Your Guide to Data Subject Access Requests (DSARs)

As our lives and the internet become more entwined, our personal information becomes less private, more vulnerable, and up for grabs. And consumers are growing wise to the amount of attention their data receives.

Ninety-four percent of consumers want more control over the data they share with companies and more insight into how that data is used. What’s more, 77% of consumers say they factor transparent data practices into their purchasing decisions, with 30% only buying products that have demonstrated transparency.

What’s behind this increase in data privacy awareness? In part, it’s due to the ever-growing number of data privacy laws that grant consumers data privacy rights. 

The game-changing legal framework known as General Data Protection Regulation (GDPR) came first, forever changing how the world treats EU citizens’ data. From then on, the floodgates were opened: today, there are over 130 data privacy laws. While a U.S. federal data privacy law is still in the works, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give data protection rights to a massive number of U.S. citizens—not to mention the alphabet soup of other U.S. privacy laws.

Businesses need to understand all of these new rights, especially the rights surrounding data subject access requests (DSARs).

What is a data subject access request (DSAR)?

DSAR rights allow the public to learn what your organization knows about them and how you use that information. Even though “access” is in the term, DSARs allow consumers to delete their data, modify it, dictate with whom you share it, and more.

DSARs are both nuanced and complex and may require a little finesse to navigate. In this guide, we’ll explain how to stay compliant with data privacy regulations while appropriately responding to a DSAR. 

A person can submit a DSAR to an organization and, upon receipt, the organization must provide the respective information or take certain requested actions. Essentially, when your business receives a DSAR from a person (or “data subject”), you need to take the appropriate action with any information you have on the subject.

Think of it this way: A data subject’s personal information doesn’t really belong to you. They just give you permission to collect and use it, either by explicitly clicking “I Agree” on a cookie banner or by continuing to use your website or application after being presented with a data privacy disclosure. Since that personal information belongs to the data subject, they can dictate how you use it. When they make a request in that regard, it’s a DSAR.

DSARs aren’t new; organizations and governments have used them for years. But recent consumer data privacy regulations introduced several changes that made it easier for individuals to make requests. The changes go a long way toward transparency in data processing, but they can create challenges for companies and organizations. Let’s look at some of the major regulations that mandate DSARs.

Individuals don’t need a reason to submit a DSAR. In response to a request, the only questions an entity may ask are those that verify a subject’s identity and help locate the requested information.

Admittedly, this can be a burden — especially if you don’t keep all of a subject’s data in one convenient place. If necessary, we suggest implementing a data-mapping process to keep track of data and where it’s kept, as well as a reporting tool to cull information from multiple sources.

DSARs and the GDPR

As the first modern, omnibus data privacy regulation of its kind, the GDPR has afforded consumers DSAR rights the longest. The GDPR officially explains a DSAR like this:

A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.

Under the GDPR, businesses have 30 days to respond to a DSAR request (with the option of a 30 day extension under certain circumstances). It does not stipulate whether DSARs need to be made in any particular format—if a consumer calls your help line and requests access to their data, you’d have to grant it. If you’re particularly interested in GDPR compliance, check out our guide, How to comply with the General Data Protection Regulation (GDPR).

DSARs and the CCPA/CPRA

The California Consumer Privacy Act (CCPA), and its follow-up, the California Privacy Rights Act (CPRA), uphold similar rights. Here’s how the CCPA explains it:

(a) A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following: (1) The categories of personal information it has collected about that consumer. (2) The categories of sources from which the personal information is collected. (3) The business or commercial purpose for collecting, selling, or sharing personal information. (4) The categories of third parties to whom the business discloses personal information. (5) The specific pieces of personal information it has collected about that consumer.

The CCPA/CPRA differs from the GDPR in a few ways. For one, it provides a 45-day window to respond to a DSAR, with the possibility of another 45-day extension. It also stipulates that data subjects must be offered at least two ways of submitting a request, one of which must be a toll-free phone number. If the CCPA/CPRA is of particular interest to you, check out our blog, CCPA vs. CPRA: New rules for data subject access requests.

What are data subject rights?

Before we dive into the actual content of different kinds of DSARs, let’s review the different rights that grant data subjects the power to make DSARs.

Data privacy laws grant citizens various rights. Some rights simply exist and require action on the part of the business (like the data subject’s right to be informed) while others require the data subject to actually exercise them (like the right to access data). DSARs fall into the latter category.

