DSARs: how to deal with them
A DSAR (data subject access request) is a request in which an individual exercises their right to access the personal data an organization holds about them. Once a DSAR is received, your organization has a legal duty to respond: confirm whether you process the person's data, provide a copy of it, and explain how and why it is processed. This article outlines how to handle DSARs so as to comply with data privacy laws such as the GDPR.
DSAR response mechanism
When responding to a DSAR, aim to respond in the same medium in which the request was made. Under GDPR Article 15(3), where the request is made by electronic means, and unless the individual asks otherwise, the information must be provided in a commonly used electronic form. In practice, if you receive a DSAR by email, respond by email or through a secure portal, and protect the copy itself (an encrypted attachment rather than plain files), since it is a bulk export of personal data.
However, where the individual asks to receive the response in a particular way, for example by post, you should comply unless doing so would be unreasonable or impracticable.
The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means.
Recital 59 of GDPR
Where the individual makes the request verbally, your organization needs a mechanism to record it (who asked, when, and for what). While handling verbal requests, always confirm with the individual that you have understood the request correctly, and follow up in writing summarizing what you understood.
What information to provide?
When responding to a DSAR, you only need to provide the individual's personal data, meaning information that relates to them as an identified or identifiable person. Note that "identifiable" includes indirect identification: a record that contains no name but can be linked to the person through an account ID, email address or similar is still their personal data. Information that merely mentions the individual in passing but is not about them (for example, an internal document in which they are named as a contact) may fall outside the scope, but treat borderline cases cautiously. Alongside the copy, Article 15(1) requires you to state the purposes of the processing, the categories of data, the recipients, the retention period (or the criteria used to set it), the source of the data if it was not collected from the individual, and whether automated decision-making, including profiling, is used.
Any information outside the scope of the request should be redacted. Redacting third-party data also prevents a personal data breach: under Article 15(4) the right to obtain a copy must not adversely affect the rights of others, so remove personal data about other people unless it is reasonable to disclose it (for example, with their consent). Commercially confidential information and trade secrets may also be withheld (Recital 63). For example, if the data subject's billing records are stored alongside the name of the accounting firm your organization uses, you can and should redact the firm's name. Keep a note of what was redacted and why, since the individual may challenge it.
Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
GDPR Article 4(12)
Overall, the information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language (Article 12(1)). In other words, deliver the data in a format that any person can open and understand, not a raw database dump full of internal codes and abbreviations; where internal codes are unavoidable, include a key explaining them.
Responsibility for handling responses
Ideally, your organization should designate a data protection officer (DPO) who oversees how DSARs are handled and acts as the contact point for data subjects. Whether you are legally required to appoint a DPO does not depend on company size as such: under GDPR Article 37 it is mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. Outside those cases it is voluntary, but still advisable.
For small and medium enterprises (SMEs) with fewer and less intensive data activities, you can appoint an existing member of staff who carries out another role in addition to serving as DPO. However, their day-to-day role must not create a conflict of interest with the DPO role (for instance, a head of marketing or IT who decides the purposes and means of processing), and they must be free to act independently (Article 38).
The DPO monitors the organization's compliance with data protection law and advises on it. A DPO should have thorough knowledge of the relevant data privacy regulations so as to ensure compliance when DSARs are handled.
If your organization deals with, or is likely to deal with, a high volume of DSARs, it is advisable to have a set process for compiling responses. This could be software that automates intake, identity verification, data collection and deadline tracking, or a documented internal process with standard templates for acknowledgements, clarification requests and final responses. Either way, the process should produce a log of every request and its deadline, so that nothing is missed.
Timeline for responding to a DSAR
Organizations should respond to DSARs promptly. The statutory deadlines differ between data privacy laws, depending on the countries you serve; the figures below are the base periods, counted from receipt of the request:
· GDPR (EU) and UK GDPR: one month (Article 12(3)), extendable by up to two further months for complex or numerous requests
· CCPA/CPRA (California): 45 days, extendable by a further 45 days where reasonably necessary
· LGPD (Brazil): 15 days for the full response (Article 19)
However, best practice is to apply the shortest applicable deadline to all requests, so that nobody has to work out which regime governs a given requester. For example, if your company has customers in California and the EU, set a maximum internal response time of 30 days for all DSARs; if you also serve Brazil, the target drops to 15 days.
You may also extend the deadline where the law permits it, but you must tell the individual within the original period that you are extending it and why. Silently running past the deadline is a breach even if the eventual response is complete.
