App Development
6 minute read

DSAR: What You Need to Know About Data Subject Access Requests 

By Jose Gomez

Advanced data processing tools and systems have enabled organizations to collect more personal data and information than ever. However, as organizations collect personal information, they are subject to various data governance policies. 

Today, businesses must comply with a slew of data privacy laws. This often includes processing personal data and responding to data subject access requests. 

This post will explain what a data subject access request (DSAR) is and how your business can prepare to handle the DSAR process as it collects and stores personal data from users.

What Is a Data Subject Access Request (DSAR)?

A data subject access request is a submission by an individual, known as a data subject, to an organization asking what personal data of theirs has been collected and stored, and how it is being used.

A DSAR also allows data subjects to know who else their personal data has been shared with and make specific action requests such as deletion, modification, or opting out of future data collection. 

DSAR is a term most closely associated with the EU's General Data Protection Regulation (GDPR), although subject access rights existed in earlier European data protection law. The same kind of request has since become an essential aspect of other data protection legislation, most notably the California Consumer Privacy Act (CCPA).

DSAR requirements will vary based on the specific legislation and jurisdiction. As a result, organizations should have a data protection officer and a team that handles DSAR petitions. For example, in the United States, policies covering data subject requests vary state-by-state.

Depending on the specific legislation and jurisdiction, data subjects may have the following rights:

  • To access the personal data your organization has collected about them
  • To delete the personal data your organization has collected about them
  • To correct their personal data 
  • To opt out of the sale of their personal data
  • To opt out of personal data processing
  • To port their personal data

The form a data subject request may take depends on the legislation and policies governing a jurisdiction. For example, under GDPR a DSAR is valid whether it is made verbally or in writing, so your staff must be able to recognize one that arrives through any channel, not only a dedicated form.

By contrast, CCPA requires organizations to offer data subjects a minimum of two ways to submit a DSAR, and one of them must generally be a toll-free phone number (a business that operates exclusively online and has a direct relationship with the consumer may instead provide an email address). If you are a multinational business, you must ensure that your operations comply with the differing DSAR requirements of each jurisdiction.

Data Subject Access Request (DSAR) Requirements 

Beyond the general policy differences between GDPR, CCPA, and other laws, each law sets its own rules for which businesses fall within its scope and which types of DSAR petitions they must respond to.

Several factors affect whether your organization must comply with or respond to a DSAR, including:

  • The location of your business operations
  • The size of your business 
  • The type of business 
  • How personal data is utilized in business operations
  • The physical location of stored data
  • The physical location of people whose data is being collected and stored

Your business must understand which laws and regulations apply to it, who can make a data subject access request (DSAR), which personal data actions can be requested, and how long your business has to comply with a DSAR request. 

For example, GDPR gives a data subject the right to restrict processing of their data (for instance, while its accuracy is disputed), whereas the CCPA has no equivalent general right to restrict processing once data has been collected.

Under the CCPA, organizations have 45 days to respond to a DSAR and may extend that period by an additional 45 days when reasonably necessary, provided they notify the consumer. The GDPR requires organizations to respond to a DSAR within one month, which can be extended by up to two further months where requests are complex or numerous; again, the data subject must be told about the extension and the reason for it.

So although both the CCPA and GDPR allow roughly 90 days in total, the initial deadlines and the conditions for extending them differ, and your response process must track each separately. Additionally, the CCPA regulations require that businesses act on opt-out requests within 15 business days of receipt.

Planning for Data Subject Access Request (DSAR) Compliance 

At this point, DSAR compliance likely sounds overwhelming. There are shifting data subject rights, data collection policies, and more. Therefore, formulating a unified DSAR response process is critical.

All policies and DSAR regulations follow a similar path in protecting customer data. However, they often diverge on the specific details of personal data. 

When an access request arrives, your organization must provide the data subject with the personal information it holds about them. As a result, your organization must know what each privacy regulation treats as personal information and document that mapping internally.

It is essential to understand that a DSAR does not require your business to go out and gather new data points about a data subject or to reconstruct data it no longer retains. Instead, it obligates your business to deliver the personal information it already holds about the data subject, wherever that information lives in your systems.

Innovative organizations will link the various definitions of personal information to their internal data processes to create a robust DSAR response. When your organization has a strong DSAR response program, your organization will be able to:

  • Achieve a complete overview of the personal information it collects
  • Scale its DSAR response as legislation and processes change 
  • Make data management processes more efficient 
  • Deliver relevant information efficiently in a structured manner to DSAR requests

It is crucial to confirm a data subject's identity before releasing the personal information your organization holds about them. Releasing someone's data to an impostor is itself a data breach, with the administrative costs and reputational damage that follow. Verification should be proportionate: where possible, verify against identifiers you already hold (for example, by responding only through the account or email address on record) rather than demanding additional identity documents, which collects still more personal data.

You cannot rely entirely on automated tooling to prevent such a breach. Therefore, you should designate at least one person, such as your data protection officer or a member of the DSAR team, who reviews the verification step and approves the release before personal information is delivered.

Final Thoughts 

Data privacy is an essential issue for modern software. As a result, there is a slew of legislation and regulatory policy that your organization must comply with. If you want to know more about DSAR requests and how to ensure your business handles them correctly, reach out to an experienced technical partner like Koombea.
