What is Data Subject Access Request?

Natasha Murphy
Read time: 4 min | Updated on October 4, 2022

Data Subject Access Request

A Data Subject Access Request (DSAR) is a formal request sent to an organization by an individual who wishes to find out what personal data the organization holds about them, and how that data is being used.

The individual (the data subject) can also ask for their data to be corrected, for example if it is inaccurate or out of date.

They can also object to further processing of their data. In most cases, the request is sent by the data subject themselves. However, under certain conditions, a third party such as a parent, guardian, family member, legal advisor, or even a friend can make the request on the subject's behalf, provided the organization can confirm that the third party is authorized to act for the subject.

Individuals can submit a DSAR free of charge. Data controllers may only charge a reasonable fee, based on their administrative costs, where a request is manifestly unfounded or excessive, for example when the same subject submits repeated requests in a short period.

Which Data Privacy Regulations Include DSARs?

The most notable data privacy regulations that include DSARs are the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). However, there are some subtle differences between these regulations relating to the way DSARs are handled. For example, under the CCPA, organizations must disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request from a consumer.

Under the CCPA, individuals can also request that their data be deleted, although this right applies only to personal information that was collected from the consumer themselves, not to information obtained from third parties.

Under the GDPR, organizations must respond to DSARs within one month of receiving a request (extendable by a further two months where requests are complex or numerous, provided the subject is told within the first month). Individuals can request the erasure of all data that relates to them, regardless of how it was collected, subject to the exemptions set out in Article 17 (for example, data the controller must keep to meet a legal obligation).

How to Respond to Data Subject Access Requests

If you have appointed a data protection officer (DPO), they will normally act as the point of contact for data subjects and oversee how DSARs are handled. Otherwise, you will need to assign a member of the security or privacy team to respond to DSARs. Organizations should keep a tamper-evident record of every request and of the actions taken on it, and they must verify the identity of the requester before processing the request. Identity verification matters for security as well as compliance: a DSAR is an attractive social-engineering vector, because an impostor who is accepted as the subject receives a neatly packaged copy of the victim's personal data. Verification can be done through either:

Knowledge-based authentication

Ask a series of questions about the individual's relationship with your organization, such as how they use your services, how long they have been a customer, and other details only the genuine subject is likely to know. Avoid questions whose answers are publicly available or easily obtained (date of birth, address history), and do not collect more personal data for verification than the request itself requires.

User login credentials / MFA

The subject can either log in to a portal and make the request from there, or the request can be sent from a verified email address already associated with the subject's account. You can also send a one-time passcode to the subject's phone number or email address and ask them to enter it to prove their identity. The passcode must go to a contact address that is already on file, never to one supplied in the request itself, and it should be short-lived, single-use, and limited to a handful of attempts. Note that SMS codes can be intercepted through SIM-swap fraud, so where the data is sensitive, prefer the portal login with MFA.
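The following is an added example, not code from the original article or from the Lepide platform, showing how the two controls described above might be implemented in a DSAR intake service: a one-time passcode that is stored only as a salted hash, expires, locks after too many attempts and can be used once; and a hash-chained request log in which any later alteration of an earlier entry is detectable. The names (`issue_otp`, `verify_otp`, `append_event`, `verify_log`), the 10-minute validity and the 5-attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

OTP_TTL_SECONDS = 600   # assumed policy: a code is valid for 10 minutes
MAX_ATTEMPTS = 5        # assumed policy: lock the challenge after 5 wrong guesses
GENESIS = "0" * 64      # chain head for an empty log


def _digest(salt_hex, code):
    # Salted hash, so a leaked challenge record does not reveal the code.
    return hashlib.sha256(bytes.fromhex(salt_hex) + code.encode()).hexdigest()


def issue_otp(request_id, now=None):
    """Create a one-time code for a DSAR. Returns (code, challenge).
    Only the challenge (salted hash, expiry, counters) is persisted; the
    plaintext code is sent out of band to the contact address already on file."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"          # six decimal digits, zero-padded
    salt_hex = secrets.token_bytes(16).hex()
    challenge = {
        "request_id": request_id,
        "salt": salt_hex,
        "digest": _digest(salt_hex, code),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
        "used": False,
    }
    return code, challenge


def verify_otp(challenge, submitted, now=None):
    """Check a submitted code. Rejects expired, exhausted or already-used
    challenges before doing any comparison, and compares in constant time."""
    now = time.time() if now is None else now
    if challenge["used"] or challenge["attempts"] >= MAX_ATTEMPTS or now > challenge["expires"]:
        return False
    challenge["attempts"] += 1
    ok = hmac.compare_digest(_digest(challenge["salt"], submitted), challenge["digest"])
    if ok:
        challenge["used"] = True   # single use: a replayed code fails
    return ok


def append_event(log, event):
    """Append a DSAR lifecycle event (dict) to a hash-chained log.
    Each entry commits to the previous entry's hash, so editing or deleting
    an earlier entry breaks every hash after it."""
    prev = log[-1]["hash"] if log else GENESIS
    body = json.dumps(event, sort_keys=True)
    entry = {"prev": prev, "event": event,
             "hash": hashlib.sha256((prev + body).encode()).hexdigest()}
    log.append(entry)
    return entry


def verify_log(log):
    """Recompute the chain from the genesis value; False if any entry was altered."""
    prev = GENESIS
    for entry in log:
        body = json.dumps(entry["event"], sort_keys=True)
        if entry["prev"] != prev or entry["hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    # Constructed walk-through of one request.
    log = []
    append_event(log, {"request_id": "DSAR-0001", "action": "received", "channel": "portal"})
    code, challenge = issue_otp("DSAR-0001")
    print("code sent out of band:", code)
    print("verified:", verify_otp(challenge, code))
    append_event(log, {"request_id": "DSAR-0001", "action": "identity_verified"})
    print("log intact:", verify_log(log))
```

The chain only makes tampering detectable, not impossible: whoever can rewrite the whole file can recompute every hash. To get a genuinely tamper-evident record, periodically write the latest entry hash somewhere the DSAR handlers cannot modify, such as a write-once log store or a separately controlled ticketing system, and compare against it when auditing.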

In order to be able to respond to DSARs in a fast and efficient manner, data controllers must know exactly what PII they store, and where it is located.

While it is theoretically possible to discover and classify PII manually, most companies will use an automated solution that scans all repositories, whether on-premises or cloud-based, and discovers and classifies data in accordance with the relevant compliance requirements.

If your data is classified properly, you should be able to retrieve all of the PII associated with a subject from their verified identifiers, such as their customer ID or the email address on their account. A name alone is not a reliable key: two customers can share one, and returning the wrong person's records in a DSAR response is itself a data breach. Once you have retrieved the information, you will need to check that the export meets the DSAR requirements. In particular, it must not include PII or other sensitive information belonging to other data subjects, which commonly hides in free-text fields such as support notes and must be redacted or reviewed before release.
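The following is an added example, not code from the original article or from the Lepide platform, illustrating the two checks just described: selecting records by a verified identifier rather than by name, and masking other people's email addresses that appear inside free-text fields while flagging those records for human review. The sample records, the `subject_id` key and the function `collect_for_subject` are constructed for illustration and are not real personal data.

```python
import copy
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
REDACTED = "[REDACTED: third-party email]"

# Constructed sample store. Two different customers share the name "Jane Doe";
# only subject_id (the account key the requester was verified against) is reliable.
RECORDS = [
    {"id": 1, "subject_id": "C-1001", "name": "Jane Doe", "email": "jane.doe@example.com",
     "note": "Prefers contact by email."},
    {"id": 2, "subject_id": "C-1002", "name": "Jane Doe", "email": "jane.doe@example.org",
     "note": "Unrelated customer with the same name."},
    {"id": 3, "subject_id": "C-1001", "name": "Jane Doe", "email": "jane.doe@example.com",
     "note": "Referred by bob.smith@example.com; call back requested."},
]


def collect_for_subject(records, subject_id, subject_email, free_text_fields=("note",)):
    """Build the export for one DSAR.

    Returns (export, needs_review): the subject's records, with any email address
    other than the subject's own masked in the listed free-text fields, and the ids
    of records where masking happened so a reviewer can check for other third-party
    data (names, phone numbers) the regex does not catch."""
    export, needs_review = [], []
    for rec in records:
        if rec["subject_id"] != subject_id:      # never select by name alone
            continue
        rec = copy.deepcopy(rec)                 # do not mutate the source store
        for field in free_text_fields:
            others = [e for e in EMAIL_RE.findall(rec[field])
                      if e.lower() != subject_email.lower()]
            for other in others:
                rec[field] = rec[field].replace(other, REDACTED)
            if others and rec["id"] not in needs_review:
                needs_review.append(rec["id"])
        export.append(rec)
    return export, needs_review


if __name__ == "__main__":
    export, flags = collect_for_subject(RECORDS, "C-1001", "jane.doe@example.com")
    for rec in export:
        print(rec)
    print("records needing manual review:", flags)
```

Regex-based masking is a first pass, not a substitute for review: it catches structured identifiers such as email addresses but not a colleague's name written in a note, which is why the function returns the ids that were touched rather than silently declaring the export clean.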

Finally, you will need to deliver the data to the subject in a way that is secure and easy to access, for example through the authenticated portal they used to make the request or as an encrypted file, rather than as an unprotected email attachment.

What Needs to be Included in a DSAR Response?

The organization must first confirm whether it processes the personal data of the requesting subject. If it does, it must provide a copy of that data and explain why and how it is processed, including the purposes of processing, the categories of data involved, the source of the data if it was not collected from the subject, who it has been or will be shared with, and how long it will be retained. The response should also set out the subject's other rights (rectification, erasure, restriction, objection, and complaint to a supervisory authority) and give clear information about any automated decision-making or profiling that involves the subject's data, including the logic involved and its likely consequences.

If you’d like to see how the Lepide Data Security Platform can help you respond to a DSAR, schedule a demo with one of our engineers.

Natasha Murphy

Natasha is a dedicated customer success advocate, helping Lepide customers to get the most out of their solutions.
