As more data privacy laws take effect with some form of data subject rights built in, companies need help processing data subject access requests (DSARs) now more than ever.

But receiving, responding to, and managing DSARs is easier said than done. When you process data from millions of people, a DSAR can feel like a daunting task. Luckily, there are ways to make handling these requests simpler. 

In this article, we’ll cover the features of DSAR software and platforms and what organizations need to know to find the best one for their company.

What Is a DSAR?

According to most regulations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), data subjects have the right to:

  • Know what data you have on them
  • Access that data at any time
  • Correct the data when needed
  • Have their data deleted upon request (also known as the “right to be forgotten” under the GDPR)
  • Move their data (data portability)
  • And more, depending on the law


The first step in exercising these rights is submitting a DSAR. Upon receiving such a request, organizations must respond as soon as possible by providing the person access to their personal data.

There are two exemptions:

  • When the request is unfounded—in this case, you may suspect the data subject isn’t requesting the data to exercise their rights but to make accusations against your organization.
  • When a person sends excessive requests—for instance, if the request overlaps with another recent request.

The DSAR Process

Before discussing DSAR software options, let’s take a quick look at the steps needed in an ideal access request.

  • Providing a way to submit a request. Provide an easy way for data subjects to send their requests. Most laws require you to explain the process in your privacy policy and to have multiple options for contact.
  • Receiving a request. After receiving a request, verify the person’s identity and let them know you’re working on their request.
  • Verifying the request. You need to make sure the person requesting the data is its true owner. Do not ask for more information than needed, though. The goal is not to collect even more data, but to verify their identity.
  • Finding the data. Once you’ve verified the data subject’s identity and established that the request is legitimate, you’ll need to see where their data is stored.
  • Assigning responsibility. Who is the person or the team responsible for locating the data and implementing the request based on where that data is stored?
  • Communicating the results. Once you’ve completed all the above steps, it’s time to respond to the DSAR.
  • Recording the interaction. Recording data processing activities is a must, and the same goes for DSARs. Again, the goal is not to collect more personal data. You’ll need to record the nature of the request, the number of DSARs received, how long it took to fulfill them, and more.

This is where a DSAR platform can help. We'll start reviewing the software options by discussing what organizations have used in the past and what's available to them now.

DSAR Software—Building or Buying?

Now that you know what a DSAR is and what the process of responding to one could look like, it’s time to discuss DSAR software. When it comes to DSAR software, you have three options: using pre-existing tools (like spreadsheets and email), building your own solution, or buying one.

Using Pre-Existing Tools

For many companies, their first foray into responding to DSARs is using tools they already have—like email for getting the initial request and communicating with data subjects and spreadsheets for tracking the request and tracking down the data itself. There are a lot of problems with this solution:

  • You wind up creating more data (more back-and-forth emails with a data subject equals more data you’re keeping on them within your system)
  • It’s a manual effort that takes a lot of time and work to keep up with
  • It’s error-prone — what happens if you miss a piece of data in your system? How do you know you’ve found all of the data you’ve collected on that subject in the event of a change or deletion request?
  • It places compliance squarely on your shoulders
  • It’s insecure — how are you protecting that customer or employee’s data in a spreadsheet or an email system?

Building Your Own DSAR Software

So, if you’re not using your pre-existing tools, what’s next? Building your own may sound like an affordable, more attractive alternative. You know your processes and your company, so why not build an in-house DSAR platform that answers all of the issues listed above?

This option has its downsides. Firstly, you’ll need an entire team to build the product. You'll need IT and data specialists who can connect your new software to all of the available databases your company currently uses, as well as lawyers or privacy analysts who know the ins and outs of all the laws you need to comply with. Software built in-house will also need ongoing maintenance, not just from a functional point of view, but also to keep up with any legal changes.

In other words, building your own software isn’t always the best, the easiest, or even the cheapest solution.

Buying a DSAR Solution

A DSAR automation solution can save you a lot of trouble. Privacy management companies are focused on helping you stay compliant. They’ll be faster at keeping up with legal changes, and updates are usually included in the price.

But not every DSAR solution looks the same. There are a few features you should look for, such as:

  • Request submissions. Does the software allow data subjects to submit their requests? Along with this, does it include an identity verification process so your company doesn’t wind up accidentally adding more data on the subject?
  • Real-time views. Does it offer a real-time view of all the DSAR requests and their status?
  • Easy-to-understand workflows. Can the solution provide workflows that help assign DSARs to the right administrators and demonstrate next steps?
  • Reporting. What reporting tools and logs are included? These will help you report and later record all the necessary information about each DSAR.

Tips When Considering DSAR Software

The data subject access request software you choose can make the difference between a successful process and one prone to errors (which put you at risk of being out of compliance). Here are some things you’ll need to remember as you consider the right software.

Don’t let your software replace people entirely.

It may be tempting to think that once you have your DSAR software, it will do all the work for you. Yes, a good platform can automate a lot of processes and make things easier. But it can’t replace people altogether. 

You should never give your software 100% control over the DSAR process. Try to keep an eye on things like verification, approval, and denial of requests and other places where human intervention may be necessary to ensure people can exercise their rights. Accidentally denying a DSAR might cost you millions of dollars, so don’t let your software make all the decisions.

Find all the places where you store personal data.

A common mistake when using DSAR automation is failing to aggregate all the personal data you collect. So before using such a solution, take time to look at all the places where you store data and tie them in with your software.

Still, automate what you can.

Reading the previous two sections, you might start wondering if automation is worth it to begin with. Blindly relying on a DSAR platform can set you up for failure. But so can trying to do everything manually.

DSARs can be time-consuming. Finding a tool that can automate processes like taking requests, doing basic validation, acknowledging the request, and responding to basic access requests will be a real lifesaver.

It will make the process smoother and give you and your team time and space to focus on the more difficult part of the process: ensuring all data subjects can exercise their rights.

Include an option for opting out.

Under many regulations, such as the GDPR, allowing users to opt out of things like profiling and automated decision-making is a must.

This can be one of the most challenging aspects of a DSAR. So as you’re setting up your privacy platform, ask yourself: do potential or current customers have the option to opt out of certain data processing activities? If the answer is no, you have some work to do.

Conclusion

DSARs allow people to exercise their rights to access, information, deletion, portability, and more. Any person can submit an access request at any time. Upon receiving a DSAR, an organization needs to respond as quickly as possible.

The DSAR process can seem difficult, but it doesn’t have to be. DSAR software can help you automate most of it and help you stay compliant with regulations worldwide by allowing data subjects to exercise their rights.

While DSAR solutions don’t replace human intervention, they allow you to focus on the most difficult parts of the process. 

Osano’s unified Data Discovery and Subject Rights platform will help you automate data subject rights requests. Users can easily submit their requests, and the platform offers a simple way for you to verify their identity. Our DSAR software can also assign tasks to the appropriate people and deliver all the results in the required timeframe. Sign up for a demo today.
