
Data Subject Access Request (DSAR) – All You Need to Know

Published August 15, 2022 / Updated March 6, 2024


An individual (the data subject) may submit a Data Subject Access Request (DSAR) to an organization to find out what personal data has been collected and stored about them, how it is used, and with whom it is shared. Depending on the regulation, a related request may also ask that the data be deleted, that inaccurate data be corrected, or that the individual be opted out of further collection, sale, or sharing.

What is Data Subject Access Request (DSAR)?

A Data Subject Access Request (DSAR) is a right granted to individuals by data protection regulations in many jurisdictions. It gives individuals, referred to as "data subjects", rights over the personal data that websites and organizations collect about them, online and offline. The details of these rights vary from regulation to regulation. However, DSARs are a fundamental part of data privacy because of the transparency they provide into how an individual's data is collected, used, protected, shared, and sold.

Individuals usually make a DSAR through a dedicated webpage or form on the organization's website, supplying the details needed to verify their identity. A DSAR can ask what personal data an organization holds about the individual, the categories of data collected, the purposes of collection, the third parties that have had access to the data, and other relevant information.

The provisions of the CPRA and GDPR that set out businesses'/data controllers' obligations to honor DSARs are summarized below.

DSARs and CPRA

Under the California Privacy Rights Act (CPRA), consumers have the right to request that a business disclose the following information regarding their personal data:

  1. Categories of Personal Information collected about the consumer.
  2. Categories of sources from which the personal information was collected.
  3. The business or commercial purpose for collecting, selling, or sharing the personal information.
  4. Categories of Third Parties to whom the business discloses personal information.
  5. The specific pieces of personal information the business has collected about the consumer.

To comply with the request, the business must:

  1. Make available to consumers two or more designated methods for submitting requests, including, at a minimum, a toll-free telephone number; a business that operates exclusively online and has a direct relationship with the consumer need only provide an email address, and a business that maintains a website must also make it available for submitting requests.
  2. Respond to verifiable consumer requests within 45 days of receipt, with a possible extension of a further 45 days when reasonably necessary. The consumer must be notified of the extension within the first 45 days.
  3. Cover the 12 months preceding the request, unless the consumer asks for a longer period (for data collected on or after January 1, 2022) and providing it is not impossible or disproportionately burdensome.
  4. Not charge the consumer for the request unless it is manifestly unfounded or excessive. A business is not required to provide this information to the same consumer more than twice in a 12-month period.
  5. Verify the identity of the consumer making the request. However, a business cannot require the consumer to create an account in order to submit a request.
  6. Provide the information in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance.

DSARs and GDPR

Under Article 15 of the GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them is being processed. Where it is, the data subject has the right to access the personal data and the following information:

    1. The purposes of the processing.
    2. The categories of personal data concerned.
    3. The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations.
    4. Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.
    5. The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing.
    6. The right to lodge a complaint with a supervisory authority.
    7. Where the personal data are not collected from the data subject, any available information as to their source.
    8. The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
    9. Where personal data is transferred to a third country or to an international organization, the data subject should be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

To comply with the request, the controller must ensure that:

  1. Data subjects are able to submit access requests in writing, electronically, or through other accessible means.
  2. The controller responds to the request without undue delay and at the latest within one month of receiving it. This period can be extended by a further two months where necessary, taking into account the complexity and number of requests. The data subject must be informed of the extension, and the reasons for it, within the initial one-month period.
  3. Reasonable steps are taken to verify the identity of the individual making the request before acting on it, and any additional information requested for that purpose is proportionate to the request.
  4. Where the request is made by electronic means, the information is provided in a commonly used electronic form unless the data subject requests otherwise. (The stricter "structured, commonly used, and machine-readable" format belongs to the separate right to data portability under Article 20.)
  5. The first copy of the information is provided free of charge. A reasonable fee based on administrative costs may be charged for additional copies. Where a request is manifestly unfounded or excessive, in particular because of its repetitive character, the controller may charge a reasonable fee or refuse to act on it, but bears the burden of demonstrating that this is the case and must inform the data subject of the reasons and of their right to complain to a supervisory authority.
  6. The right to obtain a copy does not adversely affect the rights and freedoms of others, meaning that providing access must not expose the personal data of third parties.

Who Are the Beneficiaries of DSARs?

DSARs give consumers control over the personal information organizations hold about them, ranging from the right to access the data to the right to learn how it is safeguarded. Under the CPRA, consumers can make access requests twice in any 12-month period at no cost.

Prompt and accurate fulfillment of DSARs strengthens a business's reputation while also keeping it compliant with the CPRA. However, fulfilling DSARs can be costly, because it requires locating data across many systems, bringing it together in one place, reviewing the records, and compiling them into a complete report. It is also time-consuming. This is where an automation-based solution becomes valuable.


Example of a Data Subject Access Request

DSARs under CCPA vs. GDPR

While both the CPRA and the GDPR give individuals mechanisms to exercise greater control over their data, the type and extent of the rights each law grants differ in several respects. Let's have a look:


Who Can Submit a DSAR?

A Data Subject Access Request (DSAR) is a formal inquiry made to an organization by a data subject asking what personal information about them has been collected, stored, and used. Anyone who is a data subject can submit a DSAR.

A third party may also submit a DSAR on the data subject's behalf with the data subject's authority. Examples include:

  • The parent making a request on the child's behalf;
  • Legal advisor making the request on the client's behalf;
  • Family member or friend; or
  • An individual appointed to act as a guardian.

When a third party submits a DSAR, the organization may require written authorization or other supporting documentation showing that the third party is entitled to act for the data subject, and should verify both the data subject's identity and the third party's authority before releasing any data.

How to Prepare for DSARs under CPRA

The number of DSAR submissions has increased significantly since the enactment of the CPRA. Organizations therefore need to understand their responsibilities regarding DSARs:

  • Responding to a Data Subject Request

Organizations have 45 days to respond to and fulfill a consumer's request, delivering the data in a portable, readily usable electronic format. The exact obligations vary with the type of request and how the consumer's information is handled.

  • Communicating with the Consumer

The CPRA requires businesses to disclose consumers' rights and the methods for exercising them, and to communicate with consumers about the handling of their requests, including any extension of the response period.


Responding to Data Subject Access Requests

The following are the steps required to process and fulfill a DSAR:

  1. Register, log and authenticate DSAR

    Organizations must register each request, log it in a system of record, and verify the requester's identity before any work on fulfillment begins, whether manually or automatically.

  2. Collect personal information

    To be ready for DSARs, organizations need to discover and classify the personal data they process and store. This data is typically spread across many internal systems and, often, external processors as well. The personal data must also be mapped to the individual it belongs to so that a request can be resolved to the right records. Leveraging a People Data Graph can help streamline this process. The collection itself must be done safely, so that it does not create additional copies of personal data (data sprawl) that would increase the organization's liability.

  3. Review and approve the information

    After gathering the necessary information, organizations need to review it to make sure it satisfies the request without disclosing proprietary information, privileged material, or the personal data of any other data subject.

  4. Safely deliver customer information

    The final response must then be delivered to the consumer securely. If the response is breached or leaked, the exposure can be significant: the CCPA's private right of action for data breaches provides statutory damages of up to $750 per consumer per incident.

Here are several risks associated with fulfilling a data subject request that you must watch out for:

  • Requesters cannot be trusted without authentication.
  • Managing deadlines is crucial to fulfilling DSARs.
  • Data scanning should be automated, and done in a way that does not replicate copies of the data.
  • Data processing should be centralized in a safe workplace to avoid personal data sprawl.
  • Consumer responses should be encrypted to avoid data breaches.
  • The activity must be tracked to keep a record for validating compliance.
  • Data delivered to the wrong recipient can lead to significant liability.

One important factor to consider is that using traditional, ad hoc means can do more harm than good. For example, handling DSARs over email is dangerous: the risk of data sprawl increases every time personal data is sent and received over a channel that is not controlled, and moving personal information through an unencrypted system increases the risk of a breach. Industry breach studies have put the average time to identify a breach at around 196 days, so it is essential for enterprises to harden and automate their DSAR handling rather than rely on manual processes.

How to Verify the Identity of the Person Submitting the Request?

For organizations, verification of a DSAR is a critical aspect of responding to and complying with such a request. A thorough and effective DSAR verification process is necessary to ensure the privacy, security, and integrity of personal data.

A typical DSAR verification process asks the requester for details that can be checked against the data the organization already holds about them, or a series of security questions. Where the data requested is sensitive, the organization may ask for government-issued identification that matches the details provided in the request. Verification should be proportionate: ask only for what is needed to reach a reasonable degree of certainty, do not collect new identity data that will itself need protecting, and do not use details supplied for verification for any other purpose.

While the timelines for verification vary under different regulations, organizations are expected to carry it out as soon as possible, since under the GDPR the response clock runs from receipt of the request.
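The four-step process above (register and log, verify, collect across systems, review and redact, then deliver) and the verification-by-matching approach described in this section are easy to state but easy to get wrong in practice. The following is an added worked example, not code from the original page or from Securiti's product, showing one minimal way to model the workflow: statutory deadline calculation for the GDPR one-month and CPRA 45-day periods, proportionate identity verification by comparing supplied data points against data already held (using a constant-time comparison so a failed field cannot be guessed from response timing), collection of a subject's records from several systems without copying them elsewhere, redaction of other people's email addresses before release, and an append-only audit trail. All subject identifiers, systems, and records are constructed sample data; the "two matching data points" threshold is an assumed policy, not a figure taken from the page.

```python
"""Minimal DSAR intake model: deadlines, verification, collection, redaction, audit.
All records, systems and identifiers here are constructed sample data."""
from __future__ import annotations

import calendar
import hmac
import re
from dataclasses import dataclass, field
from datetime import date, timedelta


def _add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic: same day-of-month N months on, clamped to the
    last day of the target month (31 Jan + 1 month -> 28/29 Feb)."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def response_deadline(received: date, regime: str, extended: bool = False) -> date:
    """GDPR Art. 12(3): one month, extendable by two further months.
    CPRA: 45 days, extendable by a further 45 days."""
    if regime == "gdpr":
        return _add_months(received, 3 if extended else 1)
    if regime == "cpra":
        return received + timedelta(days=90 if extended else 45)
    raise ValueError(f"unknown regime: {regime}")


# Data points the business already holds (constructed). Verification matches
# what the requester supplies against these instead of collecting new ID data.
KNOWN_SUBJECTS = {
    "sub-1001": {"email": "ada@example.org", "postcode": "SW1A 1AA", "last4": "4242"},
    "sub-1002": {"email": "bob@example.org", "postcode": "EC1A 1BB", "last4": "9001"},
}


def _norm(s: str) -> bytes:
    return re.sub(r"\s+", "", s).casefold().encode()


def verify_requester(subject_id: str, claimed: dict[str, str], required: int = 2) -> bool:
    """True when at least `required` supplied data points equal held values
    (assumed policy). hmac.compare_digest keeps timing independent of where a
    mismatch occurs; an unknown subject id fails the same way as a bad value."""
    held = KNOWN_SUBJECTS.get(subject_id, {})
    matches = sum(
        1 for k, v in claimed.items()
        if k in held and hmac.compare_digest(_norm(held[k]), _norm(v))
    )
    return matches >= required


# Stand-ins for a CRM, a ticketing system and an order database (constructed).
SYSTEMS = {
    "crm": [{"subject_id": "sub-1001", "name": "Ada", "email": "ada@example.org"},
            {"subject_id": "sub-1002", "name": "Bob", "email": "bob@example.org"}],
    "tickets": [{"subject_id": "sub-1001",
                 "text": "Ada asked for bob@example.org to be cc'd on the reply"}],
    "orders": [{"subject_id": "sub-1001", "order": "A-77", "total": "12.50"},
               {"subject_id": "sub-1002", "order": "A-78", "total": "3.00"}],
}
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def collect_records(subject_id: str) -> dict[str, list[dict]]:
    """Select only rows keyed to this subject; nothing is copied to a new store."""
    return {name: [r for r in rows if r["subject_id"] == subject_id]
            for name, rows in SYSTEMS.items()}


def redact_third_parties(subject_id: str, records: dict[str, list[dict]]) -> dict[str, list[dict]]:
    """GDPR Art. 15(4): the copy must not expose others' data. Mask every e-mail
    address in a string field that is not the requester's own."""
    own = KNOWN_SUBJECTS[subject_id]["email"].casefold()

    def mask(v):
        if not isinstance(v, str):
            return v
        return _EMAIL_RE.sub(lambda m: m.group(0) if m.group(0).casefold() == own else "[REDACTED]", v)

    return {s: [{k: mask(v) for k, v in row.items()} for row in rows] for s, rows in records.items()}


@dataclass
class DsarCase:
    subject_id: str
    regime: str
    received: date
    extended: bool = False
    verified: bool = False
    audit: list[str] = field(default_factory=list)  # append-only; never holds PII

    @property
    def deadline(self) -> date:
        return response_deadline(self.received, self.regime, self.extended)

    def fulfil(self, claimed: dict[str, str]) -> dict | None:
        """Run the pipeline; return the releasable package, or None if unverified."""
        self.audit.append(f"received {self.received}, deadline {self.deadline}")
        self.verified = verify_requester(self.subject_id, claimed)
        self.audit.append(f"verification {'passed' if self.verified else 'failed'}")
        if not self.verified:
            return None
        package = redact_third_parties(self.subject_id, collect_records(self.subject_id))
        self.audit.append(f"released {sum(len(r) for r in package.values())} records, third-party data redacted")
        return package


if __name__ == "__main__":
    case = DsarCase("sub-1001", "gdpr", date(2024, 1, 31))
    print(case.fulfil({"email": "ADA@example.org", "postcode": "sw1a 1aa"}))
    print("\n".join(case.audit))
```

Secure delivery is deliberately left out of the block: the package should be handed to whatever encrypted portal or key-managed channel the organization already operates, not emailed. Note also that the audit entries record outcomes only, never the values the requester supplied, so the log can be retained as compliance evidence without becoming another copy of personal data.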

Who Responds to a DSAR?

If the organization has designated a data protection officer (DPO), they will often be in charge of fulfilling DSARs. If an organization does not have a DPO, the responsibility lies with a staff member knowledgeable in the domain of data protection and DSARs.

Time Limit to Respond to DSAR?

The exact time limit for responding to a DSAR depends almost entirely on the regulation in question. For example, under the GDPR, organizations must respond within one month of receipt, with the possibility of extending that by a further two months where the request is complex or numerous requests have been made.

As explained earlier, each regulation has different provisions related to timelines to respond to DSARs. Therefore, organizations may find themselves having to tailor their compliance measures based on their relevant jurisdiction. However, a good rule of thumb is to ensure that such requests are honored as soon as possible.

Impact of Not Responding to DSAR on time?

Failure to respond to a DSAR carries significant implications for organizations as it opens them up to non-compliance risks under most data privacy regulations. The most immediate of these repercussions are the financial penalties an organization may face. Additionally, an organization may find its reputation severely compromised as well as diminishing trust among various stakeholders, especially the consumers.

Charging a Fee for the DSAR Response

In most cases, you are not allowed to charge a fee for handling a request. However, controllers may charge a reasonable fee based on administrative costs when a person requests additional copies of their personal data, or when a request is manifestly unfounded or excessive.

What Needs to be Included in a DSAR Response?

When responding to a DSAR, organizations should include the following in their response:

  • Confirmation of whether the data subject's personal data is being processed.
  • A copy of, or access to, the data subject's personal data.
  • The purposes of the processing (and, where relied on, the lawful basis).
  • The retention period, or the criteria used to determine it.
  • Any available information about the source of the data, where it was not collected from the data subject.
  • Any relevant information about automated decision-making, including profiling.
  • The recipients, or categories of recipients, with whom the data has been or will be shared.

DSAR Response Challenges

While honoring DSAR requests is a significant regulatory obligation for most organizations, simply responding to such requests can pose a challenge in its own right. Depending on several factors such as volume of requests, data systems, ensuring data security and integrity, appropriate measures during data retrieval and other complications, organizations may find it challenging to coordinate various departments within the organization when responding to a single request.

These complications can get further exacerbated if third party information is involved, requiring compliance with several other regulations when handling such data. Hence, a well-defined and comprehensive approach is necessary when dealing with DSAR.

Refusing to Respond to a DSAR

According to ICO guidance, a DSAR may be refused if it is manifestly unfounded or excessive. Each request's eligibility for an exemption must be considered individually, and the organization must be able to justify the refusal. If you decline to fulfill a request, you must inform the individual of the reasons for the refusal, of their right to complain to the supervisory authority, and of their ability to seek a judicial remedy.

Key Takeaways

Here are some highlights:

Large organizations may have hundreds of millions of records about their consumers, often spread across an array of systems. Sorting this data and creating a data inventory to cope with DSARs is a challenging task that requires organizations to automate their current practices.

At Securiti, we have solutions that offer robotic automation, machine learning and secure cross-channel collaboration to help your business stay prepared for fulfilling DSARs requirements under various privacy laws.

Next Steps

To learn more about automation and orchestration of data subject requests and how much time you can save, check out the video below or schedule a demo to see it live, in action!


Key Takeaways:

  1. Definition of DSAR: A Data Subject Access Request (DSAR) enables individuals to inquire about the personal data collected, stored, or processed about them by an organization. They can request data deletion, correction, or opt-out of future data collection.
  2. Legal Framework for DSARs: The California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) outline the obligations of businesses/data controllers to comply with DSARs, emphasizing the importance of handling personal information responsibly and transparently.
  3. CCPA and GDPR Requirements: Under the CCPA/CPRA, businesses must provide two or more methods for submitting DSARs and respond within 45 days. The GDPR requires a response within one month (extendable by two months) and specifies the details that must be included in the response, such as the purposes of processing and the rights of data subjects.
  4. DSAR Response Process: Organizations must authenticate the DSAR, collect and review the requested personal information, and securely deliver the response, ensuring no breach of other individuals' data.
  5. Operational Challenges and Automation: Fulfilling DSARs can be costly and time-consuming, especially for organizations with vast amounts of data across multiple systems. Automation and robotic process automation (RPA) solutions can significantly reduce the cost and complexity of responding to DSARs.
  6. Who Responds to DSARs: Typically, a Data Protection Officer (DPO) or a knowledgeable staff member is responsible for responding to DSARs. Organizations without a DPO should designate someone familiar with data protection laws.
  7. Charging Fees and Refusing DSARs: Generally, organizations cannot charge fees for handling DSARs unless the requests are unfounded or excessive. Organizations must provide a rationale if they refuse to comply with a DSAR.
  8. Importance of DSARs: DSARs offer consumers control over their personal information, while compliance enhances an organization's reputation and ensures adherence to privacy laws. However, the process presents operational challenges that can be mitigated through automation.
  9. Securiti's Solution: Securiti provides solutions that leverage robotic automation, machine learning, and secure collaboration to help businesses efficiently manage and respond to DSARs, potentially saving significant time and resources.
  10. Next Steps: Organizations are encouraged to explore automation and orchestration solutions for DSARs to streamline their compliance processes and reduce the associated costs and complexities.

Frequently Asked Questions (FAQs)

A Data Subject Access Request (DSAR) is a request made by an individual to an organization to access their personal data and obtain information about how the organization processes their data.

A DSAR in GDPR refers to the Data Subject Access Request, which grants individuals the right to access their personal data held by organizations and understand how it's used. If requested, controllers must provide data subjects with a copy of their personal data, ensuring it doesn't adversely affect the rights and freedoms of others, along with specific details. The controller may charge a reasonable administrative fee for extra copies or in cases of manifestly unfounded or excessive requests.

An example of a DSAR is when customers request access to their purchase history and personal data stored by an online retailer.

A DSAR form is a structured template that individuals can use to submit their Data Subject Access Request, often provided by organizations to facilitate the request process.

In a DSAR, you can ask for a copy of your personal data, details about its processing, the purposes for processing, recipients of the data, and more.

DSAR (Data Subject Access Request) and SAR (Subject Access Request) are often used interchangeably. SAR is a more general term, while DSAR specifically refers to the rights granted by GDPR.


DSARs empower individuals to take control of their personal data, understand how it's used, ensure accuracy, and hold organizations accountable for data processing.

Organizations are generally required to respond to a DSAR within one month. However, in some cases, this can be extended by two additional months depending on complexity.

You can request a DSAR by contacting the organization holding your data and expressing your desire to access your personal information.
