DSAR response template: how to use
DSARs are data subject access requests that your customers send you to learn about what data you collect and store on them. Responding to them with one calendar month is a requirement of the GDPR and can be challenging for many organizations. We have created a DSAR response template to help you streamline your DSAR workflow and speed up the whole process. Learn how to complete the template in this article.
Download the template
If you haven’t yet downloaded the template, do so by clicking the button below.
The first page you land on when opening the DSAR response template is the General settings. Enter your name, the organization on behalf of which you are completing the response and the completion date.
In the spreadsheet below, you can tune the template’s dropdown lists to your needs. Look at each column and add, replace, or remove in accordance with your organization’s data collection and storage practices.
For example, should your organization use data for other reasons than specified in the Processing purpose column, modify the fields as you require. The same goes for which systems you use to process customer data: adapt the fields to apply to the locations which are in line with your practices. The legal bases are taken straight from the legislation, so these shouldn’t need modification.
As for Retention, please consult your retention schedule or policy to learn how long you keep customer data for and for what purposes. This should be properly documented and the time periods for different data vary per organization.
Once you have set the general settings for your organization, it is recommended to save them so that they are ready for each response you make as the data subject requests come in.
Once you have the settings ready, you can move on to completing the response. Should you receive a DSAR, you have one calendar month to respond. The template provides you with a great framework and starting point for doing so, while it also presents the client data in an accessible, concise, and intelligible format, as required by the authorities.
The DSAR response template will be individual for each of your customers. For each data point you collect and store, enter in the value in the column provided. You can add or delete any rows of data types which you don’t process.
When you are happy that you have entered all of the data values you store in the template, you can move on to indicating the source of the data points. Delete any unnecessary rows for data which you do not process.
The source of the data point refers to how you came to process this piece of data. We provide you with a list of the most frequent sources:
- Directly from the subject
- Via marketing activities
- Via a third party
Directly from the subject is when your customer shares their data with you in a variety of situations, such as upon performance of a contract or leaving their details in a contact form.
However, you may have received client data through marketing activities, whereby you advertise something and receive customer details in exchange. This may be a banner that leads to your website and you collect the details of the redirect and user location.
Another way you can receive customer personal data is from third parties. This can take place when you purchase a database in order to launch a marketing campaign.
Processing purpose for personal data
The reason that you use the data for is listed as the processing purpose. In the template you are provided with six different purposes:
- Customer support
- Legal risk management
- Sales and marketing
- Human resources (HR)
Accounting purposes are those where you use the data to process some kind of payment. This could be a billing address to satisfy a contract.
While providing your customers with support, you will likely process some of their data, such as their name, email address, or other contact details.
Legal risk management relates to how you process and store data in line with different laws. For example, there are different laws which mandate the storage of certain financial data for a specific period of time for audits which may take place.
Profiling relates to how you categorize consumers into different buckets and is generally associated with marketing purposes. However, profiling may also be used to generate automated decisions which may have an impact on your customers. For example, you may offer different services or prices to different customers and for this you may use age data to profile customers.
Sales and marketing purposes for processing personal data are pretty self explanatory: you use the data to market and sell to customers. For example, you may process email addresses to send out newsletters: this would be an example of processing data for marketing and sales purposes.
If you employ staff, you will need to process their personal data and this falls under the HR purpose for collection and storage. Furthermore, any information you receive from people wanting to join your organization would also fall into this category.
It is important to note that you may use consumer personal data for several reasons. If this is the case, add a row beneath each data point and indicate the additional purpose.
Legal basis for processing personal data
Data protection legislation such as the GDPR specifies six legal bases for processing personal data:
- Legal obligation
- Vital interest
- Public task
- Legitimate interest
In addition to these bases, there are separate bases for what is termed “special category data”. This is information, for example, about health or political views which is classified as especially sensitive.
The bases for processing special category data are:
- Legal obligation
- Vital interests
- Legitimate activity
- Publicized by the subject
- Judicial purpose
- Public interest
- Medical diagnosis
- Public health
- Archiving purposes
You can read more about the different legal bases for processing personal data in our data mapping article. Creating a data map is best practice and is strongly advised. It will also help you when completing DSAR responses since you will know where to find customer data.
Data retention periods are tricky business in data protection as there is no single set of rules that you need to follow. Instead, you need to set your policies in line with the proportionality of the usage. For example, if you collect someone’s email address for marketing purposes, you need to consider how frequently you will use this data and for how long you will store it. Harvesting up data and storing it forever goes against GDPR data minimization principles.
Use your data retention policy to guide you when filling in the length of time during which you store the customer data. If you’ve already created a data map, use this to fill in the fields. If you don’t have a data retention policy, you need to get started on one as this is a must have.
In the DSAR response template, we have offered a range of suggestions which you can use. Feel free to edit them on the settings page to tailor them to your organization’s requirements.
Third parties data is shared with
You need to inform the individual (data subject) who asked for their data via a DSAR about the different organizations you share their data with. This part of the template is left open for you to indicate because who you share data with outside of your organization will be specific and individual to where you work.
Knowing the geographic location of where your organization stores consumer personal data is really important. You may use a range of different software services which process data on your behalf. Many of these services are located in the USA and this should be taken into account along with other third countries which you transfer data to.
Again, amend the settings page and adapt the fields to cater to your organization’s practices.
Once you have filled in the DSAR response, you will need to take some short steps before sending it. Delete the disclaimer and instructions at the top, in addition to replacing the Soveren branding with that of your organization (bottom of the file) so as not to confuse the individual that requested their data. Then we recommend that you save this DSAR response sheet of the file as a PDF to send to the individual.
Double check the PDF to make sure that everything is correct and saved properly.
In the message that you send to the data subject, you also need to explain their rights to lodge a complaint. When you have done so, you are ready to attach the PDF and send the DSAR response to the individual.