What is a Data Subject Access Request?
If you’ve been paying attention to the world of data privacy, and particularly the broad privacy laws that have been proposed, passed, or enacted, then you will certainly have heard of both the GDPR and the CCPA. Both of these laws, one in the EU and one in California, changed the game for how organizations can (and cannot) collect, process, and sell residents’ personal data.
One key way they began what could be called the “privacy revolution” is by giving residents the express right of access, meaning that they can request and receive information on what data organizations hold on them and how they are using that data. This is known as subject access. However, for this right to be exercised, and for organizations to comply with it, there needs to be a set process for it. That is where submitting a data subject access request (DSAR) comes into play.
Since GDPR and CCPA came about, Data Subject Access Requests have become a topic that has prompted a lot of questions to be asked on both sides. Individuals wonder how to submit one and organizations wonder how to receive them and fulfill them quickly and efficiently. In this DSAR guide, we’ll walk you through all of the FAQs on the topic, hopefully answering the questions that you have, too!
It is worth noting that DSARs are not an entirely new concept created by either the GDPR or the CCPA, but rather an existing concept that different organizations and governments have used before. These two key pieces of legislation, however, have made them more commonly understood and easier for individuals to submit. Plus, residents beyond California and the EU can reasonably expect that DSARs will become a common requirement and practice everywhere in the coming years.
Who Can Submit a DSAR?
Anyone! That is why we find it so important to make all individuals aware of their rights through DSARs. Any customer, user, contractor, job candidate, employee, sales prospect, donor, or person in any other role who has interacted with an organization in a way that may lead it to store their information can submit a DSAR.
Beyond submitting a DSAR on behalf of their own person, there are a few instances where a request can be made on behalf of another person. This includes a request being submitted by a parent or guardian on behalf of their child, an individual on behalf of someone who they have the power of attorney over, or on behalf of an employer or client.
It is the responsibility of the organization to verify that a request made on behalf of another person is legitimate and genuine. This verification process can include requests for evidence such as birth certificates, guardianship documents, or power of attorney documentation, as necessary.
Do I have to respond to a DSAR?
There are two (and only two) exceptions under which your organization can refuse to fulfill a DSAR: manifestly unfounded requests and excessive requests.
- A manifestly unfounded request is one where the requester has no clear intention of accessing the information they have requested, or has malicious intent toward the organization upon receiving the data.
- An excessive request, on the other hand, is one that piles onto a request that has already been submitted. In this case, you are only responsible for responding to and completing the initial request.
Although the rules of DSARs do allow these two exceptions, both can be tricky to prove, especially since neither situation comes with many examples or details that would guarantee your situation falls under the exception. If you as an organization choose to deny a request, be absolutely sure that you can prove beyond doubt that the situation falls under one of these exceptions. A key point here is that you must evaluate these exception requests on a case-by-case basis rather than via a blanket policy.
What do I need to provide in response?
You need to provide all of the information that is considered personal data, but that doesn’t necessarily mean every single thing that refers to the individual at all. For example: you DO need to provide that person with any name, contact information, payment information, or other related information that you hold. However, you DO NOT have to provide them with internal notes or memos that you may have on the individual’s sales account or profile.
You are also able to redact any private organizational information that may be attached to the individual’s records. It is essential that you redact the personal data of any individual other than the one who requested it, or else you could be opening yourself up to a data breach rather than providing data protection.
How long do I have to respond?
As an organization, you should work to respond to all data subject access requests without delay, and as quickly as you are able to fulfill them. However, the requirement under GDPR is that you respond to the request within one month (30 days), unless it is a particularly large or complicated request, in which case you are allowed one extension. Even then, you still have to reply within 30 days to say that you need an extension and provide a reason why. By contrast, the CPRA requires that businesses disclose within 45 days of the verifiable request. Businesses may exercise one 45-day extension when reasonably necessary, provided they notify the consumer within the first 45-day period.
Can I charge for a DSAR?
Charging a small fee to offset the costs of preparing a DSAR used to be allowed; however, that is no longer the case. There are only two situations in which you can charge for a DSAR, and they are the same as the exceptions from having to respond at all: when the request can be proven to be manifestly unfounded or excessive. Even in these cases, you can only charge to offset a cost, never to make a profit from fulfilling a data subject access request.
Who should handle DSARs?
This is one of the aspects of the process that varies a bit between the CCPA and the GDPR. At a high level, neither regulation requires that a specific person or role manages the full DSAR process within the organization. However, GDPR does require you to appoint a certain officer, so we will touch on that now.