Can you charge a fee?
The GDPR generally requires DSARs to be answered free of charge (Article 12(5)). However, you can charge a reasonable fee based on administrative costs if the request is "manifestly unfounded or excessive", in particular because of its repetitive character, or if the individual asks for further copies of data already provided (Article 15(3)). The burden of demonstrating that a request is manifestly unfounded or excessive rests on you, the controller.
Your organization may instead refuse to act on a manifestly unfounded or excessive request. For example, if you can show that the request was made with no real intention of exercising the right of access (such as purely to harass the organization), or that it repeats a request you recently answered and nothing has changed since, you can refuse it. A request is not excessive merely because it is inconvenient or the data set is large.
If you refuse to act on a DSAR, or decide to charge a fee, you must tell the individual in writing, without delay and at the latest within one month, the grounds for doing so, and inform them of their right to lodge a complaint with the supervisory authority and to seek a judicial remedy (Article 12(4)).
Now that we know the basics of how to deal with DSARs, let’s run through a step-by-step process that you can implement in your organization.
DSAR: step-by-step guide to handling them
Responding to DSARs is a legal obligation, and to comply you must respond within the mandated time frame. Since time is of the essence, it is advisable to have an established DSAR process ready to deal with requests in a timely and effective manner. Below are the steps your organization should take when handling a DSAR:
Identify the DSAR
Before you can handle a DSAR, you need to recognise one. A DSAR can come from anyone whose personal data you process, including employees, customers, and contacts at business partners. It may arrive verbally, in writing, through a web form, or via social media, and it need not use formal terminology such as "data subject access request" or "subject access request"; "please send me everything you hold about me" is a valid DSAR. Since any employee may be the one who receives it, all staff should be trained to recognise a request and route it to whoever owns the DSAR process; the deadline runs from receipt, not from when it reaches the right team.
Verify their identity
Verify the identity of the person making the request before disclosing anything. Use information you already hold (for instance, ask them to reply from the email address on the account or to log in to their account) and request additional proof only where you have reasonable doubts about their identity (Article 12(6)); do not collect more data than the check needs. If the request comes through a third party, such as a solicitor or a relative, make sure they have written authority to act on the individual's behalf. Verification both lets you locate the correct records and prevents you from disclosing personal data to someone who has no right to it, which would itself be a personal data breach.
Assess the nature
Start by reviewing the DSAR to determine whether it is clear about the information sought. If it is unclear which data to provide, ask the requester promptly for clarification (for example, which services or time period they are interested in), but do not use clarification as a delaying tactic, and do not narrow a request the individual has not narrowed.
Organize the information
Compile the individual's data from every system where it may live, in line with what the DSAR asks for: production databases, CRM and ticketing tools, email, logs, backups that are still accessible, and data held by your processors on your behalf. Present it in a format that is easily accessible and understandable. Recital 63 of the GDPR states that, where possible, the controller should be able to provide remote access to a secure system giving the data subject direct access to their personal data. If an individual asks for all of their data, make the response as comprehensive as possible; an incomplete response is a compliance failure just as a late one is.
Review the response
Before sending the copy, review it carefully. This matters most where the data is sensitive. The response should address exactly what was asked and must not contain anyone else's personal data, since disclosing it would be a data breach. It is good practice to have a second person check the redactions.
Explain their rights
Your response letter should also explain the individual's data protection rights, as Article 15(1) requires: the right to lodge a complaint with a supervisory authority, and the rights to request rectification or erasure of their data, to request restriction of processing, and to object to processing.
Send the data
Finally, send the personal data and the accompanying information within the deadline, using a secure channel (an encrypted attachment or a portal, not an unprotected file attached to an email). Keep a record of all communications with the individual, including verbal DSARs, and of what was sent, when, and what was redacted, so that you can demonstrate compliance if challenged.
Challenges involved in responding to DSARs
Responding to DSARs sounds simple, but it is becoming a sizeable task, particularly for small and medium businesses, because the amount of data being collected and processed has grown enormously. Dealing with many requests in a short time frame (locating the personal data, collating, reviewing, redacting, and sending it) carries significant administrative cost and consumes a lot of staff time.
As DSARs are one of the most frequent subjects of data protection complaints, responding effectively is a challenge for organizations of all sizes. Handling them well requires a robust process through which you can locate the information, understand how the personal data is processed, and prepare a response within the deadline. Data mapping done in advance, so that you already know which systems hold what, is what makes the deadline achievable.