Securiti Tops DSPM Ratings in GigaOm Report


Data Subject Access Request (DSAR) – All You Need to Know

Published August 15, 2022 / Updated March 6, 2024

Listen to the content

An individual (data subject) may submit a Data Subject Access Request (DSAR) to a company to find out what information has been collected and stored about them or to ask that certain actions be taken with their data. A DSAR can be used to request that data be deleted, incorrect information be corrected, or that future data collection be opted out of.

Legal sections within the CCPA and GDPR outlining businesses’/data controllers’ responsibility to adhere to DSARs:


Cal. Civ. Code § 1798.130(a)

In order to comply with Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125, a business shall in a form that is reasonably accessible to consumers:

  1. Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number. A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115.
  2. Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable consumer request from the consumer. The business shall promptly take steps to determine whether the request is a verifiable consumer request, but this shall not extend the business’ duty to disclose and deliver the information within 45 days of receipt of the consumer’s request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period. The disclosure shall cover the 12-month period preceding the business’ receipt of the verifiable consumer request and shall be made in writing and delivered through the consumer’s account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance. The business may require authentication of the consumer that is reasonable in light of the nature of the personal information requested, but shall not require the consumer to create an account with the business in order to make a verifiable consumer request. If the consumer maintains an account with the business, the business may require the consumer to submit the request through that account.


Article 15 GDPR

  1. The Data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
    • The purposes of the processing;
    • The categories of personal data concerned;
    • The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
    • Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
    • The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
    • The right to lodge a complaint with a supervisory authority;
    • Where the personal data are not collected from the data subject, any available information as to their source;
    • The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
  3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
  4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

An enterprise served with a DSAR is legally obligated to fulfill these requests within a limited timeframe to avoid non-compliance. This is why automating the processing of DSARs is necessary to respond within the aforementioned timeframe. So, let’s discuss the importance of DSARs, how they differ under CCPA and GDPR, and how your business can cost-effectively prepare for and automatically respond to DSARs, which are likely to increase substantially in a post-CCPA world.

Who Are the Beneficiaries of DSARs?

DSARs give consumers unprecedented control over their personal information stored by organizations, from access to data and requesting information on stored data to requesting information on the data safeguards the organization provides. With CCPA, consumers can request DSARs twice a year at no cost whatsoever.

For businesses, speedy and accurate fulfillment of DSARs substantially boosts their brand image while also ensuring compliance with CCPA regulations. However, some estimates put the cost of the fulfillment of each DSAR could be in the thousands, since it requires data gathering across a multitude of systems, putting them in one place, going through data records and compiling it all in a comprehensive report. Moreover, fulfilling each DSAR can take weeks. This is where a solution based on automation can be a potent weapon.


Example of a Data Subject Access Request

DSARs under CCPA vs. GDPR

While both CCPA and GDPR provide consumers with mechanisms to exercise greater control over their data, there are some fundamental differences between how much power a consumer has under each law. Let’s have a look:


Who Can Submit a DSAR?

A Data Subject Access Request (DSAR) is a formal inquiry made to a company by a data subject inquiring what of the data subject's personal information has been collected, stored, and used. Anyone who is a data subject can submit a request.

If the person submitting the DSAR has the data subject's consent, they may also do so. Examples include:

  • The parent making a request on the child's behalf
  • Legal advisor making the request on the client's behalf
  • Family member or friend
  • An individual appointed to act as a guardian

In the event someone else is requesting DSAR, the request for written authorization or other supporting documentation may be required by the organization.

How to Prepare for DSARs

Many expect that the number of receiving DSARs have increased significantly after CCPA. So let’s explore what is required and how to prepare:

  • Responding to a Data Subject Request

Organizations have 45 days to respond and fulfill a customer’s data subject request, in a transferable electronic format. These obligations may vary depending on the customer’s request and how their information is handled.

  • Manage Deletion Requests

Deletion requests involve not only team members from within the organization, but also all third-party vendors and partners with whom the personal information has been shared.

  • Communicating with the Consumer

CCPA requires the disclosure of rights and communication about DSARs, as does the GDPR. The rights given to consumers under CCPA and GDPR are similar but not identical. This means that organizations will need to change their communication accordingly.


