DSR Fulfillment Timeline: What You Should Know

In today’s digital world, numerous data privacy regulations worldwide have provided control to individuals with respect to their personal data by granting data subjects several rights.

Known popularly as data subject rights (DSR) requests, these allow users to contact organizations collecting and processing their data and exercise their data subject rights, such as the right to access, modify, or delete, among others.

For organizations, honoring DSR requests is a strict legal obligation. Hence, having absolute clarity related to the timeline in which such DSR requests must be honored under applicable privacy laws is critical to eventual compliance with such requests.

Organizations often question when the time to complete a data subject’s right request starts. Does it start when the request comes in or after the identity verification of an individual has taken place? Read on to learn more about the DSR fulfillment timeline under the General Data Protection Regulations (GDPR) and the California Privacy Rights Act (CPRA).

DSR Fulfillment Timeline Under the GDPR

Before an organization can begin addressing a DSR request, it needs clarity on the timeline it should follow. The European Data Protection Board (EDPB) released an updated guide on data subject’s right of access on 28 March 2023, which provides guidance on timelines, suspension, and timeline extension to respond to an access request.

Timeline to respond

Under the GDPR, the time limit for responding to an access request starts when the organization has received the request, meaning when the request reaches the organization through one of its official channels.

The data controller being unaware of the request being made would not affect the time limit in any case. The deadline to respond to an access request is one month under the GDPR. For example, if an organization receives a request on 5 March - the organization has until and including 5 April to comply with the request at the latest.

In another example provided by the EDPB, if the organization receives an access request on 31st August and there is no corresponding date in the next month, the organization must respond to the access request by the end of the next month, which is 30th September.

Suspension of timeline

The time limit may be suspended if the organization is required to communicate with the data subject regarding the data subject's identity. In such a situation, the suspension of the timeline is permitted until the organization has received sufficient information from the data subject regarding his/her identity, provided that the organization has asked for additional information from the data subject confirming his/her identity without undue delay.

In all cases of timeline suspension, the data controller must inform the data subject about the delay, the possibility of lodging a complaint with a supervisory authority, and seeking a judicial remedy within one month of receipt of the request.

In one of the examples provided by the EDPB, a controller reacts immediately following the reception of the request and asks for the information it needs to confirm the person's identity. The data subject replies several days later but with insufficient information regarding the data subject's identity.

In this situation, the timeline's suspension is permitted until the organization has received sufficient information from the data subject to confirm his/her identity. However, the caveat to note here is that the controller has reached out to the data subject without undue delay, asking for identity verification - without undue delay means as soon as possible.

Extension of the timeline

Article 12(3) of the official GDPR text states that DSR requests must be responded to "without undue delay and in any event within one month of receipt of the request…That period may be extended by two further months where necessary, taking into account the complexity and number of the requests."

This indicates that the extension of the timeline is permissible to only two further months only if the request is sufficiently complex or the controller has received a large number of requests from many individuals, provided that the controller has informed the individual of the reasons for the delay and extension within one month of the receipt of the request.

DSR Fulfillment Timeline Under the CPRA

The CPRA provides different timelines for responding to different types of DSR requests depending upon the underlying consumer right exercised.

Timeline to respond

Under the CPRA, the timeline to respond to a DSR request starts on the day on which a business receives the request. One significant difference between the GDPR and the CPRA is that the DSR request verification does not result in suspension of the response time. Rather, a business may deny a DSR request if it is unable to verify the request within the 45-day response period.

Following are different timelines for responding to different types of DSR requests under the CPRA:

Requests to delete, correct, and know

The businesses must respond to the DSR requests to delete, correct, and know within 45 calendar days after the receipt of the request. In addition, the businesses must also confirm the receipt of the request and provide information about how the business will process the request within the 10 calendar days after the receipt of the request.

Requests to opt-out of sale/sharing and limit the use of sensitive personal information

The businesses must respond to the DSR requests to opt-out of sale/sharing and limit the use of sensitive personal information as soon as feasibly possible, but in any case, within 15 calendar days after the receipt of the request.

Extension of the timeline

While the GDPR provides businesses with an option to extend the response period twice where necessary, taking into account the complexity and number of the requests, the CPRA only allows a one-off extension for specific DSR requests.

Requests to delete, correct, and know

The businesses may request an extension in the initial response time of 45 days for all deletion, access, and correction requests when reasonably necessary. However, the businesses must inform the consumer of the extension in the response time and the reason for such extension within the first 45 calendar days from the receipt of the request.

Requests to opt-out of sale/sharing and limit the use of sensitive personal information

The CPRA does not provide for the option of extension in the response time for DSR requests to opt-out of sale/sharing and limit the use of sensitive personal information.

Why Are These Timelines So Important?

Regulatory fines are an obvious reason behind the importance of ensuring all DSR requests are honored within the aforementioned timelines.

Under the GDPR, non-compliance with a DSR request can lead to a €20 million fine or 4% of the organization’s worldwide turnover, whichever is higher. Similarly, under the CPRA, an organization faces a $7,500 fine per intentional violation or $2,500 per unintentional violation.

Therefore, it is important to comply with the DSR fulfillment timelines under the applicable laws to avoid monetary and reputational risks.

How Can Securiti Help

Trust is incontrovertible in ensuring users allow organizations to collect their data. This trust implies that not only will the organization collecting the data use it to enrich the user’s experience further online but will also be proactive in responding to any of their queries related to their data, especially in case a DSR request is made.

However, given the sheer volume of data being collected from thousands, if not millions, of users, manually attempting to keep track and ensure a timely response to DSR requests is an exercise in futility and an unnecessary strain on resources.

Automation is the most efficient and effective way to address such requests.

Securiti has made a name for itself as a pioneer in the data security, governance, compliance, and privacy sectors.

Securiti PrivacyCenter.cloud is an elegant all-in-one solution that helps an organization comply with a myriad of complex and evolving global privacy regulations. In addition to several features, it offers complete real-time oversight of all the organization’s DSR requests.

Moreover, with this solution, organizations can customize their DSR forms based on their unique needs, conduct efficient identity verification, and maintain extensive documentation in case of regulatory reviews, audits, or lawsuits.

Request a demo today and learn more about how Securiti can help your organization fulfill all DSR requests reliably.