GDPR DSAR: What is a DSAR?
Data Subject Access Requests (DSAR, SAR, or DSR) are requests made by individuals seeking insight into what personal information your organisation holds on them. As the world becomes more privacy-aware, individuals have growing expectations around how the GDPR right of access should work, and they want to know exactly what data your organisation holds on them.
Read on to learn more as we dive into the question of what exactly is a DSAR.
Identifying a Data Subject
Data subjects are any living individuals whose personal data is processed. This includes employees and customers as well as anyone else whose data is collected or processed by an organisation. They can request access by submitting a DSAR; within one month of making the request, they should receive a full overview of the personal data that organisation holds on them, wherever it is stored. A DSAR does not need to mention GDPR explicitly, and it can arrive with any employee (for example, someone in marketing), not only the privacy team.
A Data Subject Access Request (DSAR) is a legal mechanism designed to give individuals access to their data held by businesses under privacy laws. While the process can be complex for businesses with multiple offices and multiple systems in operation, organisations are mandated by law to fulfill DSAR requests swiftly and accurately.
People submit a Data Subject Access Request (DSAR) in order to learn what information a company holds about them, often with an eye towards discovering whether their data was involved in any security breaches or whether its contents are outdated or inaccurate.
Companies are required to provide individuals, upon request, with a copy of the personal data they hold on them together with the categories of that data. They must also disclose the purposes of the processing, any recipients or third parties who have received the data, the lawful basis for processing it, the retention period where possible, and any automated decision-making or profiling carried out with it.
Fulfilling a DSAR can be time-consuming and cumbersome for organisations of any size. For organisations with multiple office locations or extensive global data systems, automating the process can reduce business risk, minimise error rates, and build customer trust. DataGrail’s Privacy Control Centre makes fulfilling a DSAR easier by helping organisations validate incoming requests quickly, so they can deliver secure reports within the required timeline.
Identifying a Data Controller
Under the GDPR right of access (Article 15), individuals have the right to know what data organisations hold on them and why it is processed. Individuals exercising this right are known as “data subjects.”
Responding quickly and within one month presents several operational challenges for businesses.
An organisation must clearly establish who is accountable for responding to and controlling data subject access requests (DSARs); ideally this is the Data Protection Officer (DPO). If your organisation doesn’t have a DPO, assign the role to someone familiar with handling DSARs and other data subject rights requests (DSRs).
Your team must also be able to verify a requester’s identity quickly and without placing an undue burden on them. This works best when both parties cooperate, for instance by the requester supplying the email address or account identifier already on file, so that the response reaches the right person and only that person.
Once identity has been verified, your team should begin fulfilling the request by providing information in an easily digestible format that meets their requirements. They should include information on any legal grounds for processing their personal data as well as any safeguards involved with international transfers; much of this should already be included in the privacy notice issued to each data subject when their personal data was initially collected.
Your team should also be ready to redact or withhold material that the requester is not entitled to, such as internal notes or documents that do not contain their personal data, and personal data relating to another individual.
Under GDPR the first copy must be provided free of charge. A reasonable fee (or a refusal) is only permitted where a request is manifestly unfounded or excessive, or for additional copies, and any such fee must be based on administrative cost rather than being used to deter requests.
Identifying a Data Processor
DSARs enable individuals to discover which companies have collected personal information on them, how it is being used, and with whom it has been shared, empowering them to exercise their other rights under GDPR and take control of their data.
Individuals can submit a DSAR to any business they believe is processing their personal data. They may also ask, as a separate right, that the data be erased. Access requests must normally be answered free of charge within one month of receipt (extendable by a further two months for complex or numerous requests, provided the requester is told why), and where the request was made electronically the data should be supplied in a commonly used electronic format.
DSAR can be a complex process for several reasons. A vast amount of personal data may be spread among various systems, databases, and applications; often this data is unorganised and difficult to access; additionally, it may be hard to pinpoint its rightful subject when shared among multiple departments.
Despite these challenges, organisations should be prepared for requests by creating a team to manage them and ensure compliance. Representatives from every area that handles personal data, including the IT team, system owners, and the legal department, should play key roles on this team. It also helps to work with a privacy technology provider capable of automating workflows and redacting data as appropriate.