Responding to Data Subject Access Requests

The following are the steps required to process and fulfill a DSAR:

  1. Register, log and authenticate DSAR

    Organizations must register data requests, log them in a system of record, and authenticate the user before starting work on their fulfillment, either manually or automatically.

  2. Collect personal information

    For organizations to prepare for DSARs, they will need to discover and categorize the personal data they process and store. This data is often stored on an array of systems within an organization and externally as well. The personal data must also be mapped to the individual owner of that data to facilitate the processing of DSARs. Leveraging a People Data Graph can help streamline this process. The collection of this data must also be done in a safe manner to avoid additional data sprawl which could translate to greater liability.

  3. Review and approve the information

    After gathering the necessary information, organizations need to review the data and make sure it meets the DSAR requirements without disclosing proprietary information or the personal data of any other data subject.

  4. Safely deliver customer information

    The final response must then be delivered to the consumer securely. If a data breach or leakage occurs, it can cost as much as $750 per leaked record.

Here are several risks associated with fulfilling a data subject request you must watch out for:

  • Requesters cannot be trusted without authentication.
  • Managing deadlines is crucial to fulfilling DSARs.
  • Data scanning should be automated, and done in a way that does not replicate copies of the data
  • Data processing should be centralized in a safe workplace to avoid personal data sprawl
  • Consumer responses should be encrypted to avoid data breaches.
  • The activity must be tracked to keep a record for validating compliance
  • Data delivered to the wrong person can be catastrophic.

One important factor to consider is that using traditional means will do more harm than good. For example, using emails to deal with DSARs can be dangerous as the risk of data sprawl increases when sending and receiving data over a system that is not secure. Moving personal information in an unencrypted system increases the risk of data breaches. It takes an average of 196 days for an organization to pick up on a data breach, making it essential for enterprises to fortify and automate their systems to protect themselves from any data breach.

Who Responds to a DSAR?

If the organization has designated a data protection officer (DPO), they will often be in charge of fulfilling DSARs. If an organization does not have a DPO, the responsibility should fall to a staff member knowledgeable about data protection and honoring DSAR.

Charging a Fee for the DSAR Response

In most cases, you are not allowed to charge a fee for handling a request. After receiving the request, you must react without delay and within one month. However, controllers are permitted to charge a fair price depending on administrative costs when a person requests more copies of their personal data being processed.

What Needs to be Included in a DSAR Response?

When responding to a DSAR, organizations are required to have the following heading in their response:

  • A confirmation that the data subject’s personal data is processed.
  • Access to the data subject’s personal information.
  • State all the lawful basis for processing data.
  • Mention the period or criteria for which data will be stored.
  • Any relevant information  about how this data has been obtained.
  • Any relevant information about automated decision-making and profiling.

The names of any third parties information is shared with.

DSAR Response Challenges

Receiving a DSAR can strain organizations' resources, resulting in operational challenges. These challenges intensify when organizations collect large volumes of personal data, have obtained data from third parties, or share it with third parties, data residing in numerous data systems, categories of data (personal and sensitive), etc.

Deadline for Responding to the DSAR

Data controllers are required to respond to a DSAR "without undue delay" and "in any case within one month of receipt of the request," according to Article 12 of the GDPR. The ICO previously specified that this 30-day window begins the day after a data controller receives a DSAR.

If the request is complicated or the organization has received many requests from the person, the deadline may, in some circumstances, be extended by two more months. For instance, the person simultaneously lodged a DSAR and a right to be forgotten.

Refusing to Respond to a DSAR

According to ICO standards, a DSAR may be rejected if it is excessive or unwarranted. It's critical to keep in mind that each request's eligibility for an exemption must be considered individually. If you decline to fulfill a request, you must let the person know why and that they have the option to file a complaint with the ICO.

Key Takeaways

Here are some highlights:

  • DSARs are a mechanism by which consumers request access to their personal information held by organizations such as yours.
  • Responding to these requests presents several operational challenges.
  • Fulfilling DSARs will prove to be especially costly (average cost of $1,400 per each request when fulfilled manually)
  • A comprehensive DSR robotic automation solution can reduce cost and complexity and limit legal liability

Large organizations may have hundreds of millions of records about their consumers, often spread across an array of systems. Sorting this data and creating a data inventory to cope with DSARs is a challenging task that requires organizations to automate their current practices.

