What is DSAR?
Data Subject Access Requests (DSARs) are a common requirement in privacy regulations including the CCPA and GDPR. These regulations provide individuals with the right to request a copy of all information a company has about them, make changes to the information, and even demand its deletion.
An individual who makes a DSAR is entitled to receive a confirmation that you are processing their personal data, a copy of that data, your privacy notice, and supplementary information.
DSARs are not limited to customers; anyone whose personal data you collect — including employees and contractors — has the right to submit one.
DSARs can be grouped according to the right the individual is exercising. The rights most commonly invoked under the GDPR and the CCPA are:
Right of access
Right to data portability
Right to rectification
Right to erasure (GDPR)
Right to request deletion (CCPA)
Right to restriction of processing
Right to object to processing
Right to opt out of the sale or sharing of personal information (CCPA)
Right not to be subject to automated decision-making, including profiling
Individuals do not need to give a reason for submitting a DSAR, and they may do so at any time. The only questions you may put to the requester are those needed to verify their identity and to locate the data they are asking for.
Unless you give people an easy way to submit DSARs, they will use the first company email address they find. An online DSAR form helps ensure that requests reach the right team and contain the information needed to act on them. Bear in mind that under the GDPR a request is valid in whatever form it arrives, so staff who handle inbound email, support tickets and social media should know how to recognise one and where to forward it.
Assign responsibility for keeping a record of every DSAR to a named individual or department. A simple spreadsheet is enough: record the date the request was received, who made it, how their identity was verified, the response deadline, the current status and who is handling it.
Verify the identity of the requester before you respond. Do not ask for data you do not already hold; instead, ask the requester to confirm details you can check against your own records. Keep the verification proportionate to the request: confirming a request made from an authenticated account may need nothing more than the login, while a request for a full copy of someone's records warrants stronger checks than a request to correct an address.
Triage requests by factors such as complexity and the degree of legal or business risk, so that work is prioritised correctly and response deadlines are met.
Collect all records containing the individual's data, together with the supplementary information described above: confirmation that you are processing their personal data, your privacy notice, and any other supplementary information the applicable regulation requires.
Review each response for completeness and accuracy before it goes out, including a check that it does not disclose other people's personal data. You may decide to require sign-off by legal counsel before the response is sent.
Share the response securely and confidentially with the requester, using the contact details you verified rather than an address supplied in an unverified request. Remember that you must respond within the timeframe defined by the applicable regulation: one month of receipt under the GDPR (extendable by up to two further months for complex or numerous requests, provided you tell the requester within the first month), and 45 days under the CCPA (extendable once by a further 45 days with notice to the requester).