Data Mapping: Frequently Asked Questions
Most people find data privacy compliance to be complicated enough....Read Now
September 19, 2023
When you’re feeling curious about what a business is doing with your personal data, what do you do?
You could head down to their brick-and-mortar offices and demand to speak with a manager—but aside from maybe going viral on social media, that approach isn’t likely to amount to much.
If you’re protected by a data privacy regulation, however, you can make a data subject access request, or DSAR. And if you’re a business on the receiving end of a DSAR, there are steps you can take to make this process easier for everybody involved. One of which is developing a clear, compliant, and well-designed DSAR form.
A DSAR, or data subject access request, is a legal right granted to individuals under data privacy laws. It enables them to make certain requests of the businesses that process their personal information.
As you might guess from the name, a DSAR usually refers to a request for access to their personal data—if a data subject makes a summary request, then you’ll have to provide all of the information you’ve collected and processed that relates to that individual.
DSARs enable individuals to verify the accuracy of their data, identify any potential misuse or errors, and ensure that the processing of their data complies with applicable laws and regulations. Thus, DSARs play a vital role in overall data protection.
When an individual submits a DSAR, the organization is legally obligated to respond within a specific timeframe, usually within 30 days. During this time, the organization must gather and review all relevant data, ensuring that any sensitive or confidential information is appropriately protected.
(Technically, it is possible to request an extension if the request is unusually complex or of high volume, but the burden of demonstrating the need for an extension falls on the organization).
By responding to DSARs in a timely and efficient manner, organizations can build trust with their customers and demonstrate their commitment to data protection and privacy. They also allow organizations to identify and rectify any potential data breaches or security vulnerabilities, thus mitigating the risk of regulatory fines and reputational damage.
Furthermore, DSARs provide an opportunity for organizations to enhance their data governance practices. By thoroughly reviewing and documenting the personal data they hold, organizations can gain valuable insights into their data processing activities. This analysis can help identify areas for improvement, such as updating data retention policies, implementing stronger security measures, or enhancing data-sharing agreements with third parties.
Now that we’ve talked a bit about the basics of DSARs, let’s zoom into the specific requirements around DSAR forms.
In reality, however, businesses have a great deal of leeway in how they structure their DSAR forms. In fact, you don’t explicitly need a form to accept DSARs—forms just happen to be one of the most convenient approaches to processing DSAR.
But just because there are very few specific requirements around DSAR forms doesn’t mean you can do anything at all, nor does it mean that there are no best practices to apply. As a rule of thumb, think about the intention behind the data privacy regulations that provide DSAR rights. They’re meant to support:
If you apply similar principles when designing a DSAR form, odds are you’ll be on the right side of the law. That means hiding your DSAR form, using vague language, misleading requesters around timelines and expectations, always charging a fee or otherwise retaliating against requesters, and the like is going to land you in hot water.
That said, let’s dive into specific DSAR form requirements for some of the major data privacy laws.
Like most data privacy laws, the CPRA doesn’t explicitly lay out specific requirements for a DSAR form. However, the law does have a few general guidelines.
For one, the phrase “designated methods for submitting requests” appears a number of times in the text of the law. The CPRA defines this phrase as meaning:
a mailing address, email address, internet web page, internet web portal, toll-free telephone number, or other applicable contact information, whereby consumers may submit a request or direction under this title, and any new, consumer-friendly means of contacting a business, as approved by the Attorney General pursuant to Section 1798.185.
Thus, you aren’t strictly limited to using a form for accepting DSARs. Using a form is still recommended, however, since you can configure it in such a way that data subjects provide all requisite information in advance.
The CPRA also requires that you provide at least two or more methods for submitting requests, at least one of which is a toll-free phone number. This doesn’t apply, however, if your business is online-only, in which case an email address may suffice instead. If your business has a website, the CPRA states that there must be a method for accepting DSARs on your website—again pointing to the benefit of a form.
The GDPR has even fewer specific requirements for DSAR forms than the CPRA, merely stating that “the controller [i.e., you, or the organization that determines the purpose behind the data collection] shall facilitate the exercise of data subject rights.”
That’s because if a data subject makes a request on any channel, controllers must honor them—whether that’s a form, a phone call, a verbal request, a fax, or Morse code. The only requirement that the GDPR lays out is the need to verify the data subject’s identity first—if their identity can’t be verified, then you can’t act on the request.
It should be noted that most other data privacy laws also require you to acknowledge requests regardless of channel so long as the data subject’s identity is verified, but at least the CPRA provides a definition for subject rights request submission methods.
Since legal requirements around DSAR forms aren’t very clear, let’s look at some best practices for what to include on your form and how to operationalize form-based DSARs.
The following are fields you may want to include on a DSAR form:
Knowing the requirements and best practices for a DSAR is one thing; how do you actually implement a form? Broadly, there are two approaches.
It is possible—even straightforward—to build your own DSAR forms. You could:
However, all of these approaches suffer from the same fundamental issues. For one, they put compliance on your shoulders. You’ll have to stay abreast of legal developments, new rulings, and audits from advocacy groups and data protection authorities.
The biggest issue, however, is that the DSAR form itself isn’t the most difficult part; the overall DSAR workflow is the real challenge. That’s why businesses use automated DSAR solutions.
An automated DSAR solution solves for both the DSAR form creation and maintenance as well as the workflow after a request is made.
Having the right fields and language is one thing—it’s translating that information into speedy and error-free request fulfillment that matters most.
Depending upon the law at hand, DSARs must be fulfilled within 30 to 45 days. If you have a simple form on your website and a spreadsheet to manage your tasks, then you’ll likely be able to handle small volumes of DSARs—it will take time away from the rest of your duties, and the consequences of errors will be significant, but it is certainly feasible.
As DSAR volumes pick up, this approach becomes increasingly fraught. DSAR workflow solutions automate key components of the process and keep all relevant stakeholders in the loop about outstanding tasks and deadlines. Osano Subject Rights, for instance:
While a clear and compliant DSAR form matters, especially from the customer perspective, the workflow automation that comes afterward is the key to your privacy program’s sustainability and scalability. If DSAR management is a challenge you’re facing, schedule a demo with an Osano expert to see how we can help.
Looking to build a scalable, sustainable DSAR process? In this checklist, we show you how to lay the groundwork, execute a subject rights request, manage the process on an ongoing basis, and more.Download Now
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.