The General Data Protection Regulation (GDPR) gave EU residents (and anyone who does business with EU organizations) a variety of new rights in regards to how organizations collect and process their personal information.
One of those rights - the right to access - entitles people to learn what your organization knows about them and how you use that information. This is called subject access. The California Consumer Privacy Act (CCPA) established similar rights.
How do they get this information from you? By submitting a data subject access request (DSAR). In this article, we’re going to cover everything you need to know about DSARs so you can stay compliant with consumer data privacy regulations.
What is a Data Subject Access Request?
Recital 63 of the GDPR states:
“A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”
Section 2 of the CCPA also establishes a similar right:
“[...] It is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights: [...] (4) The right of Californians to access their personal information.”
A DSAR is a request from someone you store data on (called a data subject) to your organization. They can submit this request at any time. You are obligated to respond with a copy of any relevant information you have on the subject.
DSARs aren’t new. Organizations and governments have used them for years. But recent consumer data privacy regulations introduced several changes that made it easier for individuals to make requests. The changes go a long way toward transparency in data processing, but they create some challenges for organizations like yours.
What’s Included in a DSAR Response?
A DSAR typically requests a complete list of all personal information you have on a subject. But in some cases, the subject may request only specific details. You are obligated to provide whatever information the subject requests.
Subjects can request to know the following:
- Confirmation that you process their personal data.
- Access to their personal information.
- Your lawful basis for processing their data.
- The period for which you’ll store their data (or the criteria you’ll use to determine that period, e.g. “as long as you’re a customer”).
- Any relevant information about how the data was obtained.
- Any relevant information about automated decision-making and profiling.
- The names of any third parties you share their information with.
Individuals do not need a reason to submit a DSAR. Subjects can request to see their data at any time. Organizations may only ask questions that verify the subject’s identity and help them locate the requested information.
Admittedly, this is a burden, especially if you don’t keep all of a subject’s personal information in one convenient place. You may have to implement a data mapping process to keep track of data and where it’s kept, as well as a reporting tool to pull information from multiple sources and generate a DSAR response.
Who Can Submit a DSAR?
Anyone can submit a request. They aren’t limited to customers or users. Employees, contractors, sales prospects, job candidates, and donors are just a few other groups whose personal data may be stored by an organization and have the right to submit a DSAR.
In some cases, an individual may submit a DSAR on behalf of another person. This usually happens when...
- Someone with parental/guardian responsibility requests information on a child.
- Someone appointed by a court to manage another person’s affairs.
- Someone requests information on behalf of their client or employer.
- The data subject requests help from a friend or relative.
As the organization, it’s your responsibility to make sure the person making the request is genuinely doing so on behalf of the data subject. You are allowed to request supporting evidence of the relationship, such as a birth certificate that names parents, guardianship paperwork, or power of attorney documentation.
Can You Refuse to Respond to a DSAR?
While it’s important to respond to most DSARs, you don’t have to respond to everyone. Your organization can refuse to comply for two reasons:
- The request is manifestly unfounded, meaning the requester doesn’t intend to exercise their right of access appropriately. For instance, they might plan to use the request to make unsubstantiated claims against the organization.
- The request is excessive. For instance, an excessive request is one that overlaps with another recently submitted request.
That said, be careful about refusing to respond to a DSAR. It’s difficult to prove that a DSAR is unfounded or excessive: there are no specific definitions or examples of what qualifies for those exceptions, and the exceptions apply differently to each organization.
For example, submitting a DSAR every month to a global business intelligence company that tracks hundreds of data points may not be excessive, but submitting at that frequency to a local gym that only has names and email addresses would be excessive.
Additionally, you aren’t allowed to create a blanket policy that sets criteria for “acceptable” DSARs. You must instead consider each request on a case-by-case basis. If you decide to refuse a DSAR, you should be absolutely confident in your ability to explain the reason for the refusal to authorities.
Do You Have to Provide Everything?
No. You only need to provide information that’s considered personal data. You do not need to include everything that mentions or refers to the data subject. For instance, you do not need to provide internal memos or notes about the subject’s sales account.
Furthermore, some information can be redacted. You should redact private organization information and anything that isn’t within the scope of the DSAR. Most importantly, redact any information that relates to another person. Otherwise, you would be committing a data breach.
How Long Do You Have to Respond to a DSAR?
You should respond to a DSAR “without undue delay,” but at the latest within one month of the request. If the requests are numerous or complex, you can extend the deadline by two months, but you are still expected to respond to the request within the first month and explain why the extension is necessary.
Failure to respond to the DSAR within 40 days opens you to significant fines and regulatory penalties. It also tarnishes your reputation. You don’t want to be known as an organization that won’t be transparent about subject data. The assumption, of course, is if you aren’t willing to be transparent, you must be up to something nefarious.
Can You Charge a Fee for a DSAR?
Charging fees for data requests used to be permitted, but that’s no longer allowed in most cases. You can only require payment if you feel the request meets one of the two exceptions: manifestly unfounded or excessive. You can only base your fee on the real administrative cost of answering the request. You aren’t supposed to profit off DSARs.
Remember: You should only declare a DSAR unfounded or excessive if you’re absolutely sure you can defend that position in court. In most cases, it’s simpler and cheaper to respond to the DSAR rather than risk penalties.
Who Should Respond to a DSAR?
It helps to designate someone in your organization as a data protection officer (DPO). This should be someone who is familiar with the different data privacy regulations and data protection and takes responsibility for responding to DSARs.
Your DPO doesn’t necessarily have to compile the response for each subject’s personal data, but they should oversee the process to ensure that it’s completed on time, correctly, and in compliance with the consumer data privacy regulations. In fact, it’s smart to document your DSAR response process so anyone in your organization can comply. This ensures that requests aren’t forgotten because your DPO took a holiday or fell ill.
If you deal with a large volume of DSARs, consider automating the process of compiling responses. It’s far simpler and more cost-effective to generate a DSAR response with the push of a button than to compile each response manually.
What’s the Process for Handling a DSAR?
There is no formal process for handling a DSAR. In fact, data subjects have a lot of freedom here. An individual might request their data over the phone, ask someone on your team in-person, or click a “Submit DSAR” button in an app.
That said, it’s typically more efficient for subjects to submit requests in writing. This creates a record of the request for both parties, including the date it was made, the types of data they are requesting (or simply “all data”) and other relevant information.
Subjects don’t have to use the term “DSAR” or “data subject access request.” A subject might simply say, “I’d like to see the data you have on me” or “Show me the information you keep on me.” You are expected to understand what subjects mean whenever they ask to see the information you store.
Fortunately, responding to a DSAR is fairly straightforward. Follow these steps:
Step 1: Verify the Subject’s Identity
Your first step is to verify the identity of the requester so you can 1) determine whether you have the information they’re looking for, and 2) safely distribute the information. If you send subject data to the wrong person, you may commit a data breach.
Step 2: Clarify the Nature of the Request
Review the DSAR to determine what the requester wants to know. In most cases, subjects simply want to see all the data you have on them, but they may invoke other data privacy rights at the same time. For instance, a subject may request rectification - the correction of inaccurate data.
This is also when you determine if you can reply to the request within the one-month timeframe. If you’ll need more time to generate a response, explain this to the subject.
Step 3: Review the Data
Before you send the personal data to the subject, you’ll want to review it carefully. Make sure it doesn’t include anyone else’s personal information, or you’ll commit a data breach. For business purposes, it also helps to add explanations for why you have that information.
Step 4: Collect and Package the Data
Next, gather all of the subject’s data into a response. The format of this response will depend on the information you’re providing. The actual file type of the response must be something common and easily accessible. Where possible, the GDPR encourages you to give data subjects remote access to a secure system that would provide them with direct access to their personal data.
If the subject asks for everything, make sure your response is as comprehensive as possible. If you hold anything back, you could be accused of violating the subject’s rights.
Step 5: Explain the Subject’s Rights
At the end of your response, include a section that reminds the subject of their data privacy rights. Remind them that they have the right to object to the processing of their data, can request the rectification of their data, and/or can lodge a complaint with a supervisory authority.
Step 6: Send the Data to the Subject
Your final step is to submit a response to the subject. Document your communications with requesters so there’s an audit trail to demonstrate accountability and compliance.
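The six steps above, together with the data-mapping and reporting tool mentioned earlier, can be sketched as a small pipeline. The following Python is an added illustration written for this article; it is not Osano’s product code or the text of any regulation. The data inventory, system names, field names, email addresses and the one-month/two-month deadline arithmetic are constructed assumptions standing in for the many systems a real organization would query.

```python
"""Toy DSAR response pipeline (added example, not Osano's code).

Covers: identity check (Step 1), deadline computation (Step 2), redaction of
other people's identifiers (Step 3), gathering records from a data inventory
(Step 4), the rights notice (Step 5) and an audit trail (Step 6).
"""
import calendar
import re
from datetime import date

# Constructed inventory: system name -> records. In practice this is the
# output of the data-mapping exercise the article describes.
INVENTORY = {
    "crm": [
        {"email": "ana@example.com", "name": "Ana Lima", "tier": "gold",
         "purpose": "contract performance", "retention": "while a customer"},
        {"email": "bo@example.com", "name": "Bo Chen", "tier": "basic",
         "purpose": "contract performance", "retention": "while a customer"},
    ],
    "support": [
        {"email": "ana@example.com", "ticket": 101,
         "note": "Refund approved; bo@example.com (Bo Chen) was cc'd by mistake.",
         "purpose": "customer support", "retention": "3 years"},
    ],
    "marketing": [
        {"email": "ana@example.com", "consent": True, "source": "web signup form",
         "purpose": "consent", "retention": "until consent is withdrawn"},
    ],
}
SUBJECT_KEY = "email"  # the identifier every system is keyed on (assumption)
RIGHTS_NOTICE = ("You may object to processing, request rectification of "
                 "inaccurate data, or lodge a complaint with a supervisory authority.")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


def add_months(d: date, months: int) -> date:
    """Same calendar day N months later, clamped to month end (31 Jan -> 28/29 Feb)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def response_deadline(received: date, extended: bool = False) -> date:
    """One month by default; a complex request may be extended by two more months."""
    return add_months(received, 3 if extended else 1)


def verify_identity(claimed_email: str, verified_email: str) -> bool:
    """Step 1: release data only to the verified owner of the identifier."""
    return claimed_email.strip().lower() == verified_email.strip().lower()


def redact_other_subjects(text: str, subject_email: str) -> str:
    """Step 3: replace any other person's email, and the names of other known
    subjects, so the response cannot leak a third party's data."""
    text = EMAIL_RE.sub(
        lambda m: m.group(0) if m.group(0).lower() == subject_email.lower() else "[REDACTED]",
        text)
    for rows in INVENTORY.values():
        for row in rows:
            name = row.get("name")
            if name and row[SUBJECT_KEY] != subject_email:
                text = text.replace(name, "[REDACTED]")
    return text


def compile_response(subject_email: str, verified_email: str, received: date,
                     extended: bool = False):
    """Run the whole pipeline; returns None (and logs why) if identity fails."""
    audit = []  # Step 6: keep a record of everything done with the request
    if not verify_identity(subject_email, verified_email):
        audit.append("identity verification failed; no data released")
        return None
    audit.append(f"identity verified for {subject_email}")
    records = []
    for system, rows in INVENTORY.items():  # Step 4: search every mapped system
        for row in rows:
            if row[SUBJECT_KEY] == subject_email:
                clean = {k: redact_other_subjects(v, subject_email) if isinstance(v, str) else v
                         for k, v in row.items()}
                records.append({"system": system, **clean})
        audit.append(f"searched {system}")
    return {
        "subject": subject_email,
        "confirmation_of_processing": bool(records),
        "records": records,
        "respond_by": response_deadline(received, extended).isoformat(),
        "rights": RIGHTS_NOTICE,  # Step 5
        "audit_trail": audit,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(compile_response("ana@example.com", "Ana@Example.com",
                                      date(2024, 3, 15)), indent=2))
```

The redaction step is deliberately conservative: any email address other than the subject’s own is masked even if it belongs to nobody in the inventory, because the cost of an over-redaction is a follow-up question, while the cost of an under-redaction is a reportable breach.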
What Makes Responding to a DSAR so Challenging?
At face value, responding to a DSAR sounds straightforward. The challenge, however, is finding the personal information you’re supposed to turn over. There’s been a massive growth in data collection and proliferation over the last decade, but organizations tend to pay little attention to data governance and management. Basically, data is everywhere, but most organizations don’t have it inventoried.
For instance, a single payment transaction may trigger a dozen systems, each with their own unique data points. Someone has to be aware of all of those systems so they can dig through each in order to respond properly to a DSAR. And like most companies, you probably rarely get rid of any of your data, so there’s a lot to sort through.
Responding to DSARs, therefore, requires a careful understanding of what personal information you store, where it’s located, and its purpose. You may have to implement data governance policies to ensure you respond to DSARs appropriately and can defend yourself if you’re ever brought before regulators.
Get Compliant with Osano
Think you’re too small to get the attention of the EU supervisory authorities? Think again. EU authorities fine even the smallest local stores. The US and EU have a cooperative agreement, so even if you and your company are solely in the US, the GDPR can be enforced against you.
Osano can help you manage your Data Subject Access Requests. Our tools can help you verify the data subject’s identity, assign tasks to the appropriate owners, and deliver results to the data subjects in the time required by law. We also have tools to help automate this process, to save you and your teammates time. Get compliant now.