Data Subject (Access) Requests in 2024: The Complete Guide to DSRs

In this article we’re looking at the process for handling data subject requests and Data Subject Access Requests (DSARs) and the significant resource allocation required. 

Processing DSARs involves authenticating the requester's identity, thoroughly reviewing each request for compliance, and meticulously gathering and verifying the requested information. This process can be time-consuming and requires dedicated systems and personnel, making it a challenging and resource-intensive task for businesses to ensure compliance with various data privacy laws. 

Clym offers a solution to this challenge by providing an automated compliance solution (CMP) that streamlines the process of handling DSARs, significantly reducing the burden on business resources.

One of the main goals of data protection laws is to give individuals more control over their personal information. A requirement to provide notice on data processing, the ability to correct or delete personal information, object to the processing, or opt out of marketing emails, all these abilities have been provided to individuals by "data subjects rights" or "consumer rights" under data protection laws such as the GDPR, the CCPA, and others. 

When an individual wishes to exercise one of these rights, they are expected to send a request to the company. A request to confirm the processing and receive more details  about the personal information in businesses’ possession is called a data subject access request or DSAR. In addition to data subject access requests, individuals are given the option to submit requests to correct, delete, to transfer their personal data in a portable format, or to opt-out of personal data processing thanks to data subject rights granted to them by these privacy laws. 

Requests for any of these data subject rights are collectively known as data subject requests, or data subject requests, and understanding the difference between a DSAR and a data subject request is crucial for your business’s compliance with data privacy laws around the world. 

If you collect and store personal information from people in a regulated area, you're probably subject to the local data privacy laws. This applies whether you operate a business in the region or just target individuals that reside there.

• But what does this mean for your organization? 
• What tasks must you complete to follow DSAR rules? 
• What happens if you ignore a DSAR? 
• How do you handle an increasing number of DSARs? 

This article answers these questions, makes a distinction between DSARs and DSRs, and provides essential information to keep your organization compliant. 

Data Subject Rights And Requests According To The GDPR

Read More

What is a data subject access request (DSAR)?

DSAR means Data Subject Access Request. This is a type of request that an individual, such as potential customers, employees, and other individuals, can submit to your organization in order to be granted access to and control of their personal information that you have collected and processed. A DSAR refers to fundamental rights granted to individuals under various data privacy laws which empower individuals to request access to their personal information collected by organizations. 

Most famous data regulations, such as the GDPR or the CCPA, enumerate certain rights for individuals, or data subject rights, one of which requires companies to provide access to the data collected on individuals, a data subject access request, by facilitating DSARs. The types of DSARs a data subject can submit to your company vary by jurisdiction and empower individuals to understand and manage what information is being collected about them. 

Taking the example of the GDPR, the types of data subject requests that can be made include:

• Access
• Rectification 
• Erasure
• Withdraw consent 
• Restrict processing 
• Data portability 
• Object to processing 

Under the CCPA/CPRA, the types of data subject requests that can be made include:

• Know 
• Access 
• Delete 
• Correct 
• Opt-Out 

Opt-In vs Opt-Out: What is the Difference?

Find Out Now

What is the difference between DSARs vs DSRs?

There is a common misconception when it comes to DSARs, namely that the distinction between DSARs (Data Subject Access Requests) and DSRs (Data Subject Requests) lies in terminology, and that the two terms are interchangeable. That is not correct...

DSAR generally refers to a request to confirm the processing and access information, also known as a “right to know.”

DSR is a more umbrella term encompassing various data subject requests, including the above mentioned access, but also covering rectification, erasure, and other types of requests.

Essentially, DSARs are a subset of DSRs, with the former specifically focusing on individuals seeking access to their personal data. Understanding this difference is crucial for organizations navigating compliance landscapes and responding effectively to diverse requests from data subjects.

What are Data Subject Rights?

