Data Subject Access Requests: Do's and Don’ts in Handling GDPR DSARs
Data Subject Access Requests (DSARs) are one of the less-talked-about GDPR requirements, but failure to handle them correctly could land your company in trouble.
Data Subject Access Requests (DSARs) are one of the less talked about GDPR requirements, but failure to handle them correctly could land your company in trouble.
By enforcing the GDPR in May 2018, the EU sought to address the growing concern about the inappropriate use of personal data by businesses by giving the public more control over their information that is collected online.
This control came in the form of requiring you to guarantee users their data subject rights, which are;
- The right to be informed about the data you collect, how you use it, how long you keep it, and if you intend to share it with 3rd parties
- The right to access a copy of any personal data you hold about them
- The right to correct any information you hold about them in case it is either inaccurate or incomplete
- The right to delete any personal data you hold about them in specific circumstances
- The right to limit the processing of their data
- The right to data portability whereby they can obtain and use the information they have shared with you through either consent or in the performance of a contract
- The right to object to the processing of personal data that you collect from them based on legitimate interests or in the interest of the official authority
- The right to reject automated decision-making including profiling if they deem your processing to be illegal.
You can learn more about GDPR Data Subject Rights here
In this article, the focus is on the Right of Access, and how to best handle a GDPR Data Subject Access Request.
Table of Contents
- What is a GDPR DSAR?
- Who is a data subject?
- What is personal data under the GDPR?
- Who is a GDPR data controller?
- What information can a data subject request under the GDPR?
- What are the Do's and Don'ts of Managing GDPR Data Subject Access Requests?
- What Information should be included in a GDPR DSAR response?
- What is the time limit of responding to a GDPR DSAR?
- What does the UK GDPR say about DSARs?
- How does Secure Privacy help in managing DSARs?
- How to enable the Secure Privacy’s Data Request Form
What is a GDPR DSAR?
A GDPR data subject access request is the mechanism through which your users can contact your company and ask you to disclose what kind of personal data you have collected about them, how you use it, or which third parties have access to it.
Who is a Data Subject?
According to the GDPR, any natural person that can be identified from the personal information they share with your business is a data subject.
What is Personal Data under the GDPR?
The GDPR defines personal data as any information you can use to identify a natural living person. It could be;
- A phone number
- A credit card number
- Email address
- Bank account details
- IP address
- A person’s preferences or habits.
Learn more about GDPR and how to make your website GDPR compliant with our comprehensive guide.
Who is a GDPR Data Controller?
Article 4 of the EU’s data protection law defines a data controller as any entity that decides why and the means of processing personal data.
What Information can a Data Subject Request under the GDPR?
The Right of Access applies to personal data. If you receive a Data Subject Access Request, you need to disclose the categories of information you have collected about the user, how you plan to use this information, and who you share it with.
What are the Do's and Don'ts of Managing GDPR Data Subject Access Requests?
1. Know your data
Make sure you are aware of;
- all the categories of data you collect from users,
- where it is stored,
- where it came from,
- whom you share it with
A smart move is to invest in an automated data discovery and classification solution which can help you respond to a DSAR in an agile way.
2. Clarify the Nature of the Request
When you receive a DSAR, you should do a quick evaluation to determine what the data subject wants to know.
Mostly, subjects simply want to see all the data you have collected about them, but there may be cases where an individual may invoke other GDPR data privacy rights.
For example, the access request may also exercise the GDPR right to correct, whereby the user wants to rectify inaccurate data that you may have collected about them.
One thing to take into account is that such cases also present an opportunity to determine if you can reply to the request within the one-month timeframe.
If you’ll need more time to generate a response, explain this to the subject.
3. Register and authenticate DSARs
For every data access request you receive under the GDPR, you need to log it in a system of records, verify the user, before proceeding to handle it, whether manually or automatically.
4. Provide an easy way for users to submit DSARs
You should provide an online DSAR form on your website, such that data subject access requests are channeled to the right person or department and contain the necessary information.
If you do not have an online DSAR form, you stand the risk of your customers submitting an access request using the wrong contact information or channel.
The problem with this is that the 30-day timer starts counting although the recipient might not be in charge of anything related to GDPR compliance or DSAR requests.
5. Use secure methods of authentication
You must ensure that every request to access data is made by a legitimate person.
But this does not mean you verify data subject access requests by asking for more personal information you don’t already have that may fall under the scope of the GDPR, such as ID card numbers, passports, or other official documents.
Instead, a good option is to verify the request by asking the person to provide some personal information you already have, such as requesting the individual to specify the information the request relates to.
6. Review and approve the information:
After you obtain the requested information, you need to assess it and make sure it meets DSAR requirements without revealing proprietary information or the personal data of any other data subject.
7. Explain the Subject’s Rights
At the end of your response, include a section that reminds the subjects of their data privacy rights.
Remind your users that they have the right to object to the processing of their data, can request the rectification of their data, or lodge a GDPR complaint with a Data Protection Authority (DPA).
8. Safely deliver customer information
Your response should be delivered to the consumer securely. If a data breach occurs, it can cost as much as $750 for every leaked record.
