December 28, 2020
With the ever-expanding privacy laws, like the GDPR, CCPA, and recent passing of the CPRA, consumers have become increasingly data-savvy. They want to understand how their data is being collected and used by organizations, and data privacy laws like the GDPR and CCPA entitle consumers with the right to understand how organizations are using their data. Consumers can take advantage of this right by filing a Data Subject Access Request (DSAR).
What is a DSAR?
A DSAR is a written communication addressed from an individual to an organization that inquires which of their personal data is being stored, why their data is being stored, and to whom their data is being shared or disclosed to.
The term “DSAR” was originally introduced in the GDPR law verbiage, but has quickly evolved and become more commonplace. Sometimes, DSAR is used as an acronym for Data Subject Access Request. You will also see that DSAR is often used interchangeably with the term Subject Access Request (SAR) or Subject Rights Requests (SRR).
All of these terms — DSAR, SAR and SRR — essentially mean that individuals have the right to request and learn how their information is being collected, stored, used and shared by organizations. Also, DSARs aren’t limited to just consumers. Any individual, such as employees, contractors, and potential job candidates, can submit a DSAR to an organization.
How do consumers and users submit DSARs?
According to the CCPA, individuals can make DSARs that pertain to any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition is broader than the traditional definition of PII and also extends to aliases, IP addresses, geolocation data, internet activity, professional information and education information.
Also, individuals must be able to reasonably make DSARs. According to Section 1798.130 of the CCPA, organizations need to make at least two or more contact methods available for DSARs, including at minimum, a toll-free phone number. If the organization maintains an online website of any kind, there must be an accessible method of contact through that organization’s website.
What can be tricky for organizations is that individuals do not need to use the specific terms “Data Subject Access Request” or “Subject Access Rights Request”. They can use common language and simply ask to see the type of data an organization has collected from them. An organization must be able to discern messages like these as a DSAR request and respond accordingly to state and federal regulations.
What businesses need to do after receiving a DSAR
Once an organization receives a DSAR, they must confirm receipt within 45 days. If an organization complies with notifying the individual within this period, they may be eligible for a 45-day extension to gather all the information needed to fulfill the request.
There are a couple of exceptions where organizations have the right to refuse a DSAR, which are if the request is deemed to be unfounded or excessive.
Some examples of an “unfounded request” are:
- If the individual clearly has no intention to exercise their right of access. For example, a request is made, and then the individual offers to retract the request for compensation or benefits from the organization.
- If the request is malicious in intent and made solely to harass or disrupt an organization. For example, the individual is clearly targeting and harassing a particular employee within your organization.
Some instances that may substantiate an “excessive request” include:
- If an individual has repeatedly made the same request in a short time frame.
- If an individual makes a request that overlaps with other requests of the same information.
- If the request asks for information beyond your organization’s available resources.
There is a bit of grey area when it comes to what qualifies as unfounded or excessive requests, so organizations should tread lightly and be prepared to provide solid proof that the DSAR in question meets the criteria. In cases where organizations can refuse a request, they still need to inform the individual why their request is being refused and of their right to make a complaint or appeal to the courts.
Keeping track of DSARs, responding within the legal timeframe requirements and ensuring compliance can be a challenge for organizations, especially for large enterprises that interact with many individuals and collect large amounts of data.
Common DSAR compliance challenges for businesses
Many DSAR compliance challenges that businesses face stem from not having a detailed process, or an automated workflow in place.
If an organization does not have a specific form, email address, or employee protocol for receiving DSAR requests, it can become troublesome simply getting a hold of incoming DSARs. Without a centralized location or tracking system, the requests can be sent in a variety of places like a company’s social media account or to several employees across your organization. If DSARs fly underneath your radar and go unanswered, then your organization could be at risk for non-compliance.
Verifying the individual’s identity
Are the DSARs your organization receives legitimate? Before disclosing any information, organizations need to take measures to ensure that the individual’s identity is legitimate, and that you do not disclose information to unauthorized individuals assuming someone else’s identity.
Understanding the nature of the request
Since there are no formal guidelines for making a DSAR, individuals may not be clear on their ask. They may phrase their request in an unintentionally ambiguous way, leaving your team confused. This can also lead to a lot of unnecessary back and forth to simply understand what the individual is requesting.
Finding the right information to fulfill requests
Data Subject Access Requests seem simple in theory, but actually finding all of the information that pertains to them can be difficult, especially if your organization uses a lot of systems. For example, a single transaction on an e-Commerce website can trigger many actions and funnel personal information into multiple systems and software. Gathering all of those pieces together is not an easy endeavor.
Fulfilling requests in a comprehensive and timely manner
The 45-day deadline for DSAR notifications moves quickly. Between locating the request, verifying identity, gathering information and delegating who actually responds to the request with company-approved language — that doesn’t leave much time for wiggle room.
4 ways to make DSAR compliance easier
1. Centralize your DSAR request intake
For starters, ensuring that all of your DSARs exist in one space will make your team’s lives much easier. All DSARs should be funneled and stored in one secure spot, so your team has a streamlined view that is easier to manage. By keeping all DSARs in one location, it is also easier to keep records of your organization’s related DSAR activities and fulfillment.
2. Standardize DSARs
If your team creates a DSAR form on your website, you can structure the form to mitigate any potential confusion. For example, one of the questions on a DSAR form can be, “Which of the following would you like to request?”, and include pre-written selections for the individual to check off. Questions like these help your team fully understand the nature of the request and leaves no room for miscommunication.
3. Use smart software for identity verification and to locate data
AI and data mining technologies can make fulfilling DSARs an easier task for your organization. Consider using a data privacy management software that can recognize names, verify identity, and scan for data tied to that individual across your entire organization’s data landscape.
4. Create automated workflows to efficiently manage requests
Responding to DSARs becomes much more manageable when you remove time-consuming manual processes. By automating the process, you save time and money while also eliminating the chance for human error. And, by creating a preset workflow, you ensure that DSARs touch all the correct people in your organization and are fulfilled efficiently.
The Spirion Data Privacy Manager’s Compliance component allows you to take advantage of these features for easy, automated DSAR processing. To see our compliance tool in action, you can schedule a demo with us.