Data is what makes the modern business world go around. But as the amount of data that organizations collect and process grows, so, too, do concerns about data privacy and about how organizations handle the requests individuals make regarding their own data.
These concerns have led many jurisdictions to adopt data privacy rules and regulations. An astonishing 71% of countries worldwide have data privacy laws in place, and another 9% have drafted legislation. Meanwhile, five U.S. states have enacted data privacy laws and 35 states have at least contemplated data privacy legislation.
Under these statutes, protected individuals can make requests of businesses that hold their personal data. These communications are known as data subject access requests (DSARs). For corporate legal teams, responding to DSARs in a timely, sufficient manner can be a major challenge. According to Gartner, responding to a single DSAR can take two weeks or more, at an average cost of $1,400.
This post takes a deep dive into DSARs and DSAR responses. We’ll also share some of the challenges of responding to DSARs along with four best practices organizations can use to be more efficient in their DSAR responses. We’ll wrap up with a look at how modern technology can help corporate legal teams expedite their DSAR response process and minimize costs.
What is a data subject access request (DSAR)?
A data subject access request (DSAR) is an inquiry that protected individuals—or data subjects—can submit to organizations that hold their personal data. A DSAR may request access to an individual’s personal data or may direct an organization to delete or limit its use of that data. DSARs are also known as “subject rights requests” and “privacy rights requests.”
What qualifies as personal data that data subjects can make a request about? Personal data is generally any information relating to an identified or identifiable individual: a name, date of birth, Social Security number, mailing address, email address, or any other detail that can be tied back to a specific person, whether on its own or in combination with other data the organization holds.
Data subjects use DSARs to exercise their data privacy rights. Although each jurisdiction’s rule or regulation is unique, data privacy statutes generally give individuals the right to:
- know what data organizations are collecting about them and why,
- access the data that organizations have collected about them,
- correct their personal data where necessary,
- limit how their personal information is used and disclosed,
- demand that an organization delete the data it has collected about them,
- prevent their personal data from being sold, and
- be free from discrimination as a result of exercising their rights.
Now that we’ve defined what a data subject request is, let’s talk about how DSARs are submitted and who can submit them.
How are DSARs submitted?
A data subject must submit a DSAR directly to the target organization. Organizations accept DSARs through different channels, from designated DSAR portals and dedicated privacy email addresses to general phone numbers, customer-service inboxes, and mailing addresses. Whatever the channel, anyone who staffs it needs to recognize a request when one arrives, since the statutory clock starts at receipt, not when the request reaches the legal team.
A DSAR may be made orally or in writing, and a request does not have to use any particular wording to be valid. A well-formed request should nonetheless include:
- the term “data subject access request” or an equivalent term as the subject line or header,
- the date of the request,
- the data subject’s name and any relevant aliases,
- a list and description of the information they want to access or protect, and
- the data subject’s contact information.
So, who can submit a DSAR? Any individual who resides in a jurisdiction with a data privacy statute can submit a DSAR, including consumers, contractors, and current, former, and prospective employees.
An individual can also submit a DSAR on behalf of a data subject—such as a child, legal client, or person with a legal guardian—with the requisite authority or consent. In this case, an organization may require the requester to provide written consent or other documentation of their relationship with the data subject before responding to the DSAR.
But just because someone makes a request doesn’t always mean that request has to be granted—or does it?
When is a DSAR response required?
An organization must respond to a data subject access request if the data privacy law that protects the requester applies to the organization.
Some data privacy laws—such as the EU’s General Data Protection Regulation (GDPR)—are extraterritorial, meaning they apply to organizations based outside their jurisdiction so long as those organizations offer goods or services to, or monitor the behavior of, individuals located in that jurisdiction. Under the GDPR this turns on where the data subject is, not on citizenship.
Other data privacy laws are more narrowly construed. The California Consumer Privacy Act (CCPA), for example, applies to businesses—subject to certain exemptions—only if they operate in California and:
What if an organization determines that a DSAR is unfounded or the requester has not demonstrated that they have the authority to make the request? In that case, the organization should explain why it believes a response is not appropriate and tell the requester that they are welcome to correct their DSAR or submit additional information. That refusal is itself a response and should go out within the same statutory deadline; silently ignoring a request the organization considers defective is not an option.
Who, then, sends the response? Usually, the organization’s data protection officer (DPO) is in charge of responding to DSARs. If an organization does not have a DPO, it should designate a named owner—typically in legal or privacy—who knows what data the organization holds and where it is stored, rather than leaving the task to whoever happens to receive the request.
Responding to a DSAR may sound relatively easy, but a DSAR response must contain certain details to be sufficient. Let’s turn to what a DSAR response should look like.
What should a DSAR response include?
After the organization has verified the requester’s identity, it must search its data to determine whether it has any of the requester’s personal data and respond to the DSAR. Verification comes first for a reason: a DSAR answered to the wrong person is itself a disclosure of personal data to an unauthorized party, so the response must go only to the verified requester and, for a third-party request, only after their authority to act for the data subject has been confirmed. Generally speaking, a response to a DSAR should include:
- a statement affirming or denying whether the organization has collected or processed the requester’s personal data;
- a copy of any of the data subject’s personal data that the organization has;
- a list of the categories of personal data the organization collected, sold, or shared about the data subject;
- a list of the types of sources where the organization obtained the data;
- an explanation of the purpose for which the organization collected the data; and
- a list of the types of third parties to whom the organization disclosed the data.