9. Hire a data protection officer (DPO) if necessary
If you are uncertain about how to handle your DSARs, it is advisable to consult or hire a DPO.
Some companies are obliged to appoint a DPO, especially those that process large volumes of sensitive categories of personal data such as public authorities, and large multinationals that engage in systematic and large-scale monitoring of individuals.
1. Do not violate the 30-day deadline
One of the notable GDPR amendments is the reduction of the time needed to respond to a DSAR request from 40 days to 30 days.
Although you can get an extension of up to 2 months when it is necessary, determined on the basis of the complexity or number of requests that a business receives, the data subject should still get a response within one month.
2. Do not deny a request
You can only deny a request if you feel the request meets one of the two exceptions: manifestly unfounded or excessive.
But, keep in mind that if you deem a DSAR unfounded or excessive, you must provide proof beyond a reasonable doubt.
3. Do not Charge a Fee
The GDPR makes it clear that you should not put a cost or seek to profit off handling access requests from data subjects.
In exceptional cases where a fee may be necessary, you can only base it on the real administrative cost of answering the request.
4. Do not fail to inform the consumer about their data subject rights
The GDPR requires you to disclose the rights your users are entitled to and communicate them clearly when you respond to a DSAR.
5. Do not handle data scanning manually
If you have to carry out a manual search for each DSAR, there’s a high risk that you will miss some relevant information or fail to meet the 30-day deadline.
6. Do not deliver a DSAR to the wrong person
If you make a mistake and deliver a data subject access request to the wrong individual, you will be liable for a penalty of up to $750 for every piece of data leaked.
What Information Should be Included in a GDPR DSAR?
The GDPR lists eight types of information that data controllers must make available to data subjects on request:
- the categories of personal data do you hold about the data subject.
- The purposes of collecting their personal data and what you are doing with it.
- The types of companies you share personal data with and whether any of them are based outside of the EU.
- How long you plan to store the data subject's information
- Inform the data subject of their right to complain to a Data Protection Authority, and inform them of the specific one they can use to file a complaint against your company.
- If you make certain automated decisions, your customers should be aware of this. Provide additional information about your decision-making algorithm, and the consequences of its decisions.
- The other categories of personal data that you may be holding about the data subject that you may have obtained from other sources.
- Inform them about the other 7 GDPR data subject rights
What is the Time-Limit of Responding to a GDPR DSAR?
Unlike the CCPA, which gives a 45-day window to respond to a DSAR, you have 30 days to respond to a subject access request under the General Data Protection Regulation. If you get a request on April 15th, you must respond by May 15th.
What does UK GDPR say about DSARs?
From the ICOs guide for managing SARs, it is evident that the requirements mirror those under the GDPR.
You can learn more about UK Subject Access Requests here
How Does Secure Privacy Help in Managing DSARs?
The main benefits of Secure Privacy’s DSAR form are;
- It ensures that your data subject access requests are channeled to the right person or department, which enables a streamlined DSAR process for your business.
- It guarantees that the DSARs contain the relevant and necessary information to ensure you do not miss the 30-day deadline.
Furthermore, The Secure Privacy DSAR form is unique in that;
- you can rename the title of the “Data Request Form” tab
- You can edit the text content on form control elements
- you can edit/delete a control element on the Data Request form
- You can modify notification messages for the Data Request form
- You can enable/disable the Data Request form
- You can modify automated emails of the Data Request form to your customers
How to Enable the Secure Privacy Data Request Form
- Login into your Secure Privacy account, select GDPR/CCPA/LGPD accordingly on the left sidebar.
- Click the “Data request form” link, you will be shown the “Edit Text” tab.
- Click on the “Settings” link to access configurable parameters for your Data Request form.
- The “Enable Data request form” switch enables/disables the Data Request form for your domain.
- The “Verify users email” parameter ensures that a user has to verify email first to confirm identity.
- “Send data request emails to” sets the email address of a person within your company that processes Data Export/Removal/Other requests.
- Click the green “Save” button to apply the changes made.
If you receive a Data Subject Access Request or better yet are reviewing ways to best protect your business when you next receive DSARs, book a 30-min call to discuss how we can solve your concerns for you with our specialized service.
Alternatively, you can sign up for your Secure Privacy free trial and discover for yourself how the tool works.
This article keeps track of the new CPRA regulations passed by the California AG. In the first part, we’ll briefly overview the existing regulations. The proposed regulations follow. Finally, we’ll provide a brief overview of all the regulations that could be expected in the next few years.
The Data Protection and Digital Information Bill: Data Privacy Reform in the UK Government
The introduction of Bill 143 to the House of Commons on July 18, 2022, follows the UK Government’s consultation in September 2021. The consultation detailed the UK Government’s proposed reforms to the UK’s data protection regime following Brexit and is a big step towards achieving the planned reform of the UK's data protection framework, with many significant proposed changes for companies to be aware of. To get started, here are some key provisions to consider about this new data protection legislation.
CPRA Guide | Full Text Summary
If you need to comply with the CCPA, you must also comply with the California Privacy Rights Act (CPRA). Here we have the full text of the CPRA. California legislature bodies have written it in legalese, of course, but we added notes at the beginning of each section to help you understand what that specific section is about.