding of the personal information you store, where it’s located, and why you have it. Consider implementing data governance policies to ensure appropriate DSAR responses.
Get compliant with Osano
If you think your organization is too small to get noticed by the EU’s supervisory authorities, think again. EU authorities fine even the smallest local stores. Together, the United States and the EU share a cooperative agreement: Even if your company is based solely in the U.S., GDPR laws still apply.
But Osano can help. When it comes to DSAR responses, our tools help verify a data subject’s identity, assign tasks to appropriate owners, and deliver results in the required time. We also have tools to help automate this process, saving you, the team, and your organization precious time. Get compliant now; we’re here to simplify it.