What is Data Subject Access Request?

Which Data Privacy Regulations Include DSARs?

The most notable data privacy regulations that include DSARs are the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). However, there are some subtle differences between these regulations relating to the way DSARs are handled. For example, under the CCPA, organizations must disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request from a consumer.

Individuals can request that their data be deleted, although this only applies to data that was collected from the consumer, and doesn’t take into account data that was collected from third parties.

Under the GDPR, organizations must respond to DSARs within a month of receiving a request, and individuals can request the deletion of all data that relates to them, regardless of how it was collected.

Who Can Submit a DSAR?

Anyone whose personal data has been collected and stored by a for-profit organization can file a DSAR. This includes employees, contractors, vendors, business associates, and customers. An individual may make a request on their own behalf, or on the behalf of another person – providing they have the consent of the data subject. For example, a legal representative, parent, guardian, relative, or acquaintance may submit a request on behalf of a data subject, providing they have a justification for doing so and are able to satisfy the verification requirements.

How to Respond to Data Subject Access Requests

If you have appointed a data protection officer (DPO), it will be their responsibility to fulfill DSARs. Otherwise, you will need to appoint a member of the security team to respond to DSARs. Organizations are required to maintain a tamper-proof record of all requests, and they must securely authenticate the user before they can process the request. This can be done through either:

Knowledge-based authentication

Ask a series of questions about the individual’s personal information, how they use your services, how long they have been a customer, and any other relevant questions.

User login credentials / MFA

The subject can either log in to a portal and make the request from there, or the request can be sent to a verified email address belonging to the subject. You can also send a one-time passcode to the subject’s phone number or email address, and then ask them to enter the passcode in order to verify their identity.

In order to be able to respond to DSARs in a fast and efficient manner, data controllers must know exactly what PII they store, and where it is located.

While it is theoretically possible to manually discover and classify PII, most companies will use an automated solution that will scan all repositories, whether on-premise or cloud-based, and discover and classify data in accordance with the relevant compliance requirements.

If your data is classified properly you should be able to enter the subject’s name and retrieve all of the PII associated with them. Once you have retrieved their information, you will need to ensure that the data meets the DSAR requirements. To be more precise, you must ensure that it doesn’t include PII or other sensitive information that belongs to other data subjects.

Finally, you will need to deliver the data to the subject in a way that is secure and easy to access.

What Needs to Be Included in a DSAR?

Only personal data needs to be provided in response to a DSAR. Businesses are not required to include every piece of information that refers to or mentions the data subject. Internal notes or a person’s order history are examples of situations where data would not need to be disclosed in a DSAR. However, in addition to personal data, businesses are also required to provide;

• The reasons why they are processing personal data.
• Information about any third parties that the organization is sharing personal data with.
• The types of personal data the organization processes.
• The source of the personal data – assuming the data wasn’t collected from the subject themselves.
• The data retention period, or in other words, the length of time an organization will retain personal data.
• Information about any automated decision-making and profiling.
• Information about the data subject’s rights, including the rights to rectification, erasure, and so on.

DSAR Response Process

Once a DSAR is received, businesses have a limited period of time to respond. A DSAR response procedure should be implemented to deal with responses in a systematic manner, without interruption. When developing a DSAR response process, there are important factors that need to be considered. These include;

• The system used to receive requests.
• How the requesters’ identity is verified.
• How the requests are processed.
• How a user’s data is collected and stored.
• How users’ data is secured, both at rest and in transit.
• The format used to deliver the request response to the subject.
• Any remediation activities that need to be performed during or following the request.

DSAR Request Verification

Businesses are required to confirm the identities of those issuing the request in order to prevent a data breach from occurring due to information being disclosed to an unauthorized person.

Request verification can be done in the following ways;

• By asking questions relating to the personal data that has already been collected by the organization.
• By asking the requester to log in to their account before issuing a request.
• By using a third-party verification service.

Who Should Respond to the DSAR?

To oversee DSAR management and guarantee that the essential requirements are met, a compliance team should be established. Additionally, due to the short deadlines, businesses must designate either a Data Protection Officer (DPO), a data controller, or another member of staff with the relevant skills/experience.

Refusing to Respond to a DSAR

A company may refuse to respond to a DSAR for a variety of reasons, such as when;

• Personal data is not retained in a format that is properly searchable and accessible.
• Personal data is processed for compliance purposes.
• Personal data isn’t used for commercial purposes.
• Personal data is used for the purpose of national security.
• A data subject makes too many requests – perhaps with the intention of causing disruption.

