How to respond to DSAR?

A DSAR, which stands for “Data Subject Access Request,” is a written inquiry that individuals can submit to an organization to gain insight into the personal information the organization holds about them. It is a legal right under data privacy laws, such as the The California Consumer Privacy Act of 2018 (‘CCPA’), EU General Data Protection Regulation (‘GDPR’), Lei Geral de Proteção de Dados (‘LGPD’), Consumer Data Protection Act (‘CDPA’), Colorado Privacy Act (‘CPA’) that allows individuals to request access to their personal data that an organization or company holds. When someone submits a DSAR, they are essentially asking to review, receive copies of, or even request the deletion of their personal information that the organization has collected and is processing. DSARs are a fundamental part of data privacy regulations, as they empower individuals to have greater control over their personal data.

The three steps to the DSAR response process include identifying and classifying the request, performing data discovery to collect the requested information, processing the request by sending a comprehensive response, and documenting all stages and steps of the request. Additionally, it’s crucial to evaluate and mitigate the risks associated with responding to a DSAR. While the data subject access request procedure (GDPR or CCPA data subject access request) may vary under different data privacy regulations, having a structured process is important to ensure compliance with the law.

1. Identify and classify request

First, identify the modes of how organization or company receives subject rights request.

While many use online forms, some may prefer sending an email or using other methods. Make sure all these ways are working properly so you can keep track of and handle the requests effectively. These requests can have different names like ‘consumer data access request,’ ‘right of access request,’ or ‘data access request.’

After identifying the request, perform identity verification of the requestor. If your company offers services online, customers might have to log in and confirm who they are. For regulations such as GDPR, which also covers employees and vendors, you’ll need to make sure the person is part of your system and find the right information to give them.

2. Data Discovery

Data discovery is a critical step in the GDPR DSAR process and the CCPA DSAR process (Data Subject Access Request CCPA). It involves the systematic and thorough search for an individual’s personal data within an organization’s data ecosystem. The goal is to identify, collect, and prepare the requested data for a comprehensive DSAR response.

Key aspects of data discovery for DSAR response include:

Identifying Data Subject: The process begins by identifying the data subject for whom the DSAR is made. This step helps determine the scope of the search and which systems or databases may contain the requested information.

Defining Data Categories: Data discovery includes categorizing the types of data associated with the data subject. This categorization can encompass personal information as defined under the CCPA and GDPR, such as names, contact details, financial information, and more.

Locating Data Sources: Organizations must identify the systems, databases, and repositories that may contain the relevant data. This can include customer databases, email archives, document management systems, and more.

Data Retrieval: Once the potential data sources are identified, the next step is to retrieve the requested information. This process can involve searching and exporting data from various systems while ensuring the data remains accurate and unaltered.

Data Validation: The data discovered needs to be validated for accuracy, completeness, and relevance to the DSAR. This includes verifying that the data pertains to the specific data subject and corresponds to the request.

Throughout the data discovery process, it’s crucial to maintain the security and privacy of the data. Encryption, access controls, and other security measures should be in place to safeguard the data.

3. Process and document request

Once the documents have been reviewed and exported, they should automatically be made available to the data subject by the organization, website, or online portal in an easy but secure way. If the data package is to be sent to the subject, it should be encrypted or secured. Then, you’ll want a process to close out the DSAR and notify your internal teams that the request has been completed.

Organizations must keep all the process records and documentation, and all data subject notifications, in a single, central location. This should be a robust business continuity system, which is designed to support your compliance activities, and can be replicated across every location in your company. This will help minimize the amount of time you are required to take in-depth action to address the data subject’s request.

Readymade response templates can help ensure an efficient and consistent DSAR fulfilment process. All communications and activities should roll into a reporting dashboard and audit trail to demonstrate accountability, compliance, and progress towards resolving requests.

How long do you have to respond to a DSAR?

Various regulations mention different timelines for responding to Data subject requests. For example, in CCPA its 45 days whereas in GDPR its 30 days, etc. If requests are numerous and burdensome, you are provided with an option to extend the request after informing the reason of extension to data subject.

Failure to respond to DSAR requests within the prescribed time can result into hefty fines and penalties. It also affects your reputation.

Can you charge a fee for a DSAR?

As per most of the privacy regulations, you cannot charge any fee to respond for DSAR requests. However, in some situations, for example: when the request is manifestly unfounded or excessive then you can charge a reasonable fee to cover your cost. The burden to demonstrate the request as manifestly unfounded or excessive is on the Controller.

Who should respond to a DSAR?

It’s always helpful if you authorize a person for the specific responsibility, it can be the Data Protection Officer (DPO). This can be the one with the knowledge of various privacy regulations and ready to take this responsibility. The main role of your DPO can be to complete the data subject requests timely and document the procedure for future reference.

You can also adopt an automated process to compile responses if you deal with a large volume of DSARs. This can be a time saving and cost-effective alternative.