DSARs are a legal mechanism whereby consumers can demand to access, amend, or erase their data which is held by companies, in accordance with data protection laws.
The European Union’s General Data Protection Regulation (GDPR) provides EU residents and any consumer or individual who interacts with EU organizations the right to access their information. Meanwhile, other data privacy laws such as the California CCPA (to be replaced by CPRA on January 1, 2023) or Brazilian LGPD also provide consumers with such rights to access, rectify, and erase their data. Business organizations who collect and store data often receive DSAR requests from individuals. They are required to address DSARs appropriately to ensure compliance with the data privacy regulations.
DSARs are also commonly referred to as Subject Access Requests (SAR), Data Subject Requests (DSR), or Subject Right Requests (SRR). These abbreviations all mean exactly the same thing: the right for consumers to make a request about their data to companies that process is.
Over time, DSAR and SAR have become the most commonly used terms for data subject requests.
So let’s dive into more detail about what DSARs are and what they mean for companies from a compliance standpoint.
Data subject access requests (DSAR) are simply a request from a person who believes that your organization stores data on them. In legal terms, this person is known as a data subject. Typically, a DSAR asks for a list of all the personal data your company may have stored on the individual.
Companies may receive DSARs at any time and from anyone — whether they have interacted with your business and you hold data on them or not. Businesses and other organizations such as yours are obligated to respond to DSARs with a copy of relevant information you may have on the data subject. If no data is held, the person that has requested their data must also be informed of this.
You may also be required to provide an explanation about all the purposes for which the data is being used or processed. While it is generally good practice to do so upon receipt of a DSAR, some companies require their customers to explicitly request certain information before they provide it.
In terms of EU law, the GDPR sets out the right for individuals to request their data EU-wide. Following the UK’s exit from the Union, the legislation was copied over to the UK to form the UK GDPR.
The GDPR sets out individuals’ right to access their information as per Recital 63 of the GDPR:
A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.
As such, the person (data subject) is able to learn about and can check which of their data is being collected, how this is taking place, and how this information is being handled afterwards.
Companies that are consumer-centric, looking to turn privacy into a competitive advantage, and strive to provide a positive privacy user experience aim to handle DSARs promptly.
DSAR has to be a request to access information, made specifically to receive a copy of the personal data an organization holds on an individual.
Merely a complaint or a general query will not constitute a DSAR.
However, a DSAR does not necessarily have to be formally titled as DSAR (or SAR, DSR, SSR, etc.). Business organizations may receive DSARs informally, yet are required to identify the individual and respond to the request. A request is considered a valid DSAR when it is clear that the individual is asking for their own personal data.
It is worth noting that a DSAR does not have to use specific language or words, neither does the request need to refer to specific laws or be directed to a specific person in your organization. This means that a DSAR can be made through any contact channel, be it verbally or in writing, even through social media.
On some occasions, DSARs may also be made by a third party (for example, a relative or friend) on behalf of the individual. Before responding to such a request, the organization should be satisfied that the third party making the DSAR is entitled to act on behalf of the data subject.
Article 15 of the GDPR sets out the information that individuals may seek from organizations. Broadly speaking, the following information may be sought in the form of a DSAR:
If the information sought falls under one of the categories mentioned above, the organization is obligated to provide the information to the data subject.
There may be cases where your organization may be processing a large amount of information about an individual. In this case, your organization may ask the individual to provide specific details about the information being requested.
The time limit to respond to the DSAR may be paused until you receive clarification from the data subject.
In any case, your organization should supply whatever other specific information that has been sought from you. You may also ask the individual whether they would prefer to have their data provided in hard copy or an electronic format.
You can refuse to provide the data requested if an exemption applies to the case. Specifically, you are not obligated to respond to a DSAR if:
You may also refuse to address a DSAR if it is “manifestly unfounded or excessive”. According to the guidelines, a DSAR can be considered manifestly unfounded when:
If you decide that you will not comply with a DSAR, you must inform the data subject about your reasons for refusal, the individual’s right to complain to their national data protection supervisory authority, and that this person may seek to enforce their data protection rights through the courts.
No, companies can’t generally charge fees for responding to DSARs. However, in case the DSAR is excessive or manifestly unfounded (see definition above), organizations can charge a reasonable fee for the administrative costs involved.
You may also charge a fee if the individual requests further copies of the data within an unreasonably short timespan.
Companies are required by the GDPR to respond to a DSAR within one calendar month from the date of receiving the request.
The short period of 30 days can be challenging for companies to respond to the DSAR. The deadline may be extended to two months if the request is complex or if your organization has received multiple requests from the same individual.
The CCPA is a privacy law, which enhances privacy rights and consumer protection for residents of California in the United States. The California Privacy Rights Act (CPRA) comes into effect in 2023, building on the CCPA. The updates bring the law further in line with the GDPR.
California’s CCPA privacy law affects businesses who operate from California and have clients abroad or in other states. As such, the law affects many companies in the US.
DSARs made under CCPA/CPRA need to be responded to within 45 days.
Brazil’s data protection law — the LGPD — was passed in 2018 and came into effect in 2020. DSAR requests made under the LGPD are required to be responded to in just 15 days. It is hard to imagine the complications and disruptions this is causing and will cause businesses that operate in the country.
With data privacy regulations such as GDPR and CPRA on the rise, handling DSARs poses a significant challenge for organizations. The data protection authority in the UK — the Information Commissioner’s Office — (ICO) found that DSARs were the most frequent form of data protection complaint and that they pose a real challenge for organizations.
A Gartner Security study showed that most organizations fail to deliver swift and precise responses to DSARs. The study reported that around two-thirds of organizations said that it took them two weeks or more to respond to one DSAR. Moreover, a study from Guardum about requests from employees and customers found that satisfying a DSAR costs on average over $5,000.
According to Soveren research responding to customer DSARs can cost up to and around $1,400, which, when coupled with a growing user base, can mean real headaches for your business.
If you fail to comply with a valid DSAR you are breaking data privacy laws. The individual who sent the request may drag your organization to the courts for enforcement of their rights. Data protection authorities are ready to take action against businesses of all sizes which fail to comply with the data protection legislation. On top of fines from the regulators, individuals can seek compensation from your business if you fail to comply with their DSAR.
Responding to DSARs poses a significant challenge for organizations across the globe and requires a thorough understanding of their obligations under data privacy laws. Understanding the basics of DSARs, how your organization should identify them, and the initial steps you need to take before responding to a DSAR is crucial to the success of your business.