Data Subject Rights refer to a set of fundamental rights granted to individuals regarding the processing of their personal data. These rights, established under data protection laws such as GDPR, CCPA/CPRA, or PIPEDA, empower individuals to have control over their information. Common data subject rights include the right to access personal data, rectify inaccuracies, erase data (the right to be forgotten), restrict processing, and object to certain types of processing. Additionally, individuals may have rights related to data portability and not be subject to automated decision-making. Recognizing and respecting these rights is pivotal for organizations to ensure compliance, build trust with their users, and contribute to a transparent and ethical approach to data management.

What Does 'Do Not Sell or Share My Personal Information' Mean in CCPA/CPRA?

Find Out Today!

What is the standard Data Subject Access Request response process?

Global data regulations require companies to provide access to the data collected on individuals by facilitating “data subject access requests” (DSARs). The general means for this bear many similarities or are identical across jurisdictions, but some variations may occur. DSAR category types vary by jurisdiction and empower individuals to understand and manage what information is being collected about them.

The standard Data Subject Access Request response process revolves around the systematic approach to addressing requests submitted by individuals regarding their personal data. Once a data subject submits a DSAR request, either in writing or through designated channels provided by your organization (dedicated email address, telephone number, consent management platform, etc.), you have to authenticate the request by identifying the requester to ensure the security of personal information.

Next, the request should be thoroughly reviewed to determine its validity and compliance with relevant data protection laws. Once this is done, your company will then have to gather and sort through the requested information, ensuring accuracy and completeness. The response, which is usually provided within a legally stipulated time frame, outlines the actions taken, such as providing access to the data, rectifying inaccuracies, or deleting information.

Transparency is key throughout this process, so your company has to clearly communicate to the data subjects the steps taken and any exceptions or limitations. Implementing a standardized and efficient Data Subject Access Request response process is crucial for your business to meet legal obligations, uphold individuals' rights, and foster trust in their data handling practices.

Clym’s compliance widget helps you cover all these steps within one single tool, that requires no setup from you. Once installed, the compliance widget will automatically display the DSRs relevant to the individuals’ jurisdiction and respective applicable privacy regulations, and will notify you of any new DSR, and the deadline for responding. In addition to this, you can also add DSRs on the fly. 

Clym’s Privacy Widget also allows you to manually add DSRs so you can manage ALL of your DSRs in one place,  regardless of how they were submitted - mail, email, phone, or through your website. In addition to this you are provided with a time-stamped, audit-ready trace of the data subject (access) request from start to finish, and you are able to keep any communication between the requester and your organization in one place, with already pre-configured DSR templates for various regulations that are only going to be displayed for the relevant jurisdiction. This means, for example, that if you receive a request under the CCPA/CPRA the templates available to you will be the ones relevant for this data privacy law. 

Here is an example of what that will look like: 

Who can submit a Data Subject (Access) Request and how?

Any individual whose personal information is held by your organization can typically submit a Data Subject (Access) Request, as long as there is a privacy law in place which grants them data subject rights. The types of DSRs an individual can submit are also mandated by the privacy law, so these may be different from one jurisdiction to the next. This includes customers, potential customers, employees, and others whose data your organization collects.

The process for submitting a DSAR or any type of DSR may vary but is often facilitated through designated channels provided by your organization, such as data subject request forms, email, or dedicated portals. The individual submitting the request usually needs to provide sufficient information to verify their identity to ensure the security of personal data. In certain situations, data subjects can have authorized representatives submit requests for them. Additionally, advancements in technology now permit authorized agents, such as Universal Opt Out Mechanisms like Global Privacy Control (GPC), to submit requests.

For example, these agents can file a Data Subject Request (DSR) for the Right to Opt-Out of certain processing activities. These activities include targeted advertising, selling personal data, or profiling that leads to significant legal decisions affecting a consumer.

Understanding who can submit a DSR and establishing clear and accessible submission methods are crucial aspects of your organization's compliance with data protection laws, as they empower individuals to exercise their rights over their personal information. 

Clym's compliance widget stands out as a powerful solution for effectively managing Data Subject Requests (DSRs) or, specifically Data Subject Access Requests (DSARs). Our innovative tool provides organizations with a streamlined process to handle DSRs in compliance with data protection laws. The widget integrates seamlessly into websites and digital platforms, offering a user-friendly interface for individuals to submit their requests.