GDPR - Data Protection Officer
One of the many requirements of GDPR is that you appoint a Data Protection Officer (DPO) whose job is to monitor internal compliance and ensure the company or organization processes personal data in accordance with the applicable data privacy laws. This individual is then responsible for ensuring that the organization is compliant with GDPR by serving as the data protection expert within the organization and serving as the link between the employees and the members of the public who may find their information used and processed by the organization. To be clear, the DPO does not have to be the one who gathers and completes every DSAR, but they do maintain responsibility for the process as a whole being accomplished on time and in compliance.
Even though the GDPR requires a Data Protection Officer and the CCPA does not, both indirectly require the organization to have a clear, organized system for receiving, compiling, and completing these requests in a timely manner. Regardless of their job title, make sure that the person managing your organization’s DSAR requests is detail-oriented and prompt.
Is there a specific process that should be followed?
Neither the CCPA nor the GDPR mandates a formal process for handling these requests, which leaves organizations free to create their own set of steps that works best for them while still fulfilling the requirements. As you create your organization’s method of completing the following steps, make sure it accounts for all of the types of requests and all of the methods of making a request that an individual can use. Here are the steps that need to be completed in order to successfully respond to a DSAR:
Authenticate User’s Identity
The very first step of the process must be verifying the identity of the individual who is requesting information so that you can safely complete the request without opening the company up to a potential data breach.
Determine Nature of Request
There are different types of requests that individuals can make with respect to their information, including requesting that it be deleted, not be sold, sent to them to download, or corrected in the event of a mistake. In order to properly complete a request, you must first know clearly what that person is requesting.
Gather the Information
Before any information is sent off, you need to collect all of the information that is being requested. Whether the subject wants their information sent to them or deleted entirely, you will need to have all of that data gathered in order to complete either request. The way you gather this information may vary based on the request type you are fulfilling; regardless, it should be compiled in a way that is easy to access but entirely secure.
Review the Data
Once the information has been gathered into one file or report, be sure to carefully review each and every part of the data. This must be done to guarantee that you are not sharing any confidential company information or any other subject’s personal information.
Explain Rights to Individual
Whether through your internal system or a DSAR platform of some sort, it is always important to remind the subject of their rights under either GDPR or CCPA. This type of interaction also reassures the individual that you are aware of your obligation to respect their rights, which contributes to building brand trust.
Send Report to Subject
The final, and probably most obvious, step is to complete the request by either sending them the data, deleting it entirely, or ensuring that the data will not be sold. Make sure that this is done within 30 days unless an extension has been justified and granted, and that it is documented in case your methods are questioned at any point. Once that is completed, you can count the request as done and move on to the next!
Can the DSAR process be automated or simplified?
One of the most common questions about the DSAR process is how it can be shortened, simplified, or even automated. Even though there are only six steps, it can be a complicated process, and the stakes are certainly high for it to be completed properly and efficiently. Luckily there are companies that help to streamline this process, such as Privacy Page, which allows organizations to create their own branded privacy page through which they can easily receive, track, and respond to all their DSARs. If you are evaluating solutions to help with this process, make sure that they can complete each of the six steps of a DSAR before you choose to trust them as a partner.
Privacy Page, the DSAR solution mentioned above, requires that the subject complete two-factor authentication before they submit their request, which saves your organization the time and stress of having to verify their identity. It also sorts incoming requests into the different forms of DSAR so that you can easily see what action needs to be taken on each one. Some solutions can automate this process to varying degrees, but out of an abundance of caution and responsibility it is best, at a minimum, to have someone within your company approve the result of the request process before it is sent off. Especially if your organization receives a large volume of DSARs, looking into a platform to help you manage this process might be a great option for you!
Is this only for individuals in the EU or California?
At the time of this guide being written in August 2021, the right of individuals to have access to their information through DSARs and the mandate for companies to respond in a given way in a timely manner is technically only set out by the GDPR and CCPA. Only companies that fall subject to these regulations are required to do this.
However, it is the widely held belief among data privacy experts that this process and right will be part of most, if not all, of the upcoming regulations throughout the world. In other words, even if you are not currently mandated to do these things, it is reasonable to expect that you will shortly be required to follow the DSAR process. Plus, even if you aren’t forced to do this at the moment, it builds great trust with the subjects whose information you store, and fosters a reputation for corporate social responsibility. So why not start now, and have that process running like a well-oiled machine by the day it becomes a requirement for you!