Data Subject Rights (DSRs) are a fundamental component of data privacy and protection regulations such as the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and many other data privacy laws worldwide.
DSRs empower individuals to exercise control over their personal data. The rights found across these laws include the right to be informed, the right of access, the right to rectification, the right to erasure (the "right to be forgotten"), the right to restrict processing, the right to data portability, the right to object to processing, and rights related to automated decision-making, including profiling.
Handling DSR requests effectively is crucial for organizations that want to stay compliant and maintain the trust of data subjects. This guide walks through ten essential steps for completing a data subject access request (DSAR), the request by which an individual exercises the right of access.
DSAR Response Time Frames
Before we dive into the DSAR process, it is crucial to establish the correct deadline, because the clock starts on the day the request is received and the deadlines differ by law. Under the CCPA, organizations must respond to a DSAR within 45 days of receipt; that period may be extended once by a further 45 days where reasonably necessary, provided the consumer is told of the extension.
Under the EU and UK GDPR the deadline is one month, not a fixed 30 days. Article 12(3) requires data controllers to respond "without undue delay" and "in any event within one month of receipt of the request". In practice this means the corresponding calendar date in the following month (or the last day of that month if there is no corresponding date, for example a request received on 31 January is due at the end of February). The period may be extended by up to two further months where necessary, taking into account the complexity and number of requests, but the data subject must be informed of the extension, and the reasons for it, within the first month.
Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), organizations must respond to a request for personal information within 30 calendar days of receipt. Organizations cannot simply acknowledge within 30 days that they received the request and then take more time to actually deal with it; the substantive response is what is due.
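Because "one month" and "30 days" are not the same thing, a deadline calculator is a useful sanity check before a DSAR is logged. The following is an added example and not part of the original page or Securiti's product; it applies the ICO's "corresponding date" rule for the GDPR branch (corresponding date next month, last day of the month if none, and roll forward to the next working day if the date falls on a weekend or public holiday), counts from the day of receipt, and treats the CCPA and PIPEDA deadlines as plain calendar-day counts. The `holidays` set is a constructed sample and the regime names are this example's own convention.

```python
from datetime import date, timedelta
import calendar

# Constructed sample of public holidays; a real deployment would load the
# calendar for the controller's jurisdiction.
SAMPLE_HOLIDAYS = {date(2024, 12, 25), date(2024, 12, 26)}


def add_months(d: date, n: int) -> date:
    """Corresponding calendar date n months after d.

    If the target month is shorter and has no such date (31 Jan -> Feb),
    return the last day of the target month, as the ICO guidance describes.
    """
    month_index = d.month - 1 + n
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_working_day(d: date, holidays=frozenset()) -> date:
    """Roll a deadline forward past Saturdays, Sundays and listed holidays."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def dsar_deadline(received: date, regime: str, extended: bool = False,
                  holidays=frozenset()) -> date:
    """Return the date by which the substantive response is due.

    regime: "gdpr" (EU or UK), "ccpa" or "pipeda".
    extended: apply the maximum extension the law allows (GDPR: two further
              months, Art. 12(3); CCPA: one additional 45 days; PIPEDA: an
              additional 30 days under s. 8(4)). Whether the extension is
              justified is a legal judgement this function does not make.
    """
    regime = regime.lower()
    if regime == "gdpr":
        months = 3 if extended else 1
        return next_working_day(add_months(received, months), holidays)
    if regime == "ccpa":
        days = 90 if extended else 45
        return received + timedelta(days=days)
    if regime == "pipeda":
        days = 60 if extended else 30
        return received + timedelta(days=days)
    raise ValueError(f"unknown regime: {regime}")


if __name__ == "__main__":
    # 31 January 2024 under the GDPR is due 29 February, not 1 March.
    print(dsar_deadline(date(2024, 1, 31), "gdpr"))
    # 1 May 2024 under the GDPR would fall on Saturday 1 June; rolls to Monday.
    print(dsar_deadline(date(2024, 5, 1), "gdpr", holidays=SAMPLE_HOLIDAYS))
    # CCPA is a straight 45-day count.
    print(dsar_deadline(date(2024, 3, 15), "ccpa"))
```

The working-day rollover is applied only on the GDPR branch because that is where the regulator's guidance spells it out; if your legal team reads the CCPA or PIPEDA periods the same way, extend the function rather than assuming it.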
Step 1 – Identify and Document DSARs
Identifying and documenting the request is the first step in the DSAR process. A request may arrive by phone, email, post, social media, or an online form, and under the GDPR it does not need to use the words "subject access request" or cite a law to count as one, so frontline staff must be trained to recognize requests and route them promptly. A robust DSAR process logs each request with the date of receipt (which starts the clock), the channel, what was asked for, and who is handling it. Accurate identification and documentation at this step lay the foundation for effective DSAR management throughout the rest of the process.
To keep pace with evolving data protection laws and to give data subjects and the organization a transparent, easy-to-use process, establish one systematic intake path for documenting and handling every DSAR rather than relying on ad hoc handling by whoever happens to receive it.
Step 2 – Verify the Requestor's Identity
This crucial stage verifies that the person requesting the data is in fact the individual they claim to be. Confirm the requestor's identity before releasing anything, because a DSAR fulfilled to an impostor is itself a personal data breach, and DSARs are a known social-engineering route to someone else's records. Verification should be proportionate: where the requestor already has an account, authenticate them through that account's normal login rather than asking for copies of identity documents, and ask for only as much additional evidence as the sensitivity of the data justifies. Where an agent or representative makes the request, verify both their identity and their authority to act for the data subject, and record how identity was verified for the audit trail.
Step 3 – Locate and Access Data Sources
After verifying the requestor's identity, the organization must begin the complex and multifaceted task of locating the requested personal data, which may be spread across several departments, databases, file formats, legacy systems, email and messaging archives, backups, and cloud and multi-cloud environments.
An effective and systematic data retrieval process, ideally backed by an up-to-date data inventory or data map that records which systems hold personal data and who owns them, is essential to respond to DSARs promptly and correctly as privacy laws evolve. During this step, keep the data subject informed of the status of their request, especially if the search is taking longer than expected.
Step 4 – Retrieve the Requested Data
The next step is to extract and compile the specific personal data that the data subject has requested. This may entail obtaining data from various sources, including files, databases, emails, and application logs.
This step requires special care: the data provided must be accurate, must match the scope of the request (a request for "everything you hold about me" is broader than a request for a specific account's transaction history), and must not include data that falls outside that scope. Data protection regulations also require that retrieval be carried out securely, so copies collected for the response should be kept in a single access-controlled location, not scattered across personal inboxes or shared drives, and the work must be completed within the permitted time frame.
Step 5 – Review Data for Exemptions
Thoroughly examine the retrieved data for exemptions and redaction requirements. Some material may be exempt from disclosure under the applicable law (for example, information subject to legal professional privilege or information that would prejudice an ongoing investigation), and records will often contain other individuals' personal data, which should be redacted unless those third parties consent or disclosure to the requestor is otherwise reasonable. Record each exemption relied on and the reason. When redacting, make sure the redaction actually removes the content from the copy that is sent: a black box drawn over text in a PDF frequently leaves the underlying text extractable, so verify the final file by extracting its text, not just by viewing it.
Step 6 – Format and Provide the Data
Provide the data subject with their data in a clear, structured, and understandable format. This may involve preparing a detailed report of the data subject's data or giving them access to a secure portal where they can review it.
Data may need to be organized systematically and converted into a widely used format such as CSV, Excel, or PDF. Under the GDPR, if the request was made electronically the information should be provided in a commonly used electronic form unless the data subject asks otherwise. A usable format lets the data subject examine and use the data efficiently, enhancing transparency and making it straightforward to exercise the right of access.
Step 7 – Secure Data Transmission
Once the personal data has been organized and formatted, it is ready for delivery to the data subject. To prevent the response itself from becoming a breach, deliver it over an encrypted channel, such as a secure portal or file-sharing service that requires the recipient to authenticate, and avoid sending the package as a plain email attachment. Send it only to the contact details established during identity verification, not to whatever reply-to address appeared on the original request, and if a download link is used, make it expire and record when it was accessed.
Step 8 – Document the Process
Maintain thorough documentation of the DSAR process, including every step carried out, the response given, and any exemptions relied on. This includes the date the request was received and the resulting deadline, the verification method used, the systems searched, the exemptions applied and why, the format of the data provided, and the secure channel and date of delivery.
Aside from providing proof of compliance with applicable data protection laws, this documentation lets organizations monitor the entire DSAR process, identify areas for improvement, and demonstrate accountability in the event of an audit, a complaint to a regulator, or an investigation.
Step 9 – Communicate with the Requestor
Throughout the DSAR process, keep the requestor informed: acknowledge receipt, report progress, explain any delay or extension and its reason, and tell them when they can expect to receive the data. The final response should describe what has been provided, explain any exemptions applied (to the extent the law allows), address any ambiguities, and give contact details for follow-up questions or complaints.
Step 10 – Close the DSAR
Close the DSAR after the data subject has received the requested information. This includes confirming with the data subject that their request has been fulfilled, resolving any outstanding issues, and making sure they know the procedure is complete.
Closing the DSAR formally concludes the data subject's request and helps the organization keep an accurate record of its compliance with applicable data protection laws. This last step confirms that the organization has honored the data subject's rights and that the request has been handled properly.
How Securiti Can Help
As data privacy regulations evolve, organizations that invest in robust DSAR automation tools will be better equipped to meet the growing expectations of a data-conscious society while maintaining compliance and confidence with their data subjects.
Securiti DSR automation is the most efficient and modern way to honor DSAR. Businesses can save money during the DSAR process, lower their risk of compliance fines dramatically, and maintain brand integrity by implementing automation.
Request a demo to witness Securiti in action.