Under GDPR and CCPA, businesses must have robust DSAR processes in place to accommodate incoming requests, such as an automated workflow that is triggered when a request arrives; this prevents requests from being overlooked or neglected. An assigned data protection officer should oversee the process and make sure all requirements are fulfilled.
The Data Subject Access Request (DSAR) process can be an intricate undertaking for any business. The threshold for what qualifies as personal data is low, so keeping track of all the personal data an organisation holds can be a difficult challenge. Meeting the tight timelines for responding to DSAR submissions adds further hurdles.
How Can Data Subjects Submit DSAR?
Data subjects have the right to know exactly what personal information a business holds on them, how it is used, and who receives it. Laws like GDPR therefore compel businesses to be transparent and give individuals access to their data; failure to do so can result in regulatory action, negative publicity, loss of goodwill, or even class action suits.
Organisations must comply with these requirements by providing consumers with access to their personal data through any method that is clearly communicated, including writing or email requests. Once again, individuals do not need to use the formal term DSAR when making requests; they can simply ask your organisation what data it holds on them.
Because this is a legal obligation, your organisation must establish an effective process for responding to requests in accordance with data protection law. This should include training employees on the requirements so they can recognise a request when one is made. Also consider designating a person or team responsible for creating and sending responses, so that you can document these communications and demonstrate accountability and compliance.
How to Handle a DSAR
Whenever an organisation collects personal data, it is likely to receive requests from individuals wanting to know what data has been stored about them. Such inquiries, known as Data Subject Access Requests, or DSARs for short, are regulated by privacy laws like GDPR and CCPA that require companies to provide this information upon request. Handling many DSARs at once can become an administrative burden, increasing costs as well as the security and compliance risk for the recipient company.
Depending on your country’s laws, there may be a more formal process for handling Data Subject Access Requests (DSARs); however, it is wise to anticipate people submitting requests through any communication channel, including email, social media, and phone. Everyone on your team therefore needs to understand how to recognise a request and follow the appropriate response steps, including verifying the individual’s identity and searching for and retrieving the relevant information.
Your exact steps for fulfilling a DSAR may differ, but keep these key principles in mind: clarify and verify the nature of a request before fulfilling it, and make use of technology to make fulfilment faster, simpler, and more accurate.
When sending requested data directly to an individual, it is vital that only their personal data is included. Internal memos, records, and other documentation that do not relate to them should not be included in the transmission, and personal data about other people should be redacted.
Next, the data must be delivered in a concise, intelligible, and easily accessible form: use plain text or a commonly used, machine-readable format rather than anything that requires special software to open. Finally, be transparent about fees. Under GDPR the response is free of charge except where a request is manifestly unfounded or excessive, so charging should be the exception rather than the rule.
Document each Data Subject Access Request (DSAR) to demonstrate accountability and compliance with data protection law. Appointing an individual as Data Protection Officer (DPO) to oversee the process ensures responses are accurate and consistent. You should also have a clearly documented procedure for declining requests where data protection law permits it.
Can I submit a DSAR on behalf of Someone Else?
Under GDPR and CCPA, an individual may submit a Data Subject Access Request on their own behalf, or an authorised third party (such as a parent, guardian, solicitor, or someone holding power of attorney) may submit one on their behalf.
In such instances, your responsibility is to verify that the person submitting the request is actually authorised to represent that individual, for example by asking for a signed authorisation, a copy of a birth certificate, custody papers, or power-of-attorney documentation.
How to Respond to a DSAR?
The first step of the DSAR process is authenticating the requester. This may involve confirming the request through a channel already on file or, where reasonable doubt remains, asking for proportionate proof of identity; do not demand more identification than is necessary. After authenticating identity, determine whether the request is valid under the laws that cover the requested data. Requests that are manifestly unfounded or excessive may be refused (or subject to a fee), and your organisation must inform the individual of the refusal, the reasons for it, and their right to complain to the supervisory authority.
Once your team has determined that a DSAR is valid, the third step is to gather the requested information. This may involve working with other departments and individuals within your organisation and making sure the result is in an easily consumable format and is transmitted securely so that the individual’s data is not exposed. Finally, the fourth step is to compile the response and send it directly to the requester.
Individuals may submit a DSAR to any organisation processing their personal data in countries with privacy laws, as well as on behalf of third parties (for example, a parent or guardian submitting on their child’s behalf).