How to Respond to a DSAR – A Short Guide in 2023
Requests for access or removal can take considerable time and require verification of the identity and legitimacy of the requester. Rapid and accurate fulfilment of Data Subject Access Requests (DSARs) helps businesses foster brand loyalty while meeting data privacy regulations. A successful GDPR DSAR fulfilment programme, however, requires more than just knowledge about privacy laws or prior experience to be effective.

What is a DSAR?
A Data Subject Access Request, or DSAR for short, is a formal request from any data subject (an individual who owns personal information) who wants to see what data a company holds about them. Usually the data subject makes the request themselves; however, it can also come from others, such as parents or guardians representing children or lawyers representing clients.
GDPR DSARs can arrive through any communication channel, so businesses must be ready to receive them. They could come through your website, social media pages, emails, or even calls into customer support centres. A form dedicated to taking DSAR submissions is ideal, but you should be ready to respond regardless of the source.
Once a DSAR is submitted, it’s essential to verify the requester's identity as soon as possible. Sometimes this means simply verifying their name and address; other times it could require gathering multiple forms of identification to authenticate their submission. After verifying their identity, start compiling your response within the prescribed deadline: 30 days for GDPR compliance or 45 days under CCPA.
Your response should include a comprehensive list of all the data you possess about an individual and details on who has shared or sold that data, along with any reasons why you cannot meet their request.
As DSARs become more frequent, it is increasingly important for businesses to train their staff to recognise and handle them effectively. A documented process for responding to DSARs will keep your team on task and help avoid costly fines, while building trust with customers and strengthening brand image.
What is the GDPR?
The GDPR is a set of data protection laws that afford citizens certain rights with regard to their personal data, including access, deletion, and transferability. Businesses must abide by this set of regulations by responding quickly and efficiently when receiving data subject access requests (DSARs) from customers.
The law requires businesses to respond to a DSAR promptly, within one month of receipt and two months if the requested information requires significant review or is complex.
Businesses seeking to meet regulatory requirements should create a team specifically for handling data subject access requests. This team should include members familiar with data privacy laws who can ensure the company's processes comply with them, and it must be trained on how best to process requests according to regulation.
Businesses seeking to satisfy DSAR requirements must possess the capability of searching across various areas of their systems and databases, which could include searching hard copies, digital files, user accounts, and payment services. This process may be time-consuming and resource-intensive, while it also involves sensitive consumer data requiring additional security measures. Effectively managing this process may prove challenging when meeting regulatory deadlines.
An integral aspect of this process is ensuring the correct data reaches consumers. If incorrect information were to reach someone, this could cause serious harm; protecting this process and encrypting all data before it is distributed can help ensure its safe delivery to its intended audience.
Fides is here to assist businesses in this process by enabling them to search across various parts of their data systems and present an easy-to-read package to consumers that fulfils regulatory requirements while showing respect for users' data and earning their trust.
How do I respond to a DSAR?
An organisation must conduct an initial review to ascertain which data is being requested and whether the individual has invoked other rights. For instance, in addition to accessing their personal data, individuals can request rectification or deletion.
Once data has been reviewed, an organisation must respond within one calendar month of receiving the request, although this timeframe can be extended in certain situations (i.e., complex requests from multiple data subjects).
Responses must contain the information requested by an individual. Unless a charge is legally permissible, your organisation should provide this data free of charge; however, a cost recovery fee can be assessed to cover administrative costs related to processing a request. Typically, this fee depends on how much work was involved in fulfilling the request.
As a general guideline, you should inform an individual requesting data what information was withheld from their set and why; this can be accomplished either by adding a note to their response or by updating your privacy notice.
Your DSAR response must include only information that is accurate, up-to-date and relevant. Having systems in place that ensure only relevant details are included is therefore important; for instance, not including internal memos that reference customer names directly within their content isn’t advised either.
Keep in mind that your organisation must fulfil all legitimate DSARs it receives, and may decline a request only if it is manifestly unfounded, excessive, too costly, or the information is already readily available elsewhere. Otherwise, all valid requests received must be fulfilled.
GDPR can give individuals the power to request personal data from organisations; however, many may still find the concept unfamiliar. Therefore, it would be prudent for organisations to prepare an action plan for dealing with Data Subject Access Requests (DSARs), including an explanation of how requests will be processed as well as who will respond promptly to each DSAR.
Finally, it is critical that an automated and scalable system for processing DSARs be in place. Validating each request, retrieving correct data from various systems, and compiling a comprehensive report manually can be time-consuming and error-prone. With an automated solution in place, requests can be met quickly while adhering to regulations.

Denese Decosse is an education writer specializing in early childhood development and primary education. She focuses on innovative teaching methods, child-friendly learning environments, and strategies to support young learners.