Different laws grant different rights, but we’ll list out the data subject rights offered by the GDPR since it has served as the basis for most other data privacy laws. They are: 

• The right to be informed about the collection and use of personal data. If you collected it from the subject yourself, you have to notify the data subject at the time of collection.
• The right to access personal data and how it's processed. This is the most common sort of DSAR, and it’s why DSARs are referred to as access requests.
• The right to rectify inaccurate or incomplete personal data. If an individual requests rectification (verbally or in writing), you have one month to comply.
• The right to erase data. Also known as the right to be forgotten, this rule permits data subjects to request that you erase their personal data within 30 days. 
• The right to restrict the processing of personal data. Under this request, you have to stop processing a data subject’s data, though you can still store it.
• The right to data portability. Data subjects must be allowed to take their data from one platform to another and do so easily, safely, and securely.
• The right to object. Data subjects can object to how their information is used for marketing, sales or non-service-related purposes. Generally, you’ll have to comply with this request, but there are some exceptions—such as if the processing is being carried out for the public benefit.
• The right to object to automated decision-making and profiling. Data subjects have the right to say no to solely automated decisions—including profiling—being made about their data that could have a legal or similarly significant effect on them. 

This is just a summary of the rights afforded to EU citizens by the GDPR. If you want to review this and other features of the GDPR in more detail, check out the ultimate guide to the GDPR.

What's included in a DSAR response?

It actually depends on the request that the data subject makes. Let’s look at some of the most common types of DSARs. Note that this isn’t an exhaustive list. Different laws provide different rights that consumers can exercise through DSARs—these are just some of the most common and/or significant ones.

DSARs for data summaries

In responding to a data summary DSAR, your organization would typically provide a complete list of all personal information you have on a subject. In some cases, the subject may request only specific details. You are obligated to provide whatever information the subject requests.

Subjects can request the following:

• Confirmation that you process their personal data
• Access to their personal information
• Your lawful basis for processing their data
• The period for which you’ll store their data (or the criteria you’ll use to determine that period—i.e., “as long as you’re a customer”)
• Any relevant information about how the data was obtained
• Any relevant information about automated decision-making and profiling
• The names of any third parties you share their information with

But again, different laws will have different requirements, and listing out every permutation is beyond the scope of this article. The above list is a good start, but make sure to review your relevant law to see what you need to provide.

DSARs for deletion

Consumers can also request that you delete all the data you have on them, commonly referred to as the right to erasure or the right to be forgotten. 

A data subject might also request the deletion of certain types of data. Usually, they’ll have requested a data summary first. If they see something in the summary they aren’t comfortable with your organization storing, they might ask you to delete just that specific data from your systems.

DSARs for correction

Sometimes data subjects don’t mind that you have collected their personal information, but they’ve noticed an error in the data, or their personal information has changed. In this case, they might make a DSAR to ask you to correct the erroneous information.

DSARs to opt out of the sale or share of personal information

A particular feature of the CCPA/CPRA, consumers can ask that you stop any transfers of their personal information to third parties—unless you have a contract in place with that third party ensuring they’ll treat the consumers’ personal information compliantly. Notably, this excludes sharing personal information for targeted advertising purposes, which is a common concern for data subjects.

Who can submit a DSAR?

Most data privacy laws allow any consumer to submit a DSAR. Some laws exclude employees, commercial partners, job candidates, and the like from submitting DSARs, but that’s not the case with some of the largest jurisdictions covered by data privacy laws. Specifically,  businesses subject to the GDPR, CCPA/CPRA, or Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) must acknowledge employee DSARs in addition to consumer DSARs.

In some cases, an individual may submit a DSAR on behalf of another person. 

This usually happens when:

• A parent or guardian requests information on a child
• A court-appointed official is handling someone’s affairs
• Someone requests information on behalf of their client or employer
• The data subject requests help from a friend or relative

If this is the case, it’s your organization’s responsibility to ensure the request is genuinely on behalf of the data subject. In response to this DSAR type, you’re allowed to ask for supporting evidence of the relationship, like a birth certificate that names parents, guardianship paperwork, or power of attorney documentation.

Employee DSARs

When an employee submits a DSAR, you need to pay special attention to the request.

For one, your business will likely collect more personal information and more sensitive personal information from your employees. Under certain laws, sensitive personal information (like social security numbers, ethnicity, sexual orientation, and driver’s license numbers) carries higher penalties for any associated violations

Furthermore, employee DSARs are more likely to be triggered by a perceived wrong. A consumer might make a DSAR out of curiosity; an employee might do so to see why they were passed over for promotion or why they’ve been put on a performance improvement plan. 

