In this article we’re looking at the process for handling data subject requests and Data Subject Access Requests (DSARs), and the significant resource allocation it requires.
Processing DSARs involves authenticating the requester's identity, thoroughly reviewing each request for compliance, and meticulously gathering and verifying the requested information. This process can be time-consuming and requires dedicated systems and personnel, making it a challenging and resource-intensive task for businesses to ensure compliance with various data privacy laws.
Clym offers a solution to this challenge by providing an automated compliance solution (CMP) that streamlines the process of handling DSARs, significantly reducing the burden on business resources.
One of the main goals of data protection laws is to give individuals more control over their personal information. A requirement to provide notice on data processing, the ability to correct or delete personal information, object to the processing, or opt out of marketing emails, all these abilities have been provided to individuals by "data subjects rights" or "consumer rights" under data protection laws such as the GDPR, the CCPA, and others.
When an individual wishes to exercise one of these rights, they are expected to send a request to the company. A request to confirm the processing and receive more details about the personal information in businesses’ possession is called a data subject access request or DSAR. In addition to data subject access requests, individuals are given the option to submit requests to correct, delete, to transfer their personal data in a portable format, or to opt-out of personal data processing thanks to data subject rights granted to them by these privacy laws.
Requests for any of these data subject rights are collectively known as data subject requests, or DSRs, and understanding the difference between a DSAR and a DSR is crucial for your business’s compliance with data privacy laws around the world.
If you collect and store personal information from people in a regulated area, you're probably subject to the local data privacy laws. This applies whether you operate a business in the region or just target individuals that reside there.
This article answers these questions, makes a distinction between DSARs and DSRs, and provides essential information to keep your organization compliant.
DSAR means Data Subject Access Request. This is a type of request that an individual, such as potential customers, employees, and other individuals, can submit to your organization in order to be granted access to and control of their personal information that you have collected and processed. A DSAR refers to fundamental rights granted to individuals under various data privacy laws which empower individuals to request access to their personal information collected by organizations.
The best-known data regulations, such as the GDPR or the CCPA, enumerate certain rights for individuals (data subject rights). One of these requires companies to provide access to the data collected on individuals by facilitating data subject access requests. The types of DSARs a data subject can submit to your company vary by jurisdiction and empower individuals to understand and manage what information is being collected about them.
Taking the example of the GDPR, the types of data subject requests that can be made include:
Under the CCPA/CPRA, the types of data subject requests that can be made include:
There is a common misconception when it comes to DSARs, namely that the distinction between DSARs (Data Subject Access Requests) and DSRs (Data Subject Requests) lies in terminology, and that the two terms are interchangeable. That is not correct...
DSAR generally refers to a request to confirm the processing and access information, also known as a “right to know.”
DSR is an umbrella term encompassing various data subject requests, including the access request mentioned above, but also covering rectification, erasure, and other types of requests.
Essentially, DSARs are a subset of DSRs, with the former specifically focusing on individuals seeking access to their personal data. Understanding this difference is crucial for organizations navigating compliance landscapes and responding effectively to diverse requests from data subjects.
Data Subject Rights refer to a set of fundamental rights granted to individuals regarding the processing of their personal data. These rights, established under data protection laws such as GDPR, CCPA/CPRA, or PIPEDA, empower individuals to have control over their information. Common data subject rights include the right to access personal data, rectify inaccuracies, erase data (the right to be forgotten), restrict processing, and object to certain types of processing. Additionally, individuals may have rights related to data portability and not be subject to automated decision-making. Recognizing and respecting these rights is pivotal for organizations to ensure compliance, build trust with their users, and contribute to a transparent and ethical approach to data management.
Global data regulations require companies to provide access to the data collected on individuals by facilitating “data subject access requests” (DSARs). The general means for this bear many similarities or are identical across jurisdictions, but some variations may occur. DSAR category types vary by jurisdiction and empower individuals to understand and manage what information is being collected about them.
The standard Data Subject Access Request response process revolves around the systematic approach to addressing requests submitted by individuals regarding their personal data. Once a data subject submits a DSAR request, either in writing or through designated channels provided by your organization (dedicated email address, telephone number, consent management platform, etc.), you have to authenticate the request by identifying the requester to ensure the security of personal information.
Next, the request should be thoroughly reviewed to determine its validity and compliance with relevant data protection laws. Once this is done, your company will then have to gather and sort through the requested information, ensuring accuracy and completeness. The response, which is usually provided within a legally stipulated time frame, outlines the actions taken, such as providing access to the data, rectifying inaccuracies, or deleting information.
Transparency is key throughout this process, so your company has to clearly communicate to the data subjects the steps taken and any exceptions or limitations. Implementing a standardized and efficient Data Subject Access Request response process is crucial for your business to meet legal obligations, uphold individuals' rights, and foster trust in their data handling practices.
Clym’s compliance widget helps you cover all these steps within one tool that requires no setup on your part. Once installed, the compliance widget automatically displays the DSRs relevant to each individual’s jurisdiction and the applicable privacy regulations, notifies you of any new DSR, and shows the deadline for responding. In addition, you can add DSRs on the fly.
Clym’s Privacy Widget also allows you to manually add DSRs, so you can manage ALL of your DSRs in one place, regardless of how they were submitted: mail, email, phone, or through your website. In addition, you are provided with a time-stamped, audit-ready trail of the data subject (access) request from start to finish, and you can keep all communication between the requester and your organization in one place, using pre-configured DSR templates for various regulations that are displayed only for the relevant jurisdiction. This means, for example, that if you receive a request under the CCPA/CPRA, the templates available to you will be the ones relevant to that law.
Here is an example of what that will look like:
Any individual whose personal information is held by your organization can typically submit a Data Subject (Access) Request, as long as there is a privacy law in place which grants them data subject rights. The types of DSRs an individual can submit are also mandated by the privacy law, so these may be different from one jurisdiction to the next. This includes customers, potential customers, employees, and others whose data your organization collects.
The process for submitting a DSAR or any type of DSR may vary but is often facilitated through designated channels provided by your organization, such as data subject request forms, email, or dedicated portals. The individual submitting the request usually needs to provide sufficient information to verify their identity to ensure the security of personal data. In certain situations, data subjects can have authorized representatives submit requests for them. Additionally, advancements in technology now permit authorized agents, such as Universal Opt Out Mechanisms like Global Privacy Control (GPC), to submit requests.
For example, these agents can file a Data Subject Request (DSR) for the Right to Opt-Out of certain processing activities. These activities include targeted advertising, selling personal data, or profiling that leads to significant legal decisions affecting a consumer.
Understanding who can submit a DSR and establishing clear and accessible submission methods are crucial aspects of your organization's compliance with data protection laws, as they empower individuals to exercise their rights over their personal information.
Clym's compliance widget stands out as a powerful solution for effectively managing Data Subject Requests (DSRs) or, specifically Data Subject Access Requests (DSARs). Our innovative tool provides organizations with a streamlined process to handle DSRs in compliance with data protection laws. The widget integrates seamlessly into websites and digital platforms, offering a user-friendly interface for individuals to submit their requests.
Clym's compliance widget facilitates the submission of DSRs and DSARs and ensures a secure and efficient response process. It enables organizations to authenticate the identity of requesters, review and gather the requested information, and communicate transparently about the steps taken. By leveraging Clym's compliance widget, your business can navigate the complexities of DSAR management, demonstrating a commitment to data privacy and bolstering trust with your users.
Generally, organizations have thirty (30) days to respond to a DSR after receipt; however, this deadline can be extended to ninety (90) days based on the complexity of the request. Other data privacy laws differ in their allowable DSRs and timelines, so companies need to familiarize themselves with the types of request each jurisdiction requires, the deadlines for response, and the financial penalties for failing to respond in a timely fashion. So the answer is a bit more complicated: it depends on the regulation, since there are some differences between the major ones currently in force.
For example, under GDPR, generally, organizations have 30 days to respond to a request, while under CCPA, that time period is 45 days. There are extensions available depending on the size and scope of the request. Here's a general overview, but it's crucial to refer to the specific legislation for accurate and up-to-date information:
Download this table with response times for DSARs here.
It is very important for your company to have a full understanding of the types of DSRs individuals can make, and how those requests need to be managed. If you’re managing these DSRs via email and Microsoft Office tools, you’ll quickly find yourself unable to manage all of the DSRs in a compliant way. Clym’s compliance tool is built with an audit-ready trail which allows you to manage all the DSRs you receive in an efficient and cost-effective way, regardless of whether you receive 10 or 10,000. As the deadline for the request gets closer, we’ll send you multiple reminders via email so you don’t miss it.
The first question most businesses have is “Am I required to locate absolutely every piece of personal data requested within the DSAR?”
While every regulation is different, complying with a DSAR generally means conducting a reasonable and proportionate search in light of the amount of data collected and how it is used.
But what does “reasonable” mean? That’s a subjective term, so it will depend on a variety of factors and may require a judgment call. Having a policy in place at your company regarding the amount of employee time you deem reasonable to complete a request may be helpful as a guideline. Just don’t expect complying with DSARs to take the same amount of time every time.
To make it easier, let’s look at the types of DSRs that may be submitted. For example, when someone submits a DSAR, i.e. a request for access to their data, your organization needs to give a complete list of their personal information. Sometimes the person may want specific details, and you must provide what they ask for. They can ask for:
Usually, once they have this summary, data subjects may follow up with a data subject request (DSR) for deletion of personal information, meaning they might ask you to delete all or part of the personal information you have collected and processed about them. Once you’ve located the data, unless legally granted exceptions apply (e.g. an invoice or a contract), delete it and confirm this to the data subject.
The same goes when your company receives a data subject request (DSR) for correction of personal data. If they notice an error in the personal data you hold about them, data subjects may ask you to correct this. Once you’ve done this, simply confirm to the data subject the completion of the request, within the legal timeframe for this.
The scariest data subject request (DSR) is the one for opt-out, known also as the opt-out right, a request that data subjects can submit under the CCPA/CPRA in California, for example. However, this type of data subject request (DSR) simply means you can no longer share their personal data with third parties for the purpose of targeted advertising. Businesses covered by privacy legislation such as the CCPA/CPRA need the right tool to ensure that this side of compliance is also covered.
DSARs give individuals the right to discover what data an organization is holding about them, why the organization is holding that data and who else their information is disclosed to. Are you collecting email addresses and phone numbers? That counts. Is your website using tracking scripts and cookies? Guess what, IP addresses are considered personal data, so that information is in scope. The more data you have, the more difficult, time-consuming and expensive responding to DSARs may become.
Clym's compliance widget stands out as a powerful solution for effectively managing Data Subject Requests (DSRs) and Data Subject Access Requests (DSARs), including those related to the CCPA/CPRA. With our compliance solution, you can easily and conveniently place a footer link on your website for the Do Not Sell or Share My Personal Data requirement of the CCPA/CPRA, which allows users to opt-out.
Clym's compliance widget not only facilitates DSAR submissions but also ensures a secure and efficient response process, including identity authentication and transparent communication about the steps taken, meaning your users and your company’s legal team can sleep well at night knowing commitment to data privacy is facilitated, and trust with users is continuously built.
The most common approach that businesses take is assigning responsibility for privacy matters to a person within the organization who possesses knowledge of data privacy regulations and data protection, whether or not that person is a formally designated Data Protection Officer (DPO).
While the DPO isn't required to handle every request personally, they may supervise the process to guarantee that responses are precise, timely, and compliant. Not all companies are required to have a Data Protection Officer within the organization, but many privacy laws require organizations to have a dedicated person assigned to oversee data protection matters. Also, remember that documenting your Data Subject (Access) Request response process is a wise practice that will allow any member of your organization to follow it.
A data subject request template refers to a standardized data subject request form that your business makes available to data subjects so they can submit a data subject request with your business. This should be customized to be relevant to the applicable data privacy regulations in the jurisdictions where you conduct business.
This standardized form should cover a few specific points, such as obtaining sufficient information to locate the individual in your company’s database, verifying their identity successfully, understanding the nature and scope of the data subject request, providing the data subject with proper information about the next steps in the submission process, and setting the right level of expectation in terms of timeframe. Many of these can be built into compliance management tools that give data subjects a way to submit a data subject request and verify it, for example, by clicking on a link that is generated and sent to the email address they provided in the data subject request form on your website. Once they’ve clicked the link, they can then be informed via automated email of the next steps in the process and the relevant timeline.
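The intake steps described above (record receipt, fix the response deadline from the day the request arrived, verify the requester through a link sent to the e-mail address they provided, and keep a time-stamped record of every step), shown as an added Python example. This is not Clym's code and not part of the original article. The response windows use the 30-day (GDPR) and 45-day (CCPA) figures the article gives earlier; the 24-hour link lifetime, the single-use token, the stored-hash-only design and all function and field names are assumptions made for the example.

```python
"""Minimal DSR intake record: deadline, e-mail link verification, audit trail.

Added example, not from the article or from Clym. Sending the e-mail itself is
out of scope; the token returned by issue_verification_token() is what the link
would carry.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Response windows as the article states them. Assumption: counted as calendar
# days from receipt; extensions for complex requests are not modelled.
RESPONSE_DAYS = {"GDPR": 30, "CCPA": 45}
VERIFY_LINK_TTL = timedelta(hours=24)   # assumed lifetime of the emailed link


def utc(year, month, day, hour=0):
    """Helper for building timezone-aware timestamps in examples and tests."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


@dataclass
class AuditEvent:
    at: datetime        # when it happened
    actor: str          # "system", "requester", or a staff username
    action: str
    detail: str = ""


@dataclass
class DataSubjectRequest:
    request_id: str
    regulation: str                 # key of RESPONSE_DAYS
    request_type: str               # "access", "deletion", "correction", "opt-out"
    requester_email: str
    received_at: datetime
    deadline: Optional[datetime] = None
    verified: bool = False
    token_hash: Optional[str] = None        # only a hash of the link token is kept
    token_expires: Optional[datetime] = None
    audit: List[AuditEvent] = field(default_factory=list)


def log(req, actor, action, detail="", now=None):
    """Append a time-stamped entry; the trail is append-only by convention."""
    req.audit.append(AuditEvent(now or datetime.now(timezone.utc), actor, action, detail))


def open_request(request_id, regulation, request_type, email, received_at):
    """Record receipt and fix the deadline from the day the request arrived."""
    if regulation not in RESPONSE_DAYS:
        raise ValueError(f"no response window configured for {regulation}")
    req = DataSubjectRequest(request_id, regulation, request_type, email, received_at,
                             deadline=received_at + timedelta(days=RESPONSE_DAYS[regulation]))
    log(req, "system", "received", f"{request_type} under {regulation}", received_at)
    log(req, "system", "deadline_set", req.deadline.isoformat(), received_at)
    return req


def issue_verification_token(req, now):
    """Return the random token for the emailed link; store only its hash."""
    token = secrets.token_urlsafe(32)
    req.token_hash = hashlib.sha256(token.encode()).hexdigest()
    req.token_expires = now + VERIFY_LINK_TTL
    log(req, "system", "verification_email_sent", req.requester_email, now)
    return token


def verify_token(req, presented, now):
    """Mark the request verified if the token matches, is unexpired and unused."""
    if req.token_hash is None or now > req.token_expires:
        log(req, "requester", "verification_failed", "missing, used or expired token", now)
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    if not hmac.compare_digest(digest, req.token_hash):   # constant-time compare
        log(req, "requester", "verification_failed", "token mismatch", now)
        return False
    req.verified = True
    req.token_hash = None            # single use: a replayed link is rejected
    log(req, "requester", "identity_verified", "", now)
    return True


def days_remaining(req, now):
    """Whole days left until the statutory deadline (negative once overdue)."""
    return (req.deadline - now).days


def close_request(req, staff, outcome, now):
    """Only a verified request may be fulfilled; record who closed it and how."""
    if not req.verified:
        raise PermissionError("requester identity not verified")
    log(req, staff, "closed", outcome, now)


if __name__ == "__main__":
    t0 = utc(2024, 1, 1)
    r = open_request("DSR-0001", "CCPA", "access", "requester@example.com", t0)
    link_token = issue_verification_token(r, t0)          # would be emailed
    verify_token(r, link_token, utc(2024, 1, 1, 3))       # requester clicks the link
    close_request(r, "privacy-officer", "access copy provided", utc(2024, 1, 20))
    for e in r.audit:
        print(e.at.isoformat(), e.actor, e.action, e.detail)
```

Keeping only the hash of the link token means a copy of the request database does not let anyone verify on the requester's behalf, and the single-use rule plus the constant-time comparison are the same habits used for password-reset links. The audit list is what a regulator would expect to see: receipt, deadline, verification and closure, each with a timestamp and an actor.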
In written form, a data subject request template example, one of many, can look like this:
[Your Company Logo] Data Subject (Access) Request Form
Personal Information of the Requester:
Verification of Identity: Please provide a copy of one or more of the following documents to verify your identity (e.g., passport, driver's license).
Details of the Request:
Type of Request:
[X] Access to Personal Data
[ ] Rectification of Personal Data
[ ] Deletion of Personal Data
[ ] Other (Specify): ________________
Description of Request: ______________________________________________________
Relevant Time Period: From ____________ to ____________ (if applicable)
Declaration: I, [Requester's Full Name], hereby declare that the information provided in this request is true and accurate to the best of my knowledge. I understand that providing false information may result in consequences as per the applicable laws and regulations.
Signature: _________________________ Date: _________________
Submission Instructions: Please submit this completed DSAR form along with the necessary identification documents to [Your Company's DSAR Contact Point].
Email: ___________________________
Mailing Address: ___________________
In-Person Submission: ______________ (if applicable)
Notes for the Requester:
- The processing time for DSARs is typically [mention the timeframe as per your organization's policy or regulatory requirements].
- You may be required to provide additional information for verification purposes.
- We will communicate with you regarding the status of your request using the contact details provided.
Important! Please be aware that certain legal exemptions or restrictions may apply to your request, and we will inform you if any such limitations exist.
[Your Company Contact Information]
You can download the Data Subject (Access) Request template here.
Clym’s data subject request management tool makes it easy for you to respond to DSRs in a timely manner through your admin account on our platform, so that all responses and correspondence are time-stamped and tied directly to each request. We understand that nobody likes to be audited, but the reality is that you might be audited at some point, and the lack of an audit trail will cost you a pretty penny!
Let us help!
To save you and your team additional time, Clym provides you with default reply templates for various data subject requests, however if you’d like to add your own language, feel free to make any tweaks you deem necessary.
Here is an example of a template reply you can send a data subject that has submitted a data subject request for opt-out under the CCPA/CPRA:
The specific steps for DSR handling can vary based on the applicable data privacy regulation in your jurisdiction, so you should always make sure to stay informed about any updates or changes to that regulation. That being said, certain steps are considered common, but businesses have a great deal of freedom with regard to their process for handling DSRs. Even data subjects themselves have the freedom to request their data in an app, over the phone, or in person. Bear in mind that a data subject doesn’t have to use terms such as DSR or data subject request; they can simply say “I want to know what data you have on me”, and this is a valid DSR for access, i.e. a DSAR.
Here are some industry standard steps for how to handle and how to document a DSR:
Regarding the fines for failing to comply with DSARs, as with most data privacy matters, this depends on the jurisdiction. Failing to respond to data subject requests can result in GDPR violations of up to €20 million or CCPA violations of up to $7,500 per incident (read: each time you fail to respond to a DSAR).
Typically, organizations are fined for failing to respond to requests in a timely fashion and failing to conduct a reasonable search related to personal data, for a number of reasons, including the fact that they either:
DSRs have expanded significantly in volume since the GDPR was implemented. With the passage of data privacy laws such as California’s CCPA and Brazil’s LGPD, we can expect to see a spike in requests as awareness of the rights granted by these laws grows. Companies that are not leveraging technology will struggle to keep up with the growing volume of DSARs and increase the likelihood that they’ll suffer significant financial penalties.
As a best practice for improving in this area, consider the following:
Clym's revolutionary Cookie Consent Manager is a streamlined solution for DSR management so your company’s DSAR compliance is facilitated. You can effortlessly navigate through the intricacies of 40+ international data privacy laws, encompassing GDPR in Europe, LGPD in Brazil, and CCPA in California. Our platform goes beyond compliance; it intelligently adapts to regional regulations through built-in geolocation rules, ensuring seamless adherence to diverse requirements.
In the ever-evolving landscape of data privacy, Clym is your ally, alleviating the challenges of staying current with regulatory changes. Our system takes the burden off your shoulders by automatically updating the DSAR types whenever there's a modification in the covered regulations. Bid farewell to the constant monitoring of data subject requests (DSRs) and manual logging of these; Clym does it all for you.
At Clym, we believe in harmonizing digital compliance with your business needs, offering a suite of benefits, including an all-in-one platform that combines Privacy and Accessibility compliance with global regulations at an affordable price.
Experience seamless integration into your website, adaptability to users' locations and applicable regulations, customizable branding, ReadyCompliance™ covering 40+ data privacy regulations, and accessibility options, which include six preconfigured accessibility profiles and 25+ display adjustments for visitors to tailor their individual experiences. Clym is not just a solution; it's a commitment to simplifying and enhancing your digital compliance journey.
Convince yourself and see Clym in action today by booking a demo or reaching out to us to discuss your specific needs.