What You Need to Know About Responding to Data Subject Access Requests

You have to respond to data subject access requests. There is no way around them if you want to remain compliant with the General Data Protection Regulation (GDPR) and other privacy laws, such as the California Consumer Privacy Act(CCPA) or the California Privacy Rights Act (CPRA).

Your data subjects have privacy rights. One of these rights is the right of access the personal data that you process.

Users can submit requests about that data, and this article will explain how to respond.

What is a Data Subject Access Request (DSAR)?

An individual can make a Data Subject Access Request (DSAR) to find out what information a company holds on them. Try a demo for free with Secure Privacy.

A data subject access request is the request that your user submits to get access to their own personal data in your records.

If you collect and process users’ personal data, then you are their data controller. You have it in some of your records, but that data belongs to your users. It is not yours.

As a result, they have data subject rights. One of those rights is the right to access their personal information. They can exercise that right, i.e., access the data by submitting a data subject access request to you.

In your response to the DSAR, you must provide them access to their data.

What is a data subject?

The data subject is the user from whom you have collected personal data and processed it. Every internet user and every offline user can be data subjects if you order some personal data from them.

If you have a website that does not collect personal information, your website visitors are not your data subjects. When you order at least one piece of information that could identify them, they become your data subjects. You owe them all the data subject rights in the applicable data protection law.

What are data subject rights?

Data subject rights are the data privacy rights you owe to your users. Depending on which privacy regulations apply to you, these rights include any or all of the following:

• Right of access
• Right of erasure (deletion) of personal data
• Right of rectification
• Right of data portability
• Right to know about data collection and data processing
• Right to know about profiling and automated decision-making
• Right to restriction of processing
• Right to object to data processing
  

What does the ‘right of access’ mean?

The right to access grants your user the right to get access to their personal data in your records.

The GDPR, CCPA, LGPD, and other data privacy laws require businesses to be transparent with users about their personal data. You must let your users know what you know about them.

Every internet user from whom you have collected personal data has the right to access the data you have in your records about them.

Who can submit a DSAR?

Anyone can submit a DSAR. This includes your data subjects and internet users who have nothing to do with your business.

Your data subjects can submit a request anytime, and you’ll need to give them access to their personal information. An authorized agent can submit the request on their behalf, following the law.

A person whose personal data you do not process can also submit a data subject request. They can submit it, but you’ll have nothing to give them access to.

Is there any prescribed form for the DSAR?

No data protection law prescribes the request form.

Data protection laws aim to empower internet users to protect their online privacy rights; therefore, they do not impose barriers such as specific request forms. This means you must respond in whatever manner you receive a DSAR. You must accept a DSAR due to the form in which it has been submitted.

What should I do when I receive a DSAR?

Data protection laws do not prescribe a specific DSAR process or workflow. They oblige you to respond without undue delay and within the timeframe specified in the law and to ensure that you provide access to personal data to the right person.

Having that in mind, you can handle the DSAR response process easily by following these steps:

1. Verify the identity of the data subject. You are about to access someone’s personal data, so you must present the information to the right person. At this stage, you can also provide the data subject with a receipt of the request if applicable to your situation.
2. Clarify the request. Make sure that you have received a DSAR. Data subjects can also submit requests to know, to be forgotten, for data transfer, or another type of request. So first, could you clarify what the request is about? If you need more clarifications from the data subject, please contact them and ask questions.
3. Check to see if the requester’s data is being processed at all. If the result is negative, you’ll inform them that you have not processed any of their data. If the result is positive, proceed to the next step.
4. Inspect, collect, and package the data. Make sure that it is in a format that is easily accessible and readable for the user. 
5. Provide the data subject with access to their personal data. It is preferable to give the user direct and remote access to their personal data, but if that is not possible in your case or for the specific categories of personal data, send a copy to the requester.

In addition, you can inform the data subject of other data subject rights besides the right to access, such as the right to correct data, transfer data, object to processing, etc. This is not obligatory, but it can help build trust.

How do I respond to a GDPR DSAR or a CCPA DSAR?

GDPR DSARs and CCPA DSARs require the steps described in answer to the previous question about what to do when you receive one.

The differences between the two are that:

• The CCPA has prescribed verification methods for password-protected account holders and non-account holders; the GDPR has not, and
• Under the GDPR compliance, you have to receive the request no matter the submission method, while under the CCPA, you can put it on hold and guide the user on how to submit it properly.
  

What should be included in a DSAR response?