One of the challenges of DSARs is that organizations don’t have much time to pull that information together.
What is the timeline for a DSAR response?
An organization must respond to a data subject access request by the applicable statutory deadline. Typically, these range from 30 to 45 days, plus extensions. An organization’s failure to timely and correctly respond to a DSAR is a legal violation. Therefore, if an organization fails to respond to a DSAR or otherwise violates a data privacy law, it may face civil penalties and even lawsuits.
Under the GDPR, for example, organizations must respond to data subject access requests “without undue delay and in any event within one month.” The GDPR allows the deadline to be extended by up to two additional months if a DSAR is complex or the organization has received numerous requests. If an organization extends the deadline, it must inform the data subject of the extension and the reasons for it within one month of receiving the request; an extension that is not communicated in time does not move the original deadline.
Failure to comply with the GDPR can lead to fines totaling up to €20 million or 4% of the organization’s annual global revenue, whichever is greater. The GDPR also allows data subjects to bring a private right of action to recover damages.
On the other hand, under the CCPA, organizations have 45 days to respond to a DSAR and can take one additional 45-day extension when “reasonably necessary.” As with the GDPR, if an organization extends the deadline, it must notify the data subject of the extension within the first 45 days.
While a single violation may not result in a maximum penalty, an organization’s routine failure to timely respond to DSARs could equate to larger fines. Some laws, like the GDPR, also allow data subjects to seek a court order compelling an organization to respond to their data subject access request.
The first step corporate legal teams should take to ensure compliance is to understand the challenges of responding to DSARs.
What are the challenges of responding to DSARs?
DSARs are usually much harder for organizations to respond to than they are for individuals to submit.
The biggest challenge of responding to these requests is the high volume of data and the variety of places most organizations have to search to uncover relevant information. For example, an organization may have a considerable amount of personal data about a former employee scattered throughout multiple databases, email inboxes, HR and payroll systems, backups, and other repositories. Uncovering all of that information is tedious and requires an up-to-date understanding of what data the organization collects and where it stores it, which is exactly what a maintained data inventory or data map provides.
To complicate matters further, DSARs can be very complex. A single DSAR can request copies of the data subject’s personal data, ask the organization what its purposes are for collecting and processing that data, and demand that the organization delete one category of that data and limit how it uses another.
These challenges are compounded by the short turnaround most data privacy statutes require for DSAR responses, as we discussed above.
Responding to data subject access requests may sound daunting, but corporate legal teams can improve their processes by adopting the following best practices.
Four best practices for efficiently responding to DSARs
Developing sound practices for responding to DSARs is crucial to complying with data privacy laws and avoiding hefty fines, costly lawsuits, and loss of public trust. These four best practices are a good start.
1. Employ proper information governance
Information governance is a set of rules and policies that determines who can do what with data. Proper information governance helps ensure that data is accurately classified, securely stored, and readily accessible. That way, organizations can easily locate and retrieve data when something like a data subject access request comes up, reducing the time and effort it takes to respond. The main data governance principles organizations should adopt are:
- data quality,
- collaboration, and
- standardized rules and regulations.
2. Develop a standardized process
Adopting a standardized process can help legal teams fulfill DSARs more quickly and methodically and leave less room for error. The process for responding to DSARs should look something like this:
- review the request,
- verify the sender’s identity and, for a request made on someone else’s behalf, their authority to act for the data subject,
- perform a comprehensive data search across every repository in the data inventory,
- securely deliver the relevant data to the data subject through a channel tied to the verified identity, and
- prepare an internal report.
Corporate leaders can use those internal reports to track key DSAR response metrics and update the legal team’s standardized process, as we’ll explain next.
3. Track DSAR metrics
Routinely tracking and reporting metrics can help an organization improve its DSAR response process. Useful metrics include how many DSARs the organization receives, how complex each one is, how long it took to respond to each request relative to its statutory deadline, how often extensions were invoked and properly notified, and how many hours the legal team spent on each response. The organization can use that data to evaluate its DSAR response process and adjust it as needed.
4. Leverage technology
Technology plays an integral role in efficiently responding to DSARs. Given the large volume of data that most organizations collect and process, manual review alone does not scale to the statutory deadlines. Modern solutions make searching and reviewing data on a tight timeline feasible and allow corporate legal teams to respond to DSARs faster while saving organizational resources.
Modern technology can help streamline DSAR workflows
Technology is key to improving DSAR workflows and consistently meeting deadlines. By investing in the right tools, organizations can set their legal teams up for success, save time and money, and avoid the penalties and other costs associated with late data subject access request responses.
For example, Live Early Data Assessment (EDA) can quickly provide valuable insights into an organization’s data and information management practices before it even receives a data subject access request. When a DSAR is filed, the legal team can use the platform to search and review vast amounts of data across multiple repositories quickly and easily, all from a single interface.
With the help of Live EDA, corporate legal teams can respond to DSARs on time—without working overtime.