For some companies today, complying with DSARs has created a mountain of work and a number of pressing issues that need to be carefully addressed.
A DSAR, or “data subject access request,” is made to an organisation in order to find out what personal data that organisation has collected about an individual and how that data is being used. Under recent data protection regulations in the European Union, U.K., California, and Virginia, companies must honour data subject rights and provide a thorough report on any personal data they possess. Responses to a DSAR must be made within tight deadlines and the penalties for not doing so are steep.
As a sign of just how challenging handling data subject access requests can be, Stephenson Law recently published a blog post titled “DSAR-RRRGH!” The firm began by saying: “DSARs are just one of the legal rights that individuals have under data protection law, but they are probably the request most known for causing the biggest headaches.”
The good news is that regulators have been very clear about the rules for complying with DSARs (although a few grey areas do exist and judgement calls will sometimes need to be made).
Responding to DSARs requires advanced planning, but once the basics are mastered, an organisation can lay out and follow a clear set of steps. In addition, new software tools are making compliance easier.
How to Identify a DSAR
Companies have been scrambling to understand DSARs since 2018, when the European Union’s (E.U.’s) General Data Protection Regulation (GDPR) came into force. GDPR gives people in the E.U. rights over how organisations collect, store, and process their personal data, and it binds not only organisations established in the E.U. but also organisations elsewhere that offer goods or services to, or monitor the behaviour of, people in the E.U. After Brexit, the U.K. retained these protections in UK GDPR, so people in the U.K. have equivalent rights against organisations that are established in the U.K. or that target people there.
The E.U. and U.K. are not alone. California and Virginia have enacted similar sets of rules about data subject rights: the California Consumer Privacy Act and Virginia Consumer Data Protection Act, respectively.
Even companies with no physical presence in the E.U., U.K., California, or Virginia are feeling the effects of data protection regulations. That’s because these laws reach a company that offers goods or services to, or tracks, people in those jurisdictions, subject to each law’s own applicability thresholds (the CCPA and the Virginia act, for example, apply only to businesses above certain revenue or data-volume thresholds).
Although many DSARs are written communications, such as letters, they don’t have to be. DSARs can also arrive in the form of emails, phone calls, and even via websites, social media channels, or chat boxes.
With DSARs, individuals usually request all the personal information a business has collected about them. In some cases, DSARs ask only for certain specifics, such as:
- How long will my personal data be stored?
- Which third parties are storing my data?
- How did you obtain my data?
- How is my data being used in profiling or decision-making?
The Role of a Data Protection Officer (DPO)
Growing numbers of companies have appointed a Data Protection Officer, or DPO; under GDPR some organisations, such as public authorities and those whose core activities involve large-scale monitoring of individuals or large-scale processing of special-category data, are required to have one. A DPO ensures that DSARs don’t fall through the cracks and expose the organisation to fines for non-compliance.
DPOs should establish and oversee a formal process for the efficient handling of all DSARs. For instance, it’s important to register requests and then log them into a record system. For tasks like this, data-protection compliance software can be an enormous help.
Even with the right software, a DPO cannot successfully manage all DSARs without help from the broader employee base. Because DSARs can be submitted several ways, including by phone or through social media channels, receptionists, mailroom staff, and the communications and social media teams must all be trained to recognise these requests and route them to the DPO promptly, since the statutory clock starts when the organisation receives the request, not when the DPO sees it.
The Response Timeline
Under GDPR and UK GDPR, companies must respond to a DSAR without undue delay and at the latest within one month of receiving it (Article 12(3)). The ICO counts the day of receipt as day one and the deadline as the corresponding calendar date in the following month, so a request received on 3 March is due by 3 April. Under CCPA, the deadline is longer: 45 days.
Failing to respond in a timely fashion opens a company to significant fines and regulatory penalties. It can also harm your reputation.
If a request is complex, or an individual has submitted several requests, extensions are allowed. Under GDPR, a company can extend the deadline by up to two further months, but it must tell the data subject within the original one month and explain why the extension is needed. Under CCPA, the 45-day period can be extended once by a further 45 days where reasonably necessary, again with notice to the consumer within the first 45 days. Volume of data alone is a weak justification; document the complexity that actually drives the delay.
Seven Steps for Processing a DSAR
Step One: Verify the subject’s identity. In certain instances, an individual can submit a DSAR on behalf of someone else, as when a parent or guardian asks for information about a child or when a solicitor submits a DSAR for a client. In situations like this, it’s important to verify that the person submitting a DSAR on behalf of another individual has the authority to do so. Supporting evidence might include a birth certificate, a power of attorney, or a signed letter of authority from the client. Verification should be proportionate: ask only for what is reasonably needed to confirm identity, and don’t demand formal ID from someone whose identity you already know (for example, a current employee writing from their work account).
Verification is essential so organisations don’t commit data breaches by sending personal information to the wrong individuals.
Step Two: Clarify what a DSAR is asking you to provide. Review the DSAR to determine what the individual wants to know and whether that falls within his or her data subject rights. Doing so will help determine whether there are considerations that would make responding take longer than usual and an extension should be requested.
Step Three: Retrieve and review data. Depending on the nature of your business, personal data may be found in a number of different places. At a minimum, you’ll want to search the data subject’s personal file (if one exists), any emails between the subject and the company, and any official records for the subject, including financial statements.
Gathering information often means searching through a number of different systems, from the company’s central database to emails, internal chats, and paper documents stored in filing cabinets.
In some cases—and especially if you have processed a particularly large amount of information about a given individual—you may want to ask a data subject to specify the kinds of information that the request relates to.
Step Four: Package data for the individual. After a subject’s personal data has been gathered, an organisation must review the data. The goal is to meet the requirements of the DSAR without revealing proprietary information, or data that belongs to other subjects.
The way that most companies make sure they are not harming themselves or others with what they disclose is through redaction, or obscuring parts of a text.
Redaction must be done carefully. Section 173 of the U.K.’s Data Protection Act 2018 makes it an offence to alter, deface, block, erase, destroy or conceal information with the intention of preventing its disclosure to a person entitled to receive it. Redaction should therefore remove only third parties’ data and genuinely exempt material, never information the requester is entitled to see, and the reason for each redaction should be recorded so the decision can be defended later.
Step Five: Take all appropriate actions. A data subject may request that errors be corrected. According to the U.K.’s Information Commissioner’s Office (ICO), an organisation should take “reasonable steps to investigate whether the data is accurate, and should be able to demonstrate it has done so.” In addition, an organisation should confirm it has corrected any errors in the data, or should explain why it will not make corrections.
Organisations may also be asked to delete personal data (erasure). Note the difference in strength between these rights: the ICO describes the right to object to direct marketing as “an absolute right”, whereas erasure requests and other objections can be refused where the organisation can demonstrate compelling legitimate grounds, or another lawful basis such as a legal obligation, for continuing to process the data.
Whenever an organisation corrects, deletes, or restricts data, it must also tell each recipient to which it disclosed the subject’s personal data about the change, unless that proves impossible or involves disproportionate effort, and it must tell the subject who those recipients are if asked.
Step Six: Explain the individual’s rights. Along with the personal data, it’s a good idea to send a statement reminding individuals of their data subject rights. This statement should include the right to lodge a complaint with a supervisory authority, the right to rectify data (or correct errors), and the right to object to data processing.
Step Seven: Send a formal response to the DSAR. Once you’ve collected the necessary data and completed all redactions, you’ll want to draft a formal response. Linkilaw Solicitors notes that while there’s no required format for providing a subject with personal data, “companies should ensure that they provide the requester with an easily accessible file.”
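Tying the seven steps together, here is an added worked example that is not code from the article, the firms it quotes, or any vendor product. It calculates the statutory deadline (using the ICO’s calendar-month reading for GDPR and a flat 45 days for CCPA), pulls a subject’s records out of two constructed “systems”, redacts known third parties’ names and email addresses, and keeps an audit trail of every action. The source names, field names, and the `[REDACTED]` placeholder are hypothetical; all sample data is constructed.

```python
"""Minimal DSAR workflow helper: statutory deadline, retrieval across several
constructed 'systems', redaction of other people's data, and an audit trail.
Added worked example for this article; not code from the article, the firms
it quotes, or any vendor product. Sources, field names and the [REDACTED]
placeholder are hypothetical; all sample data is constructed."""
from calendar import monthrange
from datetime import date, timedelta

# Constructed sample systems: a CRM export and a support-mailbox export.
CRM = [
    {"id": 17, "name": "Ada Okafor", "email": "ada@example.org", "plan": "pro"},
    {"id": 18, "name": "Ben Lau", "email": "ben@example.org", "plan": "free"},
]
MAILBOX = [
    {"from": "ada@example.org", "to": "support@example.com",
     "body": "Hi, please cc my colleague Ben Lau (ben@example.org) on this."},
    {"from": "ben@example.org", "to": "support@example.com",
     "body": "Unrelated ticket from Ben."},
]


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic in the ICO's sense: the corresponding date in
    a later month, or that month's last day if it is shorter (31 Jan -> 29 Feb)."""
    year = d.year + (d.month - 1 + months) // 12
    month = (d.month - 1 + months) % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def deadline(received: date, regime: str, extended: bool = False) -> date:
    """Latest lawful response date. GDPR / UK GDPR: one month from receipt,
    extendable by two further months (Art. 12(3)). CCPA: 45 days, extendable
    once by a further 45 days. The day of receipt counts as day one."""
    if regime in ("GDPR", "UK GDPR"):
        return add_months(received, 3 if extended else 1)
    if regime == "CCPA":
        return received + timedelta(days=90 if extended else 45)
    raise ValueError(f"unknown regime: {regime!r}")


def retrieve(subject_email: str) -> list:
    """Step Three: pull every record that references the subject from each
    source, tagging where it came from. Ben's own ticket is not returned."""
    hits = [dict(source="crm", **r) for r in CRM if r["email"] == subject_email]
    hits += [dict(source="mailbox", **m) for m in MAILBOX
             if subject_email in (m["from"], m["to"]) or subject_email in m["body"]]
    return hits


def redact(record: dict, subject_email: str, audit: list) -> dict:
    """Step Four: copy the record with other data subjects' names and email
    addresses replaced, logging each redaction so it can be justified later.
    Only identifiers of known third parties are touched; the requester's own
    data and the company's addresses are left intact."""
    others = [(p["name"], p["email"]) for p in CRM if p["email"] != subject_email]
    out = {}
    for field, value in record.items():
        if isinstance(value, str):
            for name, email in others:
                for token in (email, name):
                    if token in value:
                        value = value.replace(token, "[REDACTED]")
                        audit.append({"action": "redact", "field": field,
                                      "reason": f"third-party data of {email}"})
        out[field] = value
    return out


def process_dsar(subject_email: str, received: date, regime: str) -> dict:
    """Run the retrieval and redaction steps and return the package plus an
    audit trail recording what was done and when the response is due."""
    due = deadline(received, regime)
    audit = [{"action": "received", "regime": regime, "due": due.isoformat()}]
    records = retrieve(subject_email)
    audit.append({"action": "retrieved", "count": len(records)})
    package = [redact(r, subject_email, audit) for r in records]
    audit.append({"action": "packaged", "count": len(package)})
    return {"due": due, "records": package, "audit": audit}


if __name__ == "__main__":
    result = process_dsar("ada@example.org", date(2024, 1, 31), "GDPR")
    print("due:", result["due"])
    for rec in result["records"]:
        print(rec)
    for entry in result["audit"]:
        print(entry)
```

Two design points matter in practice. Redaction here only removes identifiers of third parties the organisation already knows about; free text can name people who appear in no system, so a human still has to read the package before it goes out. And the audit list is appended to, never rewritten, so that if the requester later complains about a redaction, the record shows exactly which field was changed and why.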
Refusing a DSAR
Companies can refuse to respond to DSARs that are manifestly unfounded or excessive, but the bar for refusal should be kept high: it is the organisation, not the requester, that has to demonstrate that a request qualifies, and it must still tell the individual why it is refusing and that they can complain to the regulator.
Organisations can, for instance, choose not to comply when a demand for information is excessive. This generally happens when a DSAR asks for information beyond the scope of a subject’s personal data – or when a data subject makes repeated, unreasonable requests for information. If an individual were to submit 50 requests in a month, for instance, a company would not necessarily need to process all 50.
When determining what’s reasonable, context matters. It may be considered excessive to request monthly information from a small local business but not from a global marketer.
Experts advise organisations to be cautious about refusing a DSAR as unfounded or excessive. If you are not completely certain that you can defend your decision in a courtroom, it’s generally best not to refuse a data subject access request.
Conclusion: New Solutions for Handling DSARs
Technology has been a tremendous boon when it comes to responding to data subject access requests. Discovery tools can search structured and unstructured stores for a subject’s identifiers and surface the results for review. Redaction tooling reduces the chance of disclosing another person’s data, but its output still needs a human check: an automated pass that misses a third party’s details causes a breach, and one that over-redacts withholds information the requester is entitled to.
Leading tools will also record everything from how DSARs are identified to how they’re processed and what final responses were sent. Having a comprehensive audit trail can save both time and money.
Responding to DSARs is no simple feat, and it is growing more complicated as the number of data requests increases. Leveraging automation software to streamline the internal handling of these requests is therefore more important than ever.