Lastly, most data privacy laws prohibit businesses from retaliating against somebody for making a DSAR. If an employee makes a DSAR and their role is later terminated, they might try to sue—even if the two events were honestly unrelated!

Can I refuse to respond to a DSAR?

While it’s important to respond to most DSARs, you don’t have to respond to everyone. Your organization can refuse to comply for two reasons:

• The request is manifestly unfounded. The requester doesn’t intend to exercise their right of access appropriately. For instance, they might plan to use the request to make unsubstantiated claims against the organization.
• The request is excessive. For instance, an excessive request is one that overlaps with another recently submitted request.

That said, be careful about refusing to respond to a DSAR. It can be difficult to prove whether a DSAR is unfounded or excessive, and there are few solid definitions or examples of what qualifies. Plus, the exceptions apply differently to each organization. 

For example, submitting a monthly DSAR to a global business intelligence company that tracks hundreds of data points may not be excessive, but submitting that many to a local gym that keeps only names and email addresses would be excessive.

And according to GDPR, organizations can’t create a blanket policy that sets criteria for “acceptable” DSARs. Instead, you must consider each request on a case-by-case basis. If you decide to refuse a DSAR, be confident in your ability to provide a reason to authorities.

Do I have to provide everything?

No, you only need to provide information that’s considered personal data. Organizations don’t need to include everything that mentions or refers to the data subject. For instance, you don’t need to provide internal memos or notes about the subject’s sales account.

Additionally, some information can be redacted. You should redact private organization information and anything that isn’t within the DSAR’s scope. Most importantly, redact any information that relates to another person. Otherwise, you’d be committing a data breach.

How quickly do I have to respond to a DSAR?

You should respond to a DSAR “without undue delay," but most laws require you to respond within 30 days. The CCPA/CPRA, however, allows for a 45-day response time.

If a subject’s requests are numerous or complex, you can extend that timeline up to an additional 30 days (or 45 days under the CCPA/CPRA). That said, you must respond to a request within the first month, explaining why an extension is necessary.

Failure to respond to a DSAR at all before the deadline opens you up to significant fines and regulatory penalties. It can also tarnish your reputation: The assumption, of course, is if you aren’t willing to be transparent about data, you must be up to something nefarious.

Can you charge fees for a DSAR?

While charging fees for data requests was once permitted, it’s no longer allowed in most cases. Requesting payment is allowed only if you feel it meets one or both of the exceptions listed earlier: The DSAR is manifestly unfounded or excessive. 

Remember: Only declare a DSAR unfounded or excessive if you’re absolutely sure you can defend that position in court. In most cases, it’s simpler and cheaper to respond to the DSAR rather than risk penalties.

Who should respond to DSAR within my organization?

It helps to designate someone as a data protection officer (DPO). This person should be familiar with data privacy regulations and data protection.

Your DPO doesn’t have to compile a response for every request, but they should oversee the process to ensure responses are accurate, timely, and compliant. In fact, it’s smart to document your DSAR response process so anyone in your organization can comply.

Okay, but how do we handle a DSAR?

While there are certain requirements around how you handle DSARs—such as verifying the requester's identity and responding within a certain timeline—a great deal of the process is left up to businesses. In fact, data subjects have a lot of freedom here. An individual might request their data over the phone, in person, or by clicking a “Submit DSAR” button in an app.

That said, it’s typically more efficient for subjects to submit written requests. This creates a record of the DSAR for both parties, including the date it was made, the types of requested data (or simply “all data”), and other relevant information.

People don’t have to use the term “DSAR” or “data subject access request.” They could say things like, “I’d like to see the data you have on me” or “Show me the information you keep on me.” 

Despite a lack of formal processes for handling DSARs, the following steps are considered industry standard:  

Step 1: Verify the subject’s identity. 

Verify the identity of the requester so you can a) determine whether you have the information they’re looking for, and b) safely distribute the information. If you send subject data to the wrong person, you may commit a data breach.

Step 2: Clarify the nature of the request.

Review the DSAR to determine what the requester wants to know. In most cases, people simply want to see the data you have on them, but they may also invoke other data privacy rights. For instance, a subject may request “rectification,” or the correction of inaccurate data.

