DSARs (also known as data subject access requests and consumer privacy requests) are at the heart of GDPR and similar privacy laws. Companies are required to fulfil these requests within specific time frames or face fines and reputational risk.
A DSAR is any request for a copy of an individual’s personal information. Depending on the law, this could include anything that can be used to identify them. To effectively fulfil a DSAR, you must have a full understanding of the personal data your company holds—in hard copies, digital files, user accounts and payment services.
What Is A DSAR?
Under the GDPR, consumers are able to submit a data subject request to get a copy of their personal information that a company has on file. Depending on the law and the individual, they may also request deletion of their data from your system.
These requests are typically submitted through email or a designated form on your website, though in some cases individuals contact companies more informally through social media or direct mail. Companies are obligated to respond to these requests within 30 days, although they can request an extension of up to two months, provided they inform the consumer why.
Who Can Make A DSAR?
A GDPR DSAR is a request made by an individual, known as a data subject, who wants to find out what information you have about them. The law gives them a right to know how their personal information is being used and who it is shared with.
Individuals can make a request through any contact channel, whether it be a phone call, email or even a social media post. Often, they will be making the request on behalf of another person, such as a family member or friend. In this case, your organisation is required to check that they are indeed authorised to request information on behalf of the data subject before releasing anything to them.
The Benefits Of GDPR DSAR
Your consumer’s personal data belongs to them, and they should have control over how you use that data. That’s the principle behind GDPR and CCPA legislation, which requires companies to honour requests from individual consumers, known as data subjects, for access to their personal data.
When a consumer submits a request, you have 30 days to respond to it—or face fines and regulatory action. That’s why it’s important to offer an easy way for consumers to submit DSARs and monitor all communication channels to ensure no requests are missed.
Using automated software that scans your data repositories, classifies sensitive content and documents, and tags them with the appropriate classification can make this much easier.
DSARs often trigger other data protection rights such as rectification, or the right to be forgotten, which is why fulfilling a DSAR is a crucial step in maintaining compliance with GDPR and other privacy laws. Not responding to a DSAR before the 30-day deadline could open you up to fines or other penalties depending on your jurisdiction’s data protection law.
To comply with a DSAR, you must be able to identify the personal information that is held on a requestor and provide it in a common format. This will require searching hard copies, digital files, user accounts and more across departments within your organisation.
Data protection laws make it clear that individuals have the right to request a copy of all personal information your company holds on them (known as “data subject access requests” or DSARs). If you don’t comply with a DSAR, you risk fines from data privacy authorities. In addition, the individual who made the request can bring legal action against your business.
Responding to a DSAR requires a thorough search of hard copies, digital files, systems, user accounts, payment services, and more. It’s also necessary to verify the identity of the person making the DSAR before releasing anything, since disclosing personal data to the wrong requester is itself a data breach. This step alone can be time-consuming and laborious, especially if it’s manual.
Whether a consumer or an employee, your data subject can make a DSAR to see what information you have about them. Often, they want to know how their data is used and where it goes. This kind of transparency can improve brand trust and customer satisfaction by building confidence that a business is using their data ethically.
The law requires that you respond to a DSAR within one month, or notify the individual that you need an extension. You have to inform the individual if you will need more time to fulfil their request and explain why. A delay in responding to a DSAR can lead to fines and penalties, as well as reputational damage.
What Should A Company Know Before Responding?
As a business, you must have a detailed compliance plan for handling requests under data protection laws. This includes procedures for identifying a DSAR, authenticating the individual’s identity, and providing them with a copy of their personal information, your privacy notice and any supplementary information you hold on them.
Depending on the law, you may also be allowed to charge a fee for processing a DSAR. However, you must always inform the individual if a fee is being charged, why it is being charged, and how much it will be.
What Should A Company Do In Response To A DSAR?
As a company, you should respond to a DSAR within the time frame established by law. Failure to do so can result in fines from data protection authorities and lawsuits from consumers.
Start by confirming that the request is valid, then authenticate the individual’s identity and clarify their request. Determine whether they are seeking access, deletion, or rectification of personal information. Only then conduct a thorough search of your hard copies, digital files, user accounts, payment services and more to find all the personal information you hold about the individual in question.
You should only charge a reasonable fee to complete a request, and that fee should be based on the administrative costs of gathering the requested information. You should also keep a record of your internal activities and provide the individual with a copy of the full response.