October 19, 2023

What You Need to Know About Responding to Data Subject Access Requests (DSAR)

Learn how to effectively respond to Data Subject Access Requests (DSAR) under GDPR, CCPA, and other privacy laws. Discover the do's and don'ts of managing DSARs, the importance of data verification, response timelines, and how Secure Privacy can streamline the process.

You have to respond to data subject access requests. There is no way around them if you want to remain compliant with the General Data Protection Regulation (GDPR) and other privacy laws, such as the California Consumer Privacy Act (CCPA) or the California Privacy Rights Act (CPRA).

Your data subjects have privacy rights. One of these rights is the right to access the personal data that you process.

Users can submit requests about that data, and this article will explain how to respond.

What is a Data Subject Access Request (DSAR)?

An individual can make a Data Subject Access Request (DSAR) to find out what information a company holds on them.

A data subject access request is the request that your user submits to get access to their own personal data in your records.

If you collect and process users’ personal data, then you are their data controller. You have it in some of your records, but that data belongs to your users. It is not yours.

As a result, they have data subject rights. One of those rights is the right to access their personal information. They can exercise that right, i.e., access the data by submitting a data subject access request to you.

In your response to the DSAR, you must provide them access to their data.

What is a data subject?

The data subject is the user from whom you have collected and processed personal data. Every internet user, and every offline user too, can be a data subject if you collect some personal data from them.

If you have a website that does not collect personal information, your website visitors are not your data subjects. As soon as you collect at least one piece of information that could identify them, they become your data subjects, and you owe them all the data subject rights in the applicable data protection law.

What are data subject rights?

Data subject rights are the data privacy rights you owe to your users. Depending on which privacy regulations apply to you, these rights include any or all of the following:

  • Right of access
  • Right of erasure (deletion) of personal data
  • Right of rectification
  • Right of data portability
  • Right to know about data collection and data processing
  • Right to know about profiling and automated decision-making
  • Right to restriction of processing
  • Right to object to data processing

What does the ‘right of access’ mean?

The right to access grants your user the right to get access to their personal data in your records.

The GDPR, CCPA, LGPD, and other data privacy laws require businesses to be transparent with users about their personal data. You must let your users know what you know about them.

Every internet user from whom you have collected personal data has the right to access the data you have in your records about them.

Who can submit a DSAR?

Anyone can submit a DSAR. This includes your data subjects and internet users who have nothing to do with your business.

Your data subjects can submit a request anytime, and you’ll need to give them access to their personal information. An authorized agent can submit the request on their behalf, following the law.

A person whose personal data you do not process can also submit a data subject request. They can submit it, but you’ll have nothing to give them access to.

Is there any prescribed form for the DSAR?

No data protection law prescribes the request form.

Data protection laws aim to empower internet users to protect their online privacy rights; therefore, they do not impose barriers such as specific request forms. This means you must respond to a DSAR in whatever manner you receive it. You cannot reject a DSAR because of the form in which it was submitted.

What should I do when I receive a DSAR?

Data protection laws do not prescribe a specific DSAR process or workflow. They oblige you to respond without undue delay and within the timeframe specified in the law and to ensure that you provide access to personal data to the right person.

Having that in mind, you can handle the DSAR response process easily by following these steps:

  1. Verify the identity of the data subject. You are about to hand over someone’s personal data, so you must present the information to the right person. At this stage, you can also provide the data subject with a receipt of the request if that applies to your situation.
  2. Clarify the request. Make sure that what you have received is actually a DSAR. Data subjects can also submit requests to know, to be forgotten, for data transfer, or another type of request. So first, establish what the request is about. If you need more clarification from the data subject, contact them and ask.
  3. Check whether the requester’s data is being processed at all. If the result is negative, inform them that you have not processed any of their data. If the result is positive, proceed to the next step.
  4. Inspect, collect, and package the data. Make sure that it is in a format that is easily accessible and readable for the user.
  5. Provide the data subject with access to their personal data. It is preferable to give the user direct and remote access to their personal data, but if that is not possible in your case or for specific categories of personal data, send a copy to the requester.

In addition, you can inform the data subject of other data subject rights besides the right to access, such as the right to correct data, transfer data, object to processing, etc. This is not obligatory, but it can help build trust.

What Information Should Be Included in a GDPR DSAR?

The GDPR lists eight types of information that data controllers must make available to data subjects on request:

  • The categories of personal data you hold about the data subject.
  • The purposes of collecting their personal data and what you are doing with it.
  • The types of companies you share personal data with and whether any of them are based outside of the EU.
  • How long you plan to store the data subject's information.
  • Their right to complain to a Data Protection Authority, and the specific authority they can use to file a complaint against your company.
  • Whether you make certain automated decisions; your customers should be aware of this. Provide additional information about your decision-making algorithm and the consequences of its decisions.
  • The other categories of personal data that you may be holding about the data subject that you may have obtained from other sources.
  • The other 7 GDPR data subject rights.

What are the do's and don'ts of managing GDPR DSARs?

Do's

1. Know your data

Make sure you are aware of:

  • all the categories of data you collect from users,
  • where it is stored,
  • where it came from,
  • whom you share it with.

A smart move is to invest in an automated data discovery and classification solution which can help you respond to a DSAR in an agile way.

2. Clarify the Nature of the Request

When you receive a DSAR, you should do a quick evaluation to determine what the data subject wants to know.

Mostly, subjects simply want to see all the data you have collected about them, but there may be cases where an individual invokes other GDPR data privacy rights.

For example, the access request may also exercise the GDPR right to rectification, whereby the user wants to correct inaccurate data that you may have collected about them.

Such cases also present an opportunity to determine whether you can reply to the request within the one-month timeframe. If you will need more time to generate a response, explain this to the subject.

3. Register and authenticate DSARs

For every data access request you receive under the GDPR, you need to log it in a system of record and verify the requester before proceeding to handle it, whether manually or automatically.

4. Provide an easy way for users to submit DSARs

You should provide an online DSAR form on your website, so that data subject access requests are channeled to the right person or department and contain the necessary information.

If you do not have an online DSAR form, you run the risk of your customers submitting an access request using the wrong contact information or channel.

The problem is that the 30-day timer starts counting even though the recipient might not be responsible for anything related to GDPR compliance or DSARs.

5. Use secure methods of authentication

You must ensure that every request to access data is made by a legitimate person.

This does not mean you should verify data subject access requests by asking for additional personal information you do not already hold, such as ID card numbers, passports, or other official documents; that information itself falls under the scope of the GDPR.

Instead, a good option is to verify the request by asking the person to provide some personal information you already have, such as asking the individual to specify the information the request relates to.

6. Review and approve the information

After you obtain the requested information, you need to assess it and make sure it meets DSAR requirements without revealing proprietary information or the personal data of any other data subject.

7. Explain the subject’s rights

At the end of your response, include a section that reminds the data subject of their data privacy rights.

Remind your users that they have the right to object to the processing of their data, to request the rectification of their data, or to lodge a GDPR complaint with a Data Protection Authority (DPA).

8. Safely deliver customer information

Your response should be delivered to the consumer securely. If a data breach occurs, it can cost as much as USD 750 for every leaked record.

9. Hire a data protection officer (DPO) if necessary

If you are uncertain about how to handle your DSARs, it is advisable to consult or hire a DPO.

Some companies are obliged to appoint a DPO, especially those that process large volumes of sensitive categories of personal data, such as public authorities and large multinationals that engage in systematic and large-scale monitoring of individuals.

Don'ts

1. Do not violate the 30-day deadline

One of the notable GDPR amendments is the reduction of the time allowed to respond to a DSAR from 40 days to 30 days.

Although you can get an extension of up to 2 months when necessary, based on the complexity or number of requests your business receives, the data subject should still get a response within one month.

2. Do not deny a request

You can only deny a request if it meets one of the two exceptions: it is manifestly unfounded or excessive.

Keep in mind, however, that if you deem a DSAR unfounded or excessive, you must provide proof beyond a reasonable doubt.

3. Do not charge a fee

The GDPR makes it clear that you should not charge for, or seek to profit from, handling access requests from data subjects.

In exceptional cases where a fee may be necessary, you can only base it on the real administrative cost of answering the request.

4. Do not fail to inform the consumer about their data subject rights

The GDPR requires you to disclose the rights your users are entitled to and communicate them clearly when you respond to a DSAR. 

5. Do not handle data scanning manually

If you have to carry out a manual search for each DSAR, there’s a high risk that you will miss some relevant information or fail to meet the 30-day deadline.

6. Do not deliver a DSAR to the wrong person

If you make a mistake and deliver a data subject access request to the wrong individual, you will be liable for a penalty of up to USD 750 for every piece of data leaked. 

How do I respond to a GDPR DSAR or a CCPA DSAR?

GDPR DSARs and CCPA DSARs both require the steps described in the answer to the earlier question about what to do when you receive one.

The differences between the two are that:

  • The CCPA prescribes verification methods for password-protected account holders and non-account holders; the GDPR does not, and
  • Under the GDPR, you have to accept the request no matter the submission method, while under the CCPA, you can put it on hold and guide the user on how to submit it properly.

What does UK GDPR say about DSARs?

With the UK GDPR replacing the EU GDPR as the data protection regime in Britain following Brexit, DSARs are commonly referred to as Subject Access Requests (SARs).

From the ICO's guide to managing SARs, it is evident that the requirements mirror those under the GDPR.

You can learn more about UK Subject Access Requests here.

What should be included in a DSAR response?

In general, you’ll need to let your user know about the following:

  • Whether you process their data or not
  • The categories of personal data about them that you control
  • The purpose of processing
  • How you collect the data
  • With whom you share their personal data

The data subject may request only a portion of this information. 

If they specify what they want access to in the request, then provide them access only to such relevant information. For example, if they request access to the categories of personal data you process, that’s all you must provide access to.

As Facebook and other social media sites have done, it is a good idea to give the data subject remote access to your records or a portal where they can easily access their data.

If the resources don’t allow that, give the person a copy of the data in a way that is easy to read and access.

How to verify the identity of the data subject

Most data protection laws do not prescribe a method to verify the requester’s identity. The method of choice is left to you.

You should do what is reasonably possible to verify the data subject’s identity. You can opt for methods such as two-step verification of the email address used for the user account, confirming the identity by sending a code to the phone number you have collected from the data subject previously, requiring them to log into the membership portal if you have one, and so on. The best identity verification method depends on the methods you use to collect personal data.

The only law that prescribes a way to verify the requester’s identity so far is the CCPA. If you get a CCPA DSAR, the steps to take differ depending on whether the requester has a password-protected account with you or not.

It is important to note that if you provide personal data access to a person who does not have the right to access it, you facilitate a data breach. That’s a violation of the law, so it is crucial to ensure you know who you are talking to.

How can data subjects submit DSARs?

It is up to you to decide how the users can submit their DSARs.

You can provide them with a DSAR portal, a dedicated email address, a toll-free phone number, or your email address for general inquiries.

Also, remember to include the methods for submitting requests in your privacy policy. Whatever law you need to abide by requires it.

Can I refuse to respond to a DSAR?

You can refuse to respond to a DSAR in some cases, but that’s an exception to the rule.

In general, you should respond to all DSARs. You can refuse them only in the following cases:

  • You are unable to identify the requester, or
  • The request is manifestly unfounded or excessive.

If you decide to turn down a DSAR, you should explain why and give the person the chance to file a complaint.

How soon do I have to respond to a DSAR request?

Every data protection law prescribes a deadline for responding to a DSAR.

GDPR allows 30 days for a response. The LGPD has no specific deadline and requires a response as quickly as reasonably possible.

On the other hand, the CCPA says that you must acknowledge receiving the DSAR within ten days and then give the requested information within 45 days of receiving the request.

The deadline depends on the laws that apply to your relationship with the user. If two laws apply simultaneously, comply with the shortest deadline.
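The intake steps listed under “What should I do when I receive a DSAR?”, the verification methods described under “How to verify the identity of the data subject” (a code sent to a contact you already hold), and the shortest-deadline rule above, carried through in Python. This is an added example, not code from the article or from Secure Privacy. Assumptions not in the article: deadlines are counted in calendar days from receipt, the one-time code lives 15 minutes and allows three attempts, and the request ids and contact details are constructed sample data.

```python
"""DSAR intake helper (added example): log the request, verify the requester with a
one-time code sent to a contact already on file, and compute the response deadline
as the shortest deadline among the laws that apply."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable

# Deadlines in days as the article states them; counting calendar days from
# receipt is an assumption of this example.
RESPONSE_DEADLINE_DAYS = {"GDPR": 30, "CCPA": 45}
ACK_DEADLINE_DAYS = {"CCPA": 10}          # the CCPA also wants an acknowledgement
CODE_TTL = timedelta(minutes=15)          # assumed one-time-code lifetime
MAX_ATTEMPTS = 3                          # assumed limit on wrong codes per request


@dataclass
class DsarRequest:
    request_id: str
    received_at: datetime
    applicable_laws: tuple[str, ...]
    contact_on_file: str                  # e-mail or phone already in your records
    verified: bool = False
    audit_log: list[str] = field(default_factory=list)
    code_hash: bytes | None = field(default=None, repr=False)
    code_expires: datetime | None = field(default=None, repr=False)
    attempts: int = 0


def response_deadline(received_at: datetime, laws: tuple[str, ...]) -> datetime:
    """If two laws apply at once, the shortest deadline wins."""
    return received_at + timedelta(days=min(RESPONSE_DEADLINE_DAYS[law] for law in laws))


def ack_deadline(received_at: datetime, laws: tuple[str, ...]) -> datetime | None:
    """Acknowledgement deadline, or None if no applicable law has one."""
    days = [ACK_DEADLINE_DAYS[law] for law in laws if law in ACK_DEADLINE_DAYS]
    return received_at + timedelta(days=min(days)) if days else None


def register_request(req: DsarRequest) -> DsarRequest:
    """Log the request and its deadlines before anything else happens to it."""
    req.audit_log.append(f"received {req.request_id} at {req.received_at.isoformat()}")
    req.audit_log.append(f"respond by {response_deadline(req.received_at, req.applicable_laws).date()}")
    ack = ack_deadline(req.received_at, req.applicable_laws)
    if ack is not None:
        req.audit_log.append(f"acknowledge by {ack.date()}")
    return req


def issue_code(req: DsarRequest, now: datetime, deliver: Callable[[str, str], None]) -> None:
    """Send a one-time code to the contact already on file; only its hash is stored.
    Nothing new is asked of the data subject, so no extra personal data is collected."""
    code = f"{secrets.randbelow(10**6):06d}"
    req.code_hash = hashlib.sha256(code.encode()).digest()
    req.code_expires = now + CODE_TTL
    req.attempts = 0
    deliver(req.contact_on_file, code)
    req.audit_log.append(f"code sent to contact on file at {now.isoformat()}")


def verify_code(req: DsarRequest, submitted: str, now: datetime) -> bool:
    """Accept the requester only if a live, unused code is reproduced in time."""
    if req.code_hash is None or req.code_expires is None or now > req.code_expires:
        req.audit_log.append("verification failed: no live code")
        return False
    if req.attempts >= MAX_ATTEMPTS:
        req.audit_log.append("verification failed: attempt limit reached")
        return False
    req.attempts += 1
    ok = hmac.compare_digest(hashlib.sha256(submitted.encode()).digest(), req.code_hash)
    if ok:
        req.verified = True
        req.code_hash = None              # single use: a replayed code is refused
    req.audit_log.append("verification " + ("succeeded" if ok else "failed: wrong code"))
    return ok


def run_example() -> dict[str, object]:
    """Walk constructed requests through intake and verification; returns what happened."""
    received = datetime(2023, 10, 19, 9, 0, tzinfo=timezone.utc)
    outbox: dict[str, str] = {}               # stands in for your e-mail/SMS gateway

    def deliver(contact: str, code: str) -> None:
        outbox[contact] = code

    req = register_request(DsarRequest("DSAR-0001", received, ("GDPR", "CCPA"), "user@example.com"))
    issue_code(req, received, deliver)
    code = outbox["user@example.com"]
    wrong = "000000" if code != "000000" else "111111"
    results: dict[str, object] = {
        "respond_by": response_deadline(received, req.applicable_laws).date().isoformat(),
        "acknowledge_by": ack_deadline(received, req.applicable_laws).date().isoformat(),
        "gdpr_only_needs_ack": ack_deadline(received, ("GDPR",)) is not None,
        "wrong_code_accepted": verify_code(req, wrong, received + timedelta(minutes=1)),
        "right_code_accepted": verify_code(req, code, received + timedelta(minutes=2)),
        "replay_accepted": verify_code(req, code, received + timedelta(minutes=3)),
    }
    stale = DsarRequest("DSAR-0002", received, ("GDPR",), "+1 555 0100")
    issue_code(stale, received, deliver)
    results["expired_code_accepted"] = verify_code(
        stale, outbox["+1 555 0100"], received + CODE_TTL + timedelta(seconds=1))
    results["audit_log"] = req.audit_log
    return results


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The audit log is the system of record the “Register and authenticate DSARs” point asks for: every deadline, code issuance and verification outcome is written to it, so you can show a supervisory authority when the request arrived and how you confirmed who you were talking to. Because the code goes only to a contact you already hold, the check never asks the requester for documents you would then have to protect as new personal data.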

What happens if I don’t respond to a DSAR request?

Responding to a DSAR is your duty under the data protection laws; therefore, not responding to one or not responding within the deadline violates the law. That will likely cause an enforcement action by the supervisory authority.

Violations of the law lead to penalties. The GDPR prescribes fines of up to 4% of annual turnover or 20 million EUR, whichever is greater. The LGPD prescribes fines of up to 2% of annual turnover or 50 million reais, whichever is greater. The CCPA prescribes a penalty of $7,500 per consumer whose rights have been violated.

Most of the time, you won’t get the maximum fine for not responding correctly to a DSAR, but if you do it often or on a large scale, you can expect the fines to be higher.

Who should respond to a DSAR?

Data protection laws require the data controller to respond to the DSAR, but it doesn’t matter who within the company responds. If you are a solo entrepreneur, it would be you. If your company has a Data Protection Officer (DPO), it could be that person.

However, if the resources allow it, it is better to have a designated person respond to DSARs.

Can I charge a fee for a DSAR response?

DSAR responses should be free of charge.

The only exception is when you respond to an excessive DSAR that incurs high costs for you to reply, allowing you to charge a reasonable fee for the administrative costs or other costs due to the response. Keep in mind, however, that this is an exception to the rule that the answer should be free of charge for the data subject.

What’s the most challenging part of responding to a DSAR?

It seems simple and easy to respond to a DSAR, but many businesses are not ready to respond to these requests quickly because they struggle to find the required data.

When a user submits a DSAR, you have to figure out how to find that user’s data and provide access. Responding to a DSAR requires a good understanding of what data you collect and process, where you store it, how you process it, and for what purposes. Deadlines give you enough time to gather the necessary information and respond, but you have to be ready ahead of time and, if needed, have DSAR policies in place.

How does Secure Privacy help in managing DSARs?

Secure Privacy helps you address GDPR DSARs with an industry-leading online form that is also compliant with the EU’s privacy law, as well as California’s CCPA and Brazil’s LGPD.

The main benefits of Secure Privacy’s DSAR form are:

  • It ensures that your data subject access requests are channeled to the right person or department, which enables a streamlined DSAR process for your business.
  • It guarantees that the DSARs contain the relevant and necessary information to ensure you do not miss the 30-day deadline.

Furthermore, the Secure Privacy DSAR form is unique in that:

  • You can rename the title of the “Data Request Form” tab
  • You can edit the text content on form control elements
  • You can edit or delete a control element on the Data Request form
  • You can modify notification messages for the Data Request form
  • You can enable or disable the Data Request form
  • You can modify the automated emails the Data Request form sends to your customers