Once you’ve gained clarity around the subject’s request, decide whether you can reply within a month. If more time is needed to generate a response, explain this to the requester.

Step 3: Review the data.

Before you send the requested data to the subject, review it carefully. Make sure it doesn’t include anyone else’s personal information to avoid accidental data breaches. Additionally, it helps to explain why you have particular information on a subject.

Step 4: Collect and package the data.

Next, gather all of the requested data into a response; the format will depend on the information you’re providing. The actual file type must be common and easily accessible—data privacy laws refer to this as “portability,” and it’s a requirement for compliance. Where possible, the GDPR encourages providing data subjects with remote access to a secure system that would give direct access to their personal data.

If the subject asks for everything, make sure your response is as comprehensive as possible. If your organization holds anything back, it could be accused of violating the subject’s rights.

Step 5: Explain the subject’s rights.

At the end of your response, include a section that reminds individuals of their data privacy rights. Mention their right to object to data processing and their right to request data rectification. Additionally, mention their ability to lodge a complaint with supervising authorities.

Step 6: Send the requested data to the subject. 

Submit your organization’s response to the subject. Document your communications with requesters so an audit trail exists for accountability and compliance.

What makes responding to a DSAR so challenging?

Data proliferation

On paper, responding to a DSAR sounds straightforward. The challenge, however, is locating the personal information you’ve been asked to provide. Over the last decade, we’ve seen massive growth in data collection and proliferation, but organizations tend to pay little attention to data governance and management. 

In other words, data is everywhere, but most entities don’t have it inventoried.

For instance, a single payment transaction may trigger a dozen systems, each with its own unique data points. To sift through each system, someone has to be constantly aware of its data actions. And most organizations don’t get rid of data, making the search that much harder. 

Thus, responding to DSARs requires a careful understanding of the personal information you store, where it’s located, and why you have it. Under the GDPR, businesses are required to develop a document that stores this information called a Record of Processing Activities, or RoPA. And while RoPAs aren’t required by other laws, they are an indispensable aid for data privacy compliance activities—like fulfilling DSARs.

Another way to address this challenge is to use data discovery tools. These solutions will help you track down different data across the different stores in your organization. While standalone data discovery tools exist, the best solutions will come packaged in a compliance platform. That way, you’ll gain a tool that not only discovers data, but also manages the DSAR workflow and guides you toward compliant activities. This ensures that you’ll have to spend minimal time developing, refining, and reinforcing your own DSAR process and can instead focus on execution.

Vendor relationships

Even still, one of the difficulties with fulfilling DSARs is that many laws require you to pass DSARs along to the third parties with whom you’ve shared the data subject’s personal information. You won’t be able to integrate with third-party’s systems and tools in most cases, which makes the creation of a RoPA even more important. It also underscores the importance of choosing vendors, partners, contractors, and other third parties wisely—if they don’t care about your consumers’ data privacy, many data privacy laws may hold you liable.

Sheer volume

If your organization is one of the few that doesn’t receive many DSARs, then your DPO will likely be able to handle fulfillment themselves. However, if your business is like 44% of California businesses that report receiving at least 10 DSAR requests a week, (or like the 9% that receive more than 500 requests a week!) then you’ll want to consider automating the process a bit more. 

Regardless of the volume of DSAR requests your business handles, using a tool to provide guidelines and manage the workflow associated with DSARs is a good idea. Compliance can be high stakes; using a third-party solution is the best way to minimize your risk.

DSAR Compliance With Osano

These days, more and more businesses are subject to data privacy laws. Between the CCPA/CPRA, GDPR, and others, it’s almost impossible for a digital business to not need to become compliant. While many of these laws are new, we’ve seen with older data privacy laws like the GDPR that data protection authorities can and will levy penalties against the full spectrum of businesses—whether it’s a one-man shop or a multinational enterprise.

But Osano can help. When it comes to DSAR responses, our platform:

• Provides a secure communications portal to verify identities, receive requests, and send DSAR deliverables
• Connects the different data stores in your organizations and enables you to search for fields relevant to the data subject’s request for easy data discovery
• Notifies data store owners of individual tasks and keeps stakeholders on track to fulfill their responsibilities before the DSAR deadline
• Recommends actions based on the data subjects’ request and given data fields
• Streamlines the end-to-end DSAR process within one tool, minimizing the potential for risk and interruptions to your daily work

DSAR compliance can be complicated; we’re here to simplify it. Schedule a demo of Osano today.