At Securiti, we have solutions that offer robotic automation, machine learning and secure cross-channel collaboration to help your business stay prepared for CCPA.

Next Steps

To learn more about automation and orchestration of data subject requests and how much time you can save, check out the video below or schedule a demo to see it live, in action!

Your Data+AI Command Center

Enable Safe Use of Data and AI

Key Takeaways:

  1. Definition of DSAR: A Data Subject Access Request (DSAR) enables individuals to inquire about the personal data collected, stored, or processed about them by an organization. They can request data deletion, correction, or opt-out of future data collection.
  2. Legal Framework for DSARs: The California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) outline the obligations of businesses/data controllers to comply with DSARs, emphasizing the importance of handling personal information responsibly and transparently.
  3. CCPA and GDPR Requirements: Under CCPA, businesses must provide two or more methods for submitting DSARs and respond within 45 days. GDPR mandates similar responsiveness and adds specific details that must be included in the response, such as the purposes of data processing and the rights of data subjects.
  4. DSAR Response Process: Organizations must authenticate the DSAR, collect and review the requested personal information, and securely deliver the response, ensuring no breach of other individuals' data.
  5. Operational Challenges and Automation: Fulfilling DSARs can be costly and time-consuming, especially for organizations with vast amounts of data across multiple systems. Automation and robotic process automation (RPA) solutions can significantly reduce the cost and complexity of responding to DSARs.
  6. Who Responds to DSARs: Typically, a Data Protection Officer (DPO) or a knowledgeable staff member is responsible for responding to DSARs. Organizations without a DPO should designate someone familiar with data protection laws.
  7. Charging Fees and Refusing DSARs: Generally, organizations cannot charge fees for handling DSARs unless the requests are unfounded or excessive. Organizations must provide a rationale if they refuse to comply with a DSAR.
  8. Importance of DSARs: DSARs offer consumers control over their personal information, while compliance enhances an organization's reputation and ensures adherence to privacy laws. However, the process presents operational challenges that can be mitigated through automation.
  9. Securiti's Solution: Securiti provides solutions that leverage robotic automation, machine learning, and secure collaboration to help businesses efficiently manage and respond to DSARs, potentially saving significant time and resources.
  10. Next Steps: Organizations are encouraged to explore automation and orchestration solutions for DSARs to streamline their compliance processes and reduce the associated costs and complexities.

Frequently Asked Questions (FAQs)

A Data Subject Access Request (DSAR) is a request made by an individual to an organization to access their personal data and obtain information about how the organization processes their data.

A DSAR in GDPR refers to the Data Subject Access Request, which grants individuals the right to access their personal data held by organizations and understand how it's used. If requested, controllers must provide data subjects with a copy of their personal data, ensuring it doesn't adversely affect the rights and freedoms of others, along with specific details. The controller may charge a reasonable administrative fee for extra copies or in cases of manifestly unfounded or excessive requests.

An example of a DSAR is when customers request access to their purchase history and personal data stored by an online retailer.

A DSAR form is a structured template that individuals can use to submit their Data Subject Access Request, often provided by organizations to facilitate the request process.

In a DSAR, you can ask for a copy of your personal data, details about its processing, the purposes for processing, recipients of the data, and more.

DSAR (Data Subject Access Request) and SAR (Subject Access Request) are often used interchangeably. SAR is a more general term, while DSAR specifically refers to the rights granted by GDPR.

DSAR (Data Subject Access Request) and SAR (Subject Access Request) are often used interchangeably. SAR is a more general term, while DSAR specifically refers to the rights granted by GDPR.

DSARs empower individuals to take control of their personal data, understand how it's used, ensure accuracy, and hold organizations accountable for data processing.

Organizations are generally required to respond to a DSAR within one month. However, in some cases, this can be extended by two additional months depending on complexity.

You can request a DSAR by contacting the organization holding your data and expressing your desire to access your personal information.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


More Stories that May Interest You