Learn how to effectively respond to Data Subject Access Requests (DSAR) under GDPR, CCPA, and other privacy laws. Discover the do's and don'ts of managing DSARs, the importance of data verification, response timelines, and how Secure Privacy can streamline the process.
You have to respond to data subject access requests. There is no way around them if you want to remain compliant with the General Data Protection Regulation (GDPR) and other privacy laws, such as the California Consumer Privacy Act (CCPA) or the California Privacy Rights Act (CPRA).
Your data subjects have privacy rights. One of these rights is the right to access the personal data that you process.
Users can submit requests about that data, and this article will explain how to respond.
An individual can make a Data Subject Access Request (DSAR) to find out what information a company holds on them. Try a demo for free with Secure Privacy.
A data subject access request is the request that your user submits to get access to their own personal data in your records.
If you collect and process users’ personal data, then you are their data controller. You have it in some of your records, but that data belongs to your users. It is not yours.
As a result, they have data subject rights. One of those rights is the right to access their personal information. They can exercise that right, i.e., access the data by submitting a data subject access request to you.
In your response to the DSAR, you must provide them access to their data.
The data subject is the user from whom you have collected personal data and processed it. Every internet user and every offline user can be a data subject if you collect some personal data from them.
If you have a website that does not collect personal information, your website visitors are not your data subjects. As soon as you collect at least one piece of information that could identify them, they become your data subjects, and you owe them all the data subject rights in the applicable data protection law.
Data subject rights are the data privacy rights you owe to your users. Depending on which privacy regulations apply to you, these rights include any or all of the following:
The right to access grants your user the right to get access to their personal data in your records.
The GDPR, CCPA, LGPD, and other data privacy laws require businesses to be transparent with users about their personal data. You must let your users know what you know about them.
Every internet user from whom you have collected personal data has the right to access the data you have in your records about them.
Anyone can submit a DSAR. This includes your data subjects and internet users who have nothing to do with your business.
Your data subjects can submit a request anytime, and you’ll need to give them access to their personal information. An authorized agent can submit the request on their behalf, following the law.
A person whose personal data you do not process can also submit a data subject request. They can submit it, but you’ll have nothing to give them access to.
No data protection law prescribes the request form.
Data protection laws aim to empower internet users to protect their online privacy rights; therefore, they do not impose barriers such as specific request forms. This means you must respond to a DSAR in whatever form you receive it. You cannot reject a DSAR because of the form in which it was submitted.
Data protection laws do not prescribe a specific DSAR process or workflow. They oblige you to respond without undue delay and within the timeframe specified in the law and to ensure that you provide access to personal data to the right person.
Having that in mind, you can handle the DSAR response process easily by following these steps:
In addition, you can inform the data subject of other data subject rights besides the right to access, such as the right to correct data, transfer data, object to processing, etc. This is not obligatory, but it can help build trust.
The GDPR lists eight types of information that data controllers must make available to data subjects on request:
1. Know your data
Make sure you are aware of:
A smart move is to invest in an automated data discovery and classification solution which can help you respond to a DSAR in an agile way.
2. Clarify the Nature of the Request
When you receive a DSAR, you should do a quick evaluation to determine what the data subject wants to know.
In most cases, data subjects simply want to see all the data you have collected about them, but there may be cases where an individual invokes other GDPR data privacy rights.
For example, the access request may also exercise the GDPR right to correct, whereby the user wants to rectify inaccurate data that you may have collected about them.
One thing to take into account is that such cases also present an opportunity to determine if you can reply to the request within the one-month timeframe.
If you’ll need more time to generate a response, explain this to the subject.
3. Register and authenticate DSARs
For every data access request you receive under the GDPR, you need to log it in a system of record and verify the requester's identity before proceeding to handle it, whether manually or automatically.
4. Provide an easy way for users to submit DSARs
You should provide an online DSAR form on your website, such that data subject access requests are channeled to the right person or department and contain the necessary information.
If you do not have an online DSAR form, you stand the risk of your customers submitting an access request using the wrong contact information or channel.
The problem with this is that the 30-day timer starts counting even though the recipient might not be in charge of anything related to GDPR compliance or DSAR requests.
5. Use secure methods of authentication
You must ensure that every request to access data is made by a legitimate person.
This does not mean you should verify data subject access requests by asking for additional personal information you do not already hold and that itself falls under the scope of the GDPR, such as ID card numbers, passports, or other official documents.
Instead, a good option is to verify the request by asking the person to provide some personal information you already have, for example by asking them to specify which information the request relates to.
6. Review and approve the information
After you obtain the requested information, you need to assess it and make sure it meets DSAR requirements without revealing proprietary information or the personal data of any other data subject.
7. Explain the subject’s rights
At the end of your response, include a section that reminds the subjects of their data privacy rights.
Remind your users that they have the right to object to the processing of their data, can request the rectification of their data, or lodge a GDPR complaint with a Data Protection Authority (DPA).
8. Safely deliver customer information
Your response should be delivered to the consumer securely. If a data breach occurs, it can cost as much as USD 750 for every leaked record.
9. Hire a data protection officer (DPO) if necessary
If you are uncertain about how to handle your DSARs, it is advisable to consult or hire a DPO.
Some companies are obliged to appoint a DPO, especially public authorities, companies that process large volumes of sensitive categories of personal data, and large multinationals that engage in systematic and large-scale monitoring of individuals.
1. Do not violate the 30-day deadline
One of the notable GDPR amendments is the reduction of the time needed to respond to a DSAR request from 40 days to 30 days.
Although you can get an extension of up to 2 months when it is necessary, based on the complexity or number of requests your business receives, the data subject should still get a response within one month.
2. Do not deny a request
You can only deny a request if it falls under one of the two exceptions: the request is manifestly unfounded or excessive.
But, keep in mind that if you deem a DSAR unfounded or excessive, you must provide proof beyond a reasonable doubt.
3. Do not charge a fee
The GDPR makes it clear that you should not charge for, or seek to profit from, handling access requests from data subjects.
In exceptional cases where a fee may be necessary, you can only base it on the real administrative cost of answering the request.
4. Do not fail to inform the consumer about their data subject rights
The GDPR requires you to disclose the rights your users are entitled to and communicate them clearly when you respond to a DSAR.
5. Do not handle data scanning manually
If you have to carry out a manual search for each DSAR, there’s a high risk that you will miss some relevant information or fail to meet the 30-day deadline.
6. Do not deliver a DSAR to the wrong person
If you make a mistake and deliver a data subject access request to the wrong individual, you will be liable for a penalty of up to USD 750 for every piece of data leaked.
Both GDPR DSARs and CCPA DSARs require the steps described above for handling a request you receive.
The differences between the two are that:
With the UK GDPR replacing the EU GDPR as the data protection regime in Britain following Brexit, DSARs are commonly referred to as Subject Access Requests (SARs).
From the ICO's guide for managing SARs, it is evident that the requirements mirror those under the GDPR.
In general, you’ll need to let your user know about the following:
The data subject may request only a portion of this information.
If they specify what they want access to in the request, then provide them access only to such relevant information. For example, if they request access to the categories of personal data you process, that’s all you must provide access to.
As Facebook and other social media sites have done, it is a good idea to give the data subject remote access to your records or a portal where they can easily access their data.
If the resources don’t allow that, give the person a copy of the data in a way that is easy to read and access.
Most data protection laws do not prescribe a method to verify the requester’s identity. The method of choice is left to you.
You should do what is reasonably possible to verify the data subject’s identity. You can opt for methods such as two-step verification of the email address used for the user account, confirming the identity by sending a code to the phone number you have collected from the data subject previously, requiring them to log into the membership portal if you have one, and so on. The best identity verification method depends on the methods you use to collect personal data.
The only law that prescribes a way to verify the requester's identity so far is the CCPA. If you get a CCPA DSAR, there are different steps to take depending on whether the requester has a password-protected account with you or has no account.
It is important to note that if you provide personal data access to a person who does not have the right to access it, you facilitate a data breach. That’s a violation of the law, so it is crucial to ensure you know who you are talking to.
It is up to you to decide how the users can submit their DSARs.
You can provide them with a DSAR portal, a dedicated email address, a toll-free phone number, or your email address for general inquiries.
Also, remember to include the methods for submitting requests in your privacy policy. Every law you need to abide by requires it.
You can refuse to respond to a DSAR in some cases, but that’s an exception to the rule.
In general, you should respond to all DSARs. You can refuse them only in the following cases:
If you decide to turn down a DSAR, you should explain why and give the person the chance to file a complaint.
Every data protection law prescribes a deadline for responding to a DSAR.
GDPR allows 30 days for a response. The LGPD has no specific deadline and requires a response as quickly as reasonably possible.
On the other hand, the CCPA says that you must acknowledge receiving the DSAR within ten days and then give the requested information within 45 days of receiving the request.
The deadline depends on the laws that apply to your relationship with the user. If two laws apply simultaneously, comply with the shortest deadline.
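As an added example (not code from the original article or from Secure Privacy), here is how the logging, identity verification and deadline advice above might be implemented in Python: each request is logged, a one-time code is issued only against a contact already in your records, the code is stored hashed and checked in constant time with capped attempts, and the response and acknowledgement deadlines are derived from the shortest applicable law. The record layout, function names and sample values are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Sequence

# Deadlines as stated in the article: GDPR 30 days to respond; CCPA acknowledge within
# 10 days and respond within 45; LGPD sets no fixed deadline (modelled as None).
RESPONSE_DAYS = {"GDPR": 30, "CCPA": 45, "LGPD": None}
ACK_DAYS = {"CCPA": 10}

def response_deadline(received: str, laws: Sequence[str]) -> Optional[date]:
    """Shortest response deadline among the laws that apply; received is YYYY-MM-DD."""
    days = [RESPONSE_DAYS[law] for law in laws if RESPONSE_DAYS.get(law) is not None]
    return date.fromisoformat(received) + timedelta(days=min(days)) if days else None

def acknowledgement_deadline(received: str, laws: Sequence[str]) -> Optional[date]:
    """Acknowledgement deadline; only the CCPA imposes one on this page."""
    days = [ACK_DAYS[law] for law in laws if law in ACK_DAYS]
    return date.fromisoformat(received) + timedelta(days=min(days)) if days else None

@dataclass
class DsarRecord:
    """One logged request (hypothetical layout); only a hash of the code is kept."""
    request_id: str
    contact_claimed: str   # email the requester typed into the form
    received: str          # YYYY-MM-DD
    verified: bool = False
    attempts: int = 0
    code_hash: bytes = field(default=b"", repr=False)

def issue_code(record: DsarRecord, contact_on_file: Optional[str]) -> Optional[str]:
    """Return a code for the caller to send to the contact already in your records; None if no match."""
    if contact_on_file is None or record.contact_claimed.lower() != contact_on_file.lower():
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    record.code_hash = hashlib.sha256(code.encode()).digest()
    return code

def verify_code(record: DsarRecord, submitted: str, max_attempts: int = 3) -> bool:
    """Constant-time comparison, capped attempts, code invalidated once it succeeds."""
    if not record.code_hash or record.attempts >= max_attempts:
        return False
    record.attempts += 1
    ok = hmac.compare_digest(hashlib.sha256(submitted.encode()).digest(), record.code_hash)
    if ok:
        record.verified, record.code_hash = True, b""
    return ok
```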
Responding to a DSAR is your duty under the data protection laws; therefore, not responding to one or not responding within the deadline violates the law. That will likely cause an enforcement action by the supervisory authority.
Violations of the law lead to penalties. The GDPR prescribes fines of up to 4% of the annual turnover or 20 million EUR, whichever is greater. The LGPD prescribes fines of up to 2% of the annual turnover or 50 million reais (BRL), whichever is greater. The CCPA prescribes a penalty of $7,500 per consumer whose rights have been violated.
Most of the time, you won’t get the maximum fine for not responding correctly to a DSAR, but if you do it often or on a large scale, you can expect the fines to be higher.
Data protection laws require the data controller to respond to the DSAR, but they do not prescribe who within the company responds. It could be anyone from the company. If you are a solo entrepreneur, it would be you. If your company has a Data Protection Officer (DPO), it could be that person.
However, if the resources allow it, it is better to have a designated person respond to DSARs.
DSAR responses should be free of charge.
The only exception is when you respond to an excessive DSAR that is costly for you to answer; in that case you may charge a reasonable fee covering the administrative or other costs of the response. Keep in mind, however, that this is an exception to the rule that the answer should be free of charge for the data subject.
It seems simple and easy to respond to a DSAR, but many businesses are not ready to respond to these requests quickly because they struggle to locate the required data.
When a user submits a DSAR, you have to figure out how to find that user's data and provide access. Responding to a DSAR requires a good understanding of what data you collect and process, where you store it, how you process it, and for what purposes. The deadlines give you enough time to gather the necessary information and respond, but you have to be ready ahead of time and, if needed, have DSAR policies in place.
Secure Privacy helps you address GDPR DSARs with an industry-leading online form that is also compliant with the EU's privacy law, as well as California's CCPA and Brazil's LGPD.
The main benefits of Secure Privacy's DSAR form are:
Furthermore, the Secure Privacy DSAR form is unique in that: