All You Need to Know About Data Subject Access Requests (DSARs)
What is a DSAR?
Data Subject Access Requests (DSARs) are a common requirement of privacy regulations including the GDPR and the CCPA (which calls them consumer requests). These regulations give individuals the right to ask for a copy of all personal information a company holds about them, to have that information corrected, and to demand its deletion.
An individual who makes a DSAR is entitled to receive a confirmation that you are processing their personal data, a copy of that data, your privacy notice, and supplementary information.
DSARs are not limited to customers; anyone whose personal data you collect — including employees and contractors — has the right to submit one.
Types of Data Subject Requests
DSARs can be grouped into four categories, according to the rights involved.
- Access Requests
  - The Right of Access
- Portability Requests
  - The Right to Data Portability
- Change Requests
  - The Right to Rectification
  - The Right to Erasure (GDPR)
  - The Right to Delete (CCPA)
- Objection Requests
  - The Right to Restriction of Processing
  - The Right to Object to Data Processing
  - The Right to Opt Out (of the sale or sharing of personal information under the CCPA)
  - The Right to Object to Automated Decision-Making and Profiling
What Should be in a DSAR Response?
Individuals do not need to give a reason for submitting a DSAR, and they may request their data at any time. Organizations may ask questions that confirm the requester's identity or help locate the requested information, but they may not ask the requester to justify the request.
Steps in Handling a DSAR
- Receive the request
- Log the request
- Verify the requester's identity
- Prioritize the request
- Collect the data and supplementary information
- Review the response
- Respond within the deadline
Unless you give your customers an easy way to submit DSARs, they are likely to use the first company email address they find. An online DSAR form helps ensure that requests reach the team responsible for them and contain the information needed to act on them.
Assign responsibility for creating and updating a record of each DSAR to a named individual or department. A spreadsheet or ticketing system that records the date the request was received, the regulation it falls under, its status, the response deadline, and the person handling it is enough to track progress and prove compliance later.
Verify the identity of the person making the request before responding. Do not collect new personal data for this purpose; instead, ask the requester to confirm details you already hold. The verification you demand must be proportionate to the request: a request to erase or disclose sensitive records warrants stronger checks than a request to confirm a newsletter subscription. Sending a response to an unverified requester is itself a data breach, so this step is the one that most needs a hard gate.
Triage requests by complexity and by the degree of legal or business risk involved, so that work is prioritized properly and response deadlines are met.
Collect all records containing the individual's data, along with the following supplementary information:
- Your privacy notice
- A statement of the purposes for which you process the personal data
- The categories of personal data collected
- The recipients (or categories of recipients) with whom you shared the personal data
- How long you hold personal data
- Advice on any additional rights the user has, such as the right to object to processing or the right to request erasure or rectification or to lodge a complaint with a supervisory authority
- Where you obtained the data, if it was not directly from the subject
- The existence of any automated decision-making that took place using the data
- The safeguards you apply when transferring personal data to third parties or to other countries
Review each response for completeness and accuracy. You may decide to require review by legal counsel before sending the response to the requester.
Share the response securely and confidentially with the requester, through the contact channel you verified and with the data encrypted in transit (for example, an encrypted archive or a secure download portal rather than a plain email attachment). Remember that you must respond within the timeframe defined by the applicable regulation: one month from receipt under the GDPR, extendable by up to two further months for complex or numerous requests provided you tell the requester within the first month, and 45 days under the CCPA, extendable once by a further 45 days with notice to the requester.
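The workflow above has two pieces of logic that are easy to get wrong when the log is just a spreadsheet: counting the response deadline correctly for each regulation (a GDPR "month" is a calendar month, not 30 days) and refusing to pull any records before identity has been verified. The following is an added example written for this article, not code from any DSAR product or from the original page. It assumes the statutory windows stated above (GDPR: one month, plus two further months if extended; CCPA: 45 days, plus a further 45 days if extended); the class and function names, and the sample request, are illustrative and constructed.

```python
"""DSAR request log entry with regulation-aware deadlines and a verification gate.

Added example; not code from the original article. The deadline rules encode
GDPR Art. 12(3) (one month, extendable by two further months) and the CCPA
(45 days, extendable once by a further 45 days). Names are illustrative.
"""
import calendar
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Regulation(Enum):
    GDPR = "GDPR"
    CCPA = "CCPA"


class Status(Enum):
    RECEIVED = "received"
    VERIFIED = "identity verified"
    COLLECTING = "collecting data"
    REVIEW = "under review"
    SENT = "sent"


def add_months(start: date, months: int) -> date:
    """Same calendar day `months` later, clamped to the end of the target
    month (31 Jan + 1 month -> 28 or 29 Feb). This is how a calendar-month
    window such as the GDPR's "one month" is normally counted."""
    month_index = start.month - 1 + months
    year, month = start.year + month_index // 12, month_index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def response_deadline(received: date, regulation: Regulation, extended: bool = False) -> date:
    """Statutory response deadline for a request received on `received`."""
    if regulation is Regulation.GDPR:
        return add_months(received, 3 if extended else 1)
    return received + timedelta(days=90 if extended else 45)


@dataclass
class DSARRecord:
    """One row of the DSAR log: who asked, when, under which law, and the current status."""
    request_id: str
    received: date
    regulation: Regulation
    request_type: str            # "access", "portability", "erasure", "objection", ...
    status: Status = Status.RECEIVED
    extended: bool = False
    history: list = field(default_factory=list)   # (old status, new status) transitions

    @property
    def deadline(self) -> date:
        return response_deadline(self.received, self.regulation, self.extended)

    def days_remaining(self, today: date) -> int:
        return (self.deadline - today).days

    def verify_identity(self, supplied: dict, on_file: dict) -> bool:
        """Check details the requester supplied against details already on file.
        Every field in `on_file` must match; nothing new is collected. The
        comparison is constant-time and the result does not say which field failed."""
        ok = True
        for name, expected in on_file.items():
            given = str(supplied.get(name, "")).strip().lower().encode("utf-8")
            ok &= hmac.compare_digest(given, str(expected).strip().lower().encode("utf-8"))
        if ok:
            self._advance(Status.VERIFIED)
        return ok

    def start_collection(self) -> None:
        """The gate that matters: no records are pulled or disclosed before verification."""
        if self.status is not Status.VERIFIED:
            raise PermissionError(f"{self.request_id}: identity not verified")
        self._advance(Status.COLLECTING)

    def _advance(self, new: Status) -> None:
        self.history.append((self.status, new))
        self.status = new


if __name__ == "__main__":
    # Constructed sample request (not real data): received 31 Jan 2024 under the GDPR.
    req = DSARRecord("DSAR-0001", date(2024, 1, 31), Regulation.GDPR, "access")
    print(req.deadline)                                   # 2024-02-29, not 2024-03-01
    print(req.verify_identity({"email": "a@example.com"},
                              {"email": "a@example.com", "postcode": "AB1 2CD"}))  # False
    print(req.verify_identity({"email": "A@example.com", "postcode": "ab1 2cd"},
                              {"email": "a@example.com", "postcode": "AB1 2CD"}))  # True
    req.start_collection()
    print(req.status.value, req.days_remaining(date(2024, 2, 1)))  # collecting data 28
```

The `on_file` dictionary is chosen per request type by whoever triages it, which is where proportionality lives: an access request for marketing preferences might require an email match only, while an erasure request against a financial record would require several fields. Logging the status transitions gives the audit trail a supervisory authority will ask for.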