What is a DSAR? DSAR, which stands for data subject access request, is part of the General Data Protection Regulation (GDPR) privacy law. The provision gives employees and consumers (i.e., persons) the right to know what personal information companies have on them, and how this information will be used. Below, discover what a data subject rights request looks like and how to process a DSAR.
What is a Data Subject Asset Request?
A DSAR is what a person submits to discover what information a company or organization (i.e., business) has on him or her.
The GDPR gives persons the right to privacy. Recital 63 specifically states that persons must be able "to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing."
Likewise, the California Consumer Privacy Act (CCPA) establishes "the right of Californians to access their personal information" in Section 2.
Usually, persons ask for all the personal information a business has on them. In some cases, they may ask for only specifics, such as:
- How long you will store their data
- With which third parties their data is stored
- How you obtained their data
- How their data is used in profiling or decision-making
Persons can submit a DSAR at any time, and they do not need a reason to do so. Businesses are not allowed to challenge the request. They are allowed to ask clarifying questions to verify the identity of the person or for ease in retrieving the information asked for under the DSAR.
Most DSAR requests come from the individual whose data is stored by a business, but there are some other use cases to note. One is when a party asks for another party's information. An example is a parent or guardian asking for information about his or her child that a business may store or a lawyer asking for information about a client.
A second is when an individual who is not a person submits a DSAR. This includes requests from employees, prospective employees, donors, contractors, and other stakeholders whose data a business may possess.
By establishing the person's right and the ease of the request, these laws increase transparency. That said, they also create extra compliance work for your business.
How to Handle a DSAR Request
Interestingly, businesses do not need to respond to every single DSAR request. They can refuse to do so if they believe the person's request is excessive. For example, if an individual were to submit 50 requests in a month, they would not need to process all fifty.
They can refuse to do so if the request is unfounded — e.g., if there is a reasonable belief that the person will use the data to make false claims against the company.
In all other cases, DSAR compliance is required. What does this look like? Businesses are expected to reply to DSARs within one month of their receipt. If the DSAR is complicated and this would not be viable, it is OK to tack on two more months to comply, provided you notify the person. If a business does not reply in any way within 40 days, it could be fined or face penalties from regulators.
Many businesses find the most streamlined approach for handing a CCPA access request or GDPR access request is to appoint a single individual designed to address these requests. The data protection officer (DPO) will vet the validity of the request and respond.
Steps for Processing a DSAR
Here is how the DPO should process a DSAR.
- Verify the subject's identity: First, verify the identity to determine the request is legitimate. Sending a person's data to the wrong individual is considered a data breach, so this step is crucial.
- Clarify the DSAR: Review the DSAR to determine what the person wants to know. This will help determine if the request is straightforward or if any other considerations would make it take longer. At this point, the DPO should be able to decide if the request will take longer than one month to satisfy, so he or she can notify the person within the appropriate time frame.
- Retrieve and review data: Retrieve the data, then review it. Some DPOs like to add context explaining why they keep information. At a minimum, make sure no other person's information is mixed with the data.
- Package data for the person: Convert the internal business data into a format the person can review. Double-check that this is comprehensive and no asked-for data has been omitted.
- Explain the person's rights: Along with the business data, send a statement reminding persons of their data privacy rights. This includes the right to lodge a complaint with an authority, the right to rectify their data (or correct errors), and the right to object to data processing.
- Send back the data: Conclude the DSAR by sending the data back to the person. Best practices are to use a secure system that gives the person data access and to document everything in writing. This creates an audit trail in case there are any compliance issues raised.
Challenges and Solutions for Dealing With DSARs
The right automation software scans for the necessary personal data then reviews it for accuracy. It allows the data of other persons to be redacted, so there is no data breach.
Compliance is important from an ethical and regulatory standpoint. It's the right thing to do to take these requests seriously and process them quickly. Regulators will issue fines even to small businesses for noncompliance, and they won't accept excuses such as, "I didn't know I had to do this." Leverage automation software to get in compliance with DSAR and streamline internal handling of these requests.