In This Article

What is Data Subject Access Request?

Natasha Murphy
| Read Time 8 min read| Updated On - December 5, 2022

Data Subject Access Request

A Data Subject Access Request (DSAR) is a formal request sent to an organization by an individual who wishes to find out what information has been collected and stored on their behalf.

The individual (subject) can also ask for their data to be changed in some way – perhaps if the data is inaccurate or out-of-date.

They should also have the option to opt out of future data collection activities. In most cases, the request is sent by the data subject themselves. However, under certain conditions, it’s possible for the request to be made by a third party, such as a parent, guardian, family member, legal advisor, or even a friend of the data subject.

Individuals can submit a DSAR free of charge, although data controllers are permitted to charge a fair price to cover certain administrative costs if requests are made too frequently.

Which Data Privacy Regulations Include DSARs?

The most notable data privacy regulations that include DSARs are the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). However, there are some subtle differences between these regulations relating to the way DSARs are handled. For example, under the CCPA, organizations must disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request from a consumer.

Individuals can request that their data be deleted, although this only applies to data that was collected from the consumer, and doesn’t take into account data that was collected from third parties.

Under the GDPR, organizations must respond to DSARs within a month of receiving a request, and individuals can request the deletion of all data that relates to them, regardless of how it was collected.

Who Can Submit a DSAR?

Anyone whose personal data has been collected and stored by a for-profit organization can file a DSAR. This includes employees, contractors, vendors, business associates, and customers. An individual may make a request on their own behalf, or on the behalf of another person – providing they have the consent of the data subject. For example, a legal representative, parent, guardian, relative, or acquaintance may submit a request on behalf of a data subject, providing they have a justification for doing so and are able to satisfy the verification requirements.

How to Respond to Data Subject Access Requests

If you have appointed a data protection officer (DPO), it will be their responsibility to fulfill DSARs. Otherwise, you will need to appoint a member of the security team to respond to DSARs. Organizations are required to maintain a tamper-proof record of all requests, and they must securely authenticate the user before they can process the request. This can be done through either:

Knowledge-based authentication

Ask a series of questions about the individual’s personal information, how they use your services, how long they have been a customer, and any other relevant questions.

User login credentials / MFA

The subject can either log in to a portal and make the request from there, or the request can be sent to a verified email address belonging to the subject. You can also send a one-time passcode to the subject’s phone number or email address, and then ask them to enter the passcode in order to verify their identity.

In order to be able to respond to DSARs in a fast and efficient manner, data controllers must know exactly what PII they store, and where it is located.

While it is theoretically possible to manually discover and classify PII, most companies will use an automated solution that will scan all repositories, whether on-premise or cloud-based, and discover and classify data in accordance with the relevant compliance requirements.

If your data is classified properly you should be able to enter the subject’s name and retrieve all of the PII associated with them. Once you have retrieved their information, you will need to ensure that the data meets the DSAR requirements. To be more precise, you must ensure that it doesn’t include PII or other sensitive information that belongs to other data subjects.

Finally, you will need to deliver the data to the subject in a way that is secure and easy to access.

What Needs to Be Included in a DSAR?

Only personal data needs to be provided in response to a DSAR. Businesses are not required to include every piece of information that refers to or mentions the data subject. Internal notes or a person’s order history are examples of situations where data would not need to be disclosed in a DSAR. However, in addition to personal data, businesses are also required to provide;

  • The reasons why they are processing personal data.
  • Information about any third parties that the organization is sharing personal data with.
  • The types of personal data the organization processes.
  • The source of the personal data – assuming the data wasn’t collected from the subject themselves.
  • The data retention period, or in other words, the length of time an organization will retain personal data.
  • Information about any automated decision-making and profiling.
  • Information about the data subject’s rights, including the rights to rectification, erasure, and so on.

DSAR Response Process

Once a DSAR is received, businesses have a limited period of time to respond. A DSAR response procedure should be implemented to deal with responses in a systematic manner, without interruption. When developing a DSAR response process, there are important factors that need to be considered. These include;

  • The system used to receive requests.
  • How the requesters’ identity is verified.
  • How the requests are processed.
  • How a user’s data is collected and stored.
  • How users’ data is secured, both at rest and in transit.
  • The format used to deliver the request response to the subject.
  • Any remediation activities that need to be performed during or following the request.

DSAR Request Verification

Businesses are required to confirm the identities of those issuing the request in order to prevent a data breach from occurring due to information being disclosed to an unauthorized person.

Request verification can be done in the following ways;

  • By asking questions relating to the personal data that has already been collected by the organization.
  • By asking the requester to log in to their account before issuing a request.
  • By using a third-party verification service.

Who Should Respond to the DSAR?

To oversee DSAR management and guarantee that the essential requirements are met, a compliance team should be established. Additionally, due to the short deadlines, businesses must designate either a Data Protection Officer (DPO), a data controller, or another member of staff with the relevant skills/experience.

Refusing to Respond to a DSAR

A company may refuse to respond to a DSAR for a variety of reasons, such as when;

  • Personal data is not retained in a format that is properly searchable and accessible.
  • Personal data is processed for compliance purposes.
  • Personal data isn’t used for commercial purposes.
  • Personal data is used for the purpose of national security.
  • A data subject makes too many requests – perhaps with the intention of causing disruption.

How Much Time is Allowed to Respond to a DSAR?

The time frame for responding to a DSAR varies depending on the relevant data protection laws. For example, under the GDPR, businesses have 30 days to respond from the time the request is received, whereas, under the CCPA, businesses have 45 days to respond to a DSAR. Fines and other penalties may apply if a DSAR request is not fulfilled within the allotted time frames.

Charging a Fee for the DSAR Response

Businesses are permitted to impose a “reasonable fee” to compensate administrative costs if a DSAR is unjustified or excessive, such as if a customer repeatedly wants the same information or makes unreasonable requests. Fees for a DSAR response must only be used to cover costs, and not used to make a profit.

DSAR Response Challenges

There are a number of challenges that businesses will face when responding to DSARs. Firstly, DSARs can be submitted at no cost to the data subject, as all that is required is a phone call, email, or some other method of communication. The problem is that processing DSARs comes at a cost to the company. They also have a limited time to reply, which means they have to appoint additional members of staff to carry out DSAR processing activities. As mentioned above, the response time window for CCPA is 45 days and 30 days for the GDPR. This could be a problem for companies whose data is spread across multiple systems and locations – some of which may be stored in an unstructured format. These issues will make it harder to locate and obtain a subject’s personal data.

How Lepide Can Help You Respond Quickly to Data Subject Access Requests

Lepide Data Security Platform uses eDiscovery to locate PII in files in order to speed up privacy and data subject access requests and achieve compliance with privacy regulations. With Lepide, you can schedule searches for PII easily, so that you can generate responses to DSARs quickly. Our DSAR solution also allows you to search through a wide variety of file types, and combine multiple values, so that you can avoid false positives.

If you’d like to see how the Lepide Data Security Platform can help you respond to a Data Subject Access Requests, schedule a demo with one of our engineers.

Natasha Murphy
Natasha Murphy

Natasha is a dedicated customer success advocate, helping Lepide customers to get the most out of their solutions.

Popular Blog Posts