In general, you’ll need to let your user know about the following:

• Whether you process their data or not
• The categories of personal data about them that you control
• The purpose of processing
• How you collect the data
• With whom you share their personal data

The data subject may request only a portion of this information. 

If they specify what they want access to in the request, then provide them access only to such relevant information. For example, if they request access to the categories of personal data you process, that’s all you must provide access to.

As Facebook and other social media sites have done, it is a good idea to give the data subject remote access to your records or a portal where they can easily access their data.

If the resources don’t allow that, give the person a copy of the data in a way that is easy to read and access.

How to verify the identity of the data subject

Most data protection laws do not prescribe a method to verify the requester’s identity. The method of choice is left to you.

You should do what is reasonably possible to verify the data subject’s identity. You can opt for methods such as two-step verification of the email address used for the user account, confirming the identity by sending a code to the phone number you have collected from the data subject previously, requiring them to log into the membership portal if you have one, and so on. The best identity verification method depends on the methods you use to collect personal data.

The only law that prescribes a way to verify the requester’s identity so far is the CCPA. If you get a CCPA DSAR, there are different steps to take depending on whether you have a password-protected account or don’t have an account.

It is important to note that if you provide personal data access to a person who does not have the right to access it, you facilitate a data breach. That’s a violation of the law, so it is crucial to ensure you know who you are talking to.

How can data subjects submit DSARs?

It is up to you to decide how the users can submit their DSARs.

You can provide them with a DSAR portal, a dedicated email address, a toll-free phone number, or your email address for general inquiries.

Also, remember to include the methods for submitting requests in your privacy policy. Whatever law you need to abide by requires it.

Can I refuse to respond to a DSAR?

You can refuse to respond to a DSAR in some cases, but that’s an exception to the rule.

In general, you should respond to all DSARs. You can refuse them only in the following cases:

• You are unable to identify the requester, or
• The request is unfounded and excessive.

If you decide to turn down a DSAR, you should explain why and give the person the chance to file a complaint.

How soon do I have to respond to a DSAR request?

Every data protection law prescribes a deadline for responding to a DSAR.

GDPR allows 30 days for a response. The LGPD has no specific deadline and requires a response as quickly as reasonably possible.

On the other hand, the CCPA says that you must acknowledge receiving the DSAR within ten days and then give the requested information within 45 days of receiving the request.

The deadline depends on the laws that apply to your relationship with the user. If two laws apply simultaneously, comply with the shortest deadline.

What happens if I don’t respond to a DSAR request?

Responding to a DSAR is your duty under the data protection laws; therefore, not responding to one or not responding within the deadline violates the law. That will likely cause an enforcement action by the supervisory authority.

Violations of the law lead to penalties. GDPR prescribes fines of up to 4% of the annual turnover or 20 million EUR, whichever is greater. LGPD prescribes fines of up to 2% of the annual turnover or 50 million Reales, whichever is greater. The CCPA prescribes a penalty of $7,500 per consumer whose rights have been violated.

Most of the time, you won’t get the maximum fine for not responding correctly to a DSAR, but if you do it often or on a large scale, you can expect the fines to be higher.

Who should respond to a DSAR?

Data protection laws require the data controller to respond to the DSAR, but it doesn’t matter who responds. It could be anyone from the company. If you are a solo entrepreneur, it would be you. It could be that person if your company has a Data Protection Officer (DPO).

However, if the resources allow it, it is better to have a designated person respond to DSARs.

Can I charge a fee for a DSAR response?

DSAR responses should be free of charge.

The only exception is when you respond to an excessive DSAR that incurs high costs for you to reply, allowing you to charge a reasonable fee for the administrative costs or other costs due to the response. Keep in mind, however, that this is an exception to the rule that the answer should be free of charge for the data subject.

What’s the most challenging part of responding to a DSAR?

It seems simple and easy to respond to a DSAR, but many businesses need more time to be ready to respond to these requests quickly because they need help finding the required data.

A user submits a DSAR and has to figure out how to find that user’s data and provide access. Responding to a DSAR requires a good understanding of what data you collect and process, where you store it, how you process it, and for what purposes. Deadlines give you enough time to gather the necessary information and respond, but you have to be ready ahead of time and, if needed, have some DSAR policies in place.

How to comply with the GDPR, CCPA, and LGPD DSAR requirements with Secure Privacy

Secure Privacy DSAR portal helps you receive DSARs and manage to respond to requests.

Only one failure to respond to a DSAR properly leads to a violation of the law and possibly a fine. You must prepare to respond to DSARs long before receiving the first one.