Responding to Data Subject Access Requests
The following are the steps required to process and fulfill a DSAR:
- Register, log and authenticate the DSAR. Organizations must register each data request, log it in a system of record, and authenticate the requester before starting work on fulfillment, whether the process is manual or automated.
- Collect the personal information. To prepare for DSARs, organizations need to discover and categorize the personal data they process and store. This data is often spread across many internal systems and external ones as well. The personal data must also be mapped to the individual it belongs to so that DSARs can be processed. Leveraging a People Data Graph can help streamline this process. Collection must be done in a safe manner to avoid creating additional copies of the data, since data sprawl translates into greater liability.
- Review and approve the information. After gathering the necessary information, organizations need to review it and make sure it meets the DSAR requirements without disclosing proprietary information or the personal data of any other data subject.
- Safely deliver the customer's information. The final response must then be delivered to the consumer securely. If a data breach or leakage occurs, it can cost as much as $750 per leaked record.
Here are several risks associated with fulfilling a data subject request that you must watch out for:
- Requesters cannot be trusted until they have been authenticated.
- Managing deadlines is crucial to fulfilling DSARs on time.
- Data scanning should be automated and done in a way that does not create additional copies of the data.
- Data processing should be centralized in a secure workspace to avoid personal data sprawl.
- Responses to consumers should be encrypted to avoid data breaches.
- Every activity must be tracked so that a record exists for validating compliance.
- Data delivered to the wrong person can be catastrophic.
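The four steps above, and the risks listed here (authentication before any data is touched, deadline tracking, no extra copies of the data, an audit record, encrypted delivery to the verified requester), are easiest to see as a state machine that refuses to skip a step. The following is an added illustration written for this page, not code from the original article or from any DSAR product; the case identifiers, record locators, the `DsarCase` class and its methods are all constructed here. The deadline follows the page's description of a 30-day window beginning the day after receipt; modeling the two-month extension as 60 days is an assumption of this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
import hashlib

RESPONSE_WINDOW_DAYS = 30   # page: 30-day window that starts the day after receipt
EXTENSION_DAYS = 60         # assumption: "two more months" modeled as 60 days


class Stage(Enum):
    RECEIVED = 1
    AUTHENTICATED = 2
    COLLECTED = 3
    REVIEWED = 4
    DELIVERED = 5


class DsarError(Exception):
    """Raised when a step is attempted out of order or a required control is missing."""


@dataclass
class DsarCase:
    case_id: str
    requester_id: str            # identity the requester claims
    received_on: date
    stage: Stage = Stage.RECEIVED
    extended: bool = False
    record_refs: list = field(default_factory=list)   # locators only, never data copies
    audit: list = field(default_factory=list)         # hash-chained, append-only log

    def __post_init__(self):
        self._log("registered", f"request from {self.requester_id}")

    # Each audit entry commits to the previous digest, so an edited or dropped
    # entry is detectable when the record is later used to evidence compliance.
    def _log(self, event: str, note: str) -> None:
        prev = self.audit[-1]["digest"] if self.audit else "0" * 64
        digest = hashlib.sha256(f"{prev}|{event}|{note}".encode()).hexdigest()
        self.audit.append({"event": event, "note": note, "prev": prev, "digest": digest})

    def audit_intact(self) -> bool:
        prev = "0" * 64
        for e in self.audit:
            expect = hashlib.sha256(f"{prev}|{e['event']}|{e['note']}".encode()).hexdigest()
            if e["prev"] != prev or e["digest"] != expect:
                return False
            prev = e["digest"]
        return True

    def due_on(self) -> date:
        # day 1 of the window is the day after receipt, so day 30 is receipt + 30
        due = self.received_on + timedelta(days=RESPONSE_WINDOW_DAYS)
        return due + timedelta(days=EXTENSION_DAYS) if self.extended else due

    def extend(self, reason: str) -> None:
        if self.extended:
            raise DsarError("deadline can be extended only once")
        self.extended = True
        self._log("extended", reason)

    def _require(self, stage: Stage) -> None:
        if self.stage != stage:
            raise DsarError(f"{self.case_id}: expected {stage.name}, case is {self.stage.name}")

    def authenticate(self, verified_identity: str) -> None:
        self._require(Stage.RECEIVED)
        if verified_identity != self.requester_id:
            self._log("auth_failed", "verified identity does not match claimed requester")
            raise DsarError("requester identity could not be verified")
        self.stage = Stage.AUTHENTICATED
        self._log("authenticated", "identity verified before any data was touched")

    def collect(self, locators) -> None:
        self._require(Stage.AUTHENTICATED)        # no data work before authentication
        for loc in locators:
            if loc.get("subject") != self.requester_id:
                raise DsarError(f"record {loc['ref']} belongs to another data subject")
            self.record_refs.append(loc["ref"])  # store where the data lives, not the data
        self.stage = Stage.COLLECTED
        self._log("collected", f"{len(self.record_refs)} record locators")

    def review(self, third_party_data_removed: bool, reviewer: str) -> None:
        self._require(Stage.COLLECTED)
        if not third_party_data_removed:
            raise DsarError("review must confirm other subjects' data has been removed")
        self.stage = Stage.REVIEWED
        self._log("reviewed", f"approved by {reviewer}")

    def deliver(self, recipient_id: str, channel_encrypted: bool) -> None:
        self._require(Stage.REVIEWED)
        if recipient_id != self.requester_id:
            raise DsarError("recipient does not match the authenticated requester")
        if not channel_encrypted:
            raise DsarError("response may only leave over an encrypted channel")
        self.stage = Stage.DELIVERED
        self._log("delivered", f"to {recipient_id} over encrypted channel")


def run_sample_case() -> DsarCase:
    """Walk a constructed case through all four steps in order."""
    case = DsarCase("DSAR-0001", "alice@example.com", date(2024, 3, 1))
    case.authenticate("alice@example.com")
    case.collect([{"ref": "crm:cust/123", "subject": "alice@example.com"},
                  {"ref": "billing:inv/987", "subject": "alice@example.com"}])
    case.review(third_party_data_removed=True, reviewer="dpo")
    case.deliver("alice@example.com", channel_encrypted=True)
    return case
```

A real system of record would persist the case and its audit log rather than hold them in memory, but the ordering rules are the point: `collect` cannot run before `authenticate`, `deliver` refuses an unencrypted channel or a recipient other than the verified requester, and the log records the refusal when authentication fails.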
One important factor to consider is that handling DSARs through ad hoc channels does more harm than good. For example, using email to deal with DSARs is dangerous because sending and receiving personal data over an insecure system increases data sprawl, and moving personal information through an unencrypted system increases the risk of a data breach. It takes an average of 196 days for an organization to detect a data breach, which makes it essential for enterprises to fortify and automate their systems so that DSAR handling does not become the source of one.
Who Responds to a DSAR?
If the organization has designated a data protection officer (DPO), the DPO will often be in charge of fulfilling DSARs. If an organization does not have a DPO, the responsibility should fall to a staff member who is knowledgeable about data protection and about honoring DSARs.
Charging a Fee for the DSAR Response
In most cases, you are not allowed to charge a fee for handling a request. After receiving the request, you must respond without undue delay and within one month. However, controllers are permitted to charge a reasonable fee based on administrative costs when a person requests further copies of the personal data being processed.
What Needs to be Included in a DSAR Response?
When responding to a DSAR, organizations are required to include the following information in their response:
- Confirmation that the data subject's personal data is being processed.
- Access to the data subject's personal information.
- The lawful basis, or bases, for processing the data.
- The retention period, or the criteria used to determine it.
- Any relevant information about how the data was obtained.
- Any relevant information about automated decision-making and profiling.
- The names of any third parties the information is shared with.
DSAR Response Challenges
Receiving a DSAR can strain an organization's resources and create operational challenges. These challenges intensify when the organization collects large volumes of personal data, has obtained data from third parties or shares it with them, holds the data across numerous systems, or processes several categories of data (personal and sensitive).
Deadline for Responding to the DSAR
Data controllers are required to respond to a DSAR "without undue delay" and "in any case within one month of receipt of the request," according to Article 12 of the GDPR. The ICO previously specified that this 30-day window begins the day after a data controller receives a DSAR.
If the request is complicated or the organization has received many requests from the same person, the deadline may, in some circumstances, be extended by two more months. For instance, the person may have lodged a DSAR and a right-to-be-forgotten request at the same time.
Refusing to Respond to a DSAR
According to ICO guidance, a DSAR may be refused if it is excessive or unfounded. It is critical to keep in mind that each request's eligibility for an exemption must be considered individually. If you decline to fulfill a request, you must tell the person why and inform them that they have the option to file a complaint with the ICO.