How Much Time is Allowed to Respond to a DSAR?

The time frame for responding to a DSAR varies depending on the relevant data protection laws. For example, under the GDPR, businesses have 30 days to respond from the time the request is received, whereas, under the CCPA, businesses have 45 days to respond to a DSAR. Fines and other penalties may apply if a DSAR request is not fulfilled within the allotted time frames.

Charging a Fee for the DSAR Response

Businesses are permitted to impose a “reasonable fee” to compensate administrative costs if a DSAR is unjustified or excessive, such as if a customer repeatedly wants the same information or makes unreasonable requests. Fees for a DSAR response must only be used to cover costs, and not used to make a profit.

DSAR Response Challenges

There are a number of challenges that businesses will face when responding to DSARs. Firstly, DSARs can be submitted at no cost to the data subject, as all that is required is a phone call, email, or some other method of communication. The problem is that processing DSARs comes at a cost to the company. They also have a limited time to reply, which means they have to appoint additional members of staff to carry out DSAR processing activities. As mentioned above, the response time window for CCPA is 45 days and 30 days for the GDPR. This could be a problem for companies whose data is spread across multiple systems and locations – some of which may be stored in an unstructured format. These issues will make it harder to locate and obtain a subject’s personal data.

How Lepide Can Help You Respond Quickly to Data Subject Access Requests

Lepide Data Security Platform uses eDiscovery to locate PII in files in order to speed up privacy and data subject access requests and achieve compliance with privacy regulations. With Lepide, you can schedule searches for PII easily, so that you can generate responses to DSARs quickly. Our DSAR solution also allows you to search through a wide variety of file types, and combine multiple values, so that you can avoid false positives.

If you’d like to see how the Lepide Data Security Platform can help you respond to a Data Subject Access Requests, schedule a demo with one of our engineers.

FAQs

How much does it cost to comply with a DSAR?

While individuals generally cannot be charged for making a Data Subject Access Request (DSAR), there are limited exceptions. Organizations can impose a reasonable fee to cover administrative costs if the request is deemed unfounded or excessive. Additionally, a small fee might be charged for providing multiple copies of requested data beyond the initial response. It is important to remember that these fees must be minimal and not discourage individuals from exercising their right to access their information.

For more information, you can refer to the Information Commissioner’s Office (ICO) guidance on the right of access or resources from Skillcast on GDPR Data Subject Access Requests.

What are the legal implications of not complying with a DSAR?

Ignoring a Data Subject Access Request (DSAR) can lead to serious legal consequences for organizations. Regulatory bodies like the ICO have the power to impose fines, reprimands, and other measures for non-compliance, with potential fines reaching millions under the GDPR. Additionally, individuals whose DSARs are ignored may claim compensation for any distress or damage caused. Furthermore, such instances can severely damage an organization’s reputation, leading to negative publicity and loss of customer trust. In today’s data-driven world, organizations that prioritize data privacy and demonstrate compliance with regulations gain a clear competitive advantage. For these reasons, it’s crucial for organizations to understand their obligations and implement robust processes for handling DSARs promptly, accurately, and in accordance with data protection laws.

How can businesses automate the process of responding to DSARs?

Businesses can leverage technology to automate various aspects of the DSAR response process, boosting both efficiency and compliance. Dedicated DSAR software streamlines tasks like request management, data location, redaction, and secure delivery. These tools often come pre-equipped with templates and workflows for faster processing.

Another key element is data discovery. Tools can automatically scan databases and applications, creating a comprehensive inventory of personal data. This facilitates accurate and efficient fulfillment of DSARs.

Beyond dedicated software, specific tasks can also be automated. This includes sending initial acknowledgment emails, redacting sensitive information, and generating reports summarizing the provided data.

However, it’s crucial to remember that automation should not entirely replace human involvement. While it significantly improves efficiency and reduces errors, human expertise remains vital in areas like:

• Evaluating the validity and legitimacy of requests.
• Making crucial decisions in complex situations or involving data exemptions.
• Effectively communicating with individuals and providing clear explanations.

By strategically combining automation with human expertise, businesses can create a robust and efficient DSAR response process, ensuring compliance while fostering trust with their customers.