A Data Subject Access Request (DSAR) is a submission by an individual (data subject) to a business asking to know what personal information of theirs has been collected and stored as well as how it is being used. Data subjects can also use a DSAR to ask that certain actions be taken with their data. Action requests may include deleting their data, amendment of incorrect data, or opting out of future data collection.
Let’s jump in and learn:
What is a Data Subject Access Request (DSAR)?
Data Subject Access Request (DSAR) is a term introduced by the General Data Protection Regulation (GDPR). It is now used interchangeably with SAR, IRR, VCR, and SRR. With both the California Consumer Privacy Act (CCPA) and GDPR, businesses should provide clear instructions for how a data subject can submit a DSAR.
GDPR—Recital 63:
a data subject should have the right of access to personal data which have been collected concerning him or her and to exercise that right easily and at reasonable intervals, to be aware of, and verify, the lawfulness of the processing.
CCPA—Title 1.81.5. California Consumer Privacy Act of 2018 (1798.100 C, D):
A business shall provide the information specified in subdivision (a) to a consumer only upon receipt of a verifiable consumer request.
A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section.
While the CCPA’s DSAR requirements are similar to the GDPR’s, there are some differences regarding how a DSAR must be processed. (Note: other privacy laws also have differences that need to be considered.)
Another difference between the GDPR and the CCPA is how a DSAR can be submitted. The GDPR provides only general direction related to methods for submitting a request. Data subjects have the option to make a request either verbally or in writing.
The CCPA provides more specific instructions. Data subjects must be offered at least two ways of submitting a request, one of which must be a toll-free phone number.
Who Can Submit a DSAR?
If a for-profit organization collects personal data, anyone whose data is stored can submit a DSAR. That includes employees, contractors, suppliers, partners, and customers. A request can be submitted by an individual or by someone else acting on that person’s behalf.
DSAR submission has also been turned into a service. With Subject Access Request as a Service (SARaaS) platforms, individuals can get help preparing and submitting a request through an app or a website.
Responding to a DSAR
Businesses must promptly respond to DSAR submissions. That means adhering to the window given to process the DSAR (30 days for GDPR and 45 days for CCPA), as well as other important deadlines.
- Within 10 business days—confirm receipt of the request
- Within 15 business days—respond to opt-out requests
- Within 90 business days—inform third parties to stop selling consumer information
- For two years—maintain logs of requests
DSAR Request Verification
Disclosing personal data to an unauthorized party is itself a data breach, so the requestor’s identity must be verified before anything is released. This can be done in a number of ways, such as using:
- Personal information that has already been collected
- An existing password-protected account
- Third-party verification services
Who Should Respond to the DSAR?
A team should be put in place to oversee DSAR management and ensure that the relevant requirements are met. It is important to have several people involved because of the tight deadlines.
Businesses usually put one of the following people in charge of DSAR management and have that person assemble a team to carry out the work:
- Data protection officer (DPO)
- Controller
- Someone in a comparable role
DSAR Response Process
Businesses must respond to a DSAR in a prescribed amount of time once a submission is received. To do this, a DSAR response process should be put into place. It provides the framework needed to manage responses in an orderly fashion with minimal disruption.
Key considerations for a DSAR response process are:
- Systems for receiving requests
- Identity verification
- Workflows for processing requests
- Data collection, review, and redaction (as needed)
- Delivery formats
- Remediation plans
Refusing to Respond to a DSAR
A business can refuse to respond to a DSAR for certain reasons, including:
- Personal information is not maintained in a searchable, reasonably accessible format.
- Personal information is processed for compliance purposes.
- Personal information is not sold or used for any commercial purposes.
- Personal data is used for law enforcement or safeguarding national security.
- A data subject makes repeated requests in a deliberate manner with the intent to cause disruption.
Responding to Part of a DSAR
When responding to a DSAR, it is only necessary to provide information that qualifies as personal data. Businesses are not required to include every piece of data that mentions or refers to the data subject. For example, internal notes or documents about the person’s order history would not need to be provided.
In addition, a DSAR response can include redacted information. Redaction is used for internal content that is unrelated to, or outside the scope of, the DSAR. Information relating to another person can also be redacted.
How Much Time is Allowed to Respond?
The amount of time allowed to respond to a DSAR varies by regulation. For the GDPR, businesses have 30 days to respond from the time the request is received. The CCPA gives businesses 45 days to respond to a DSAR.
Failing to comply with a DSAR request within these timeframes can lead to fines and other penalties.
Charging a Fee for the DSAR Response
If a DSAR is unfounded or excessive, businesses are allowed to charge a “reasonable fee” to cover administrative costs. A business would be within its rights to charge a fee if the same person asks for the same information multiple times or makes unreasonable requests.
Any charges made must only cover costs. The business may not profit from fees charged for a DSAR response.
DSAR Response Challenges
Challenges that some businesses experience related to DSARs include:
- Low barrier for submission: A DSAR can be submitted by simply making a phone call, at no cost to the data subject
- Limited time to respond: 30 days for the GDPR and 45 days for the CCPA
- Distributed data storage for larger businesses: Live, backup, archival, and data warehouses
- Data stored in a wide array of formats, some unstructured
- Cost to manage the processing of DSAR submissions
Be Ready for a DSAR
The DSAR is a key part of most privacy laws, included to provide transparency so individuals can understand how their personal data is used. While this transparency is beneficial to those individuals, it can pose challenges for businesses.
Because the bar for data to qualify as personal information is low (first name and last name in combination with one other element of identifying information, such as a driver’s license number), many businesses find themselves responding to DSARs. Businesses must be cognizant of what data they collect, store, and use as well as manage where it resides.
Some businesses choose not to store this data or to anonymize it to avoid dealing with the DSAR process. In any case, businesses must be aware of this aspect of privacy laws and have a detailed compliance plan.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 17,000 customers, serving millions of users worldwide.