Clym's compliance widget facilitates the submission of DSRs and DSARs and  ensures a secure and efficient response process. It enables organizations to authenticate the identity of requesters, review and gather the requested information, and communicate transparently about the steps taken. By leveraging Clym's compliance widget, your business can navigate the complexities of DSAR management, demonstrating a commitment to data privacy and bolstering trust with your users. 

What are the response times for Data Subject (Access) Requests?

Generally, organizations have thirty (30) days to respond to a DSR after receipt, however, this deadline can be extended to ninety (90) days based on the complexity of the request. Other data privacy laws differ in their allowable DSRs and timelines, so companies need to familiarize themselves with what type of request each jurisdiction requires, the length of deadlines for response, and the financial penalties for failing to respond in a timely fashion. So the answer is a bit more complicated since it depends on the regulation, since there are some differences between major ones currently in existence. 

For example, under GDPR, generally, organizations have 30 days to respond to a request, while under CCPA, that time period is 45 days. There are extensions available depending on the size and scope of the request. Here's a general overview, but it's crucial to refer to the specific legislation for accurate and up-to-date information: 

• GDPR (General Data Protection Regulation): 30 days: In general, organizations under GDPR are required to respond to DSARs within 30 days from the date of receipt.
• CCPA (California Consumer Privacy Act): 45 days: The CCPA allows organizations 45 days to respond to DSARs. This timeframe includes a 45-day extension for complex or multiple requests.
• LGPD (Lei Geral de Proteção de Dados - Brazil): 15 days: The LGPD mandates a 15-day response period for DSARs, with a possible extension of an additional 15 days.
• PDPA (Personal Data Protection Act - Singapore): 30 days: The PDPA stipulates a 30-day timeframe for responding to DSARs.
• Australian Privacy Act: "Promptly": The Australian Privacy Act doesn't set a specific timeframe but requires organizations to respond promptly to DSARs.
• Japanese Act on the Protection of Personal Information (APPI): "Without Delay": The APPI states that responses to DSARs should be provided without delay, without specifying a specific timeframe.
• UK GDPR (United Kingdom General Data Protection Regulation): Similar to GDPR, the UK GDPR stipulates a one-month response time for DSARs, extendable by two months for complex requests.

Download this table with response times for DSARs  here.

It is very important for your company to have a full understanding of the types of DSRs individuals can make, and how those requests need to be managed. If you’re managing these DSRs via email and Microsoft Office tools, you’ll quickly find yourself unable to manage all of the DSRs in a compliant way. Clym’s compliance tool is built with an audit-ready trail which allows you to manage all the DSRs you receive in an efficient and cost-effective way, regardless of whether you receive 10 or 10,000. As the deadline for the request gets closer, we’ll send you multiple reminders via email so you don’t miss it.

What information do I need to provide with my Data Subject Access Request response?

The first question most businesses have is “Am I required to locate absolutely every piece of personal data requested within the DSAR?” 

While every regulation is different, generally complying with the DSAR means conducting a reasonable and proportionate request in light of the amount of data collected and how it is used. 

But what does “reasonable” mean? That’s a subjective term, so it will depend on a variety of factors and may require a judgment call. Having a policy in place at your company regarding the amount of employee time you deem reasonable to complete a request may be helpful as a guideline. Just don’t expect complying with DSARs to take the same amount of time every time. 

To make it easier, let’s look at the types of DSRs that may be submitted. For example, when someone asks for a DSAR, meaning for access to their data, your organization needs to give a complete list of their personal information. Sometimes, the person may want specific details, and you must provide what they ask for. They can ask for:

• Confirmation that you use their personal data;
• Access to specific information about them;
• Why you're allowed to process their data;
• How long you'll keep their data (or the criteria for deciding, like "as long as you're a customer");
• Where you got their data;
• Any details about automated decision-making;
• Names of third parties you share their information with.

Once they have a summary usually, data subjects may follow up with a data subject request (DSR) for deletion of personal information, meaning they might ask you to delete all or part of the personal information you have collected and processed about them. Once you’ve located the data, unless legally granted exceptions apply, i.e. an invoice or a contract, delete it and confirm this to the data subject. 

The same goes when your company receives a data subject request (DSR) for correction of personal data. If they notice an error in the personal data you hold about them, data subjects may ask you to correct this. Once you’ve done this, simply confirm to the data subject the completion of the request, within the legal timeframe for this. 

The scariest data subject request (DSR) is the one for opt-out, known also as the opt-out right, a request that data subjects can submit under the CCPA/CPRA in California, for example. However, this type of data subject request (DSR) simply means you can no longer share their personal data with third parties for the purpose of targeted advertising. Businesses covered by privacy legislation such as the CCPA/CPRA need the right tool to ensure that this side of compliance is also covered. 

The key takeaway here? 

DSARs give individuals the right to discover what data an organization is holding about them, why the organization is holding that data and who else their information is disclosed to. Are you collecting email addresses and phone numbers? That counts. Is your website using tracking scripts and cookies? Guess what, IP addresses are considered personal data, so that information is in scope. The more data you have, the more difficult, time-consuming and expensive responding to DSARs may become.

Clym's compliance widget stands out as a powerful solution for effectively managing Data Subject Requests (DSRs) and Data Subject Access Requests (DSARs), including those related to the CCPA/CPRA. With our compliance solution, you can easily and conveniently place a footer link on your website for the Do Not Sell or Share My Personal Data requirement of the CCPA/CPRA, which allows users to opt-out.

Clym's compliance widget not only facilitates DSAR submissions but also ensures a secure and efficient response process, including identity authentication and transparent communication about the steps taken, meaning your users and your company’s legal team can sleep well at night knowing commitment to data privacy is facilitated, and trust with users is continuously built. 

Who should respond to a Data Subject Access Request from my company?

The most common approach that businesses take is assigning a person within the organization responsible for privacy matters who possesses knowledge of data privacy regulations and data protection, be that a Data Protection Officer (DPO), or not. 

While the DPO isn't required to handle every request personally, they may supervise the process to guarantee that responses are precise, timely, and compliant. Not all companies are required to have a Data Protection Officer within the organization, but many privacy laws require to have a dedicated person assigned to oversee data protection matters. Also, remember that documenting your Data Subject (Access) Request response process is a wise practice that will allow any member of your organization to adhere to it.

Data Subject (Access) Request Templates

A data subject request template refers to a standardized data subject request form that your business makes available to data subjects so they can submit a data subject request with your business. This should be customized to be relevant to the applicable data privacy regulations in the jurisdictions where you conduct business. 

This standardized form should cover a few specific points, such as obtaining sufficient information to locate the individual in your company’s database, verifying their identity successfully, understanding the nature and scope of the data subject request, providing the data subject with proper information about the next steps in the submission process, and setting the right level of expectation in terms of timeframe. Many of these can be built into compliance management tools that give data subjects a way to submit a data subject request and verify it, for example, by clicking on a link that is generated and sent to the email address they provided in the data subject request form on your website. Once they’ve clicked the link, they can then be informed via automated email of the next steps in the process and the relevant timeline. 

In written form, a data subject request template example, one of many, can look like this: 

You can download the Data Subject (Access) Request template here. 

Clym’s data subject request management tool makes it easy for you to timely respond to DSRs through your admin account on our platform so that all responses and correspondence are time-stamped and tied directly to each request. We understand that nobody likes to be audited, but the reality is that you might be audited at some point and lack of an audit trail will cost you a pretty penny! 

Let us help!

To save you and your team additional time, Clym provides you with default reply templates for various data subject requests, however if you’d like to add your own language, feel free to make any tweaks you deem necessary. 

Here is an example of a template reply you can send a data subject that has submitted a data subject request for opt-out under the CCPA/CPRA: 

How to handle and document Data Subject (Access) Requests?

The specific steps for DSR handling can vary based on the applicable data privacy regulation in your jurisdiction, so you should always make sure to stay informed about any updates or changes to this regulation. That being said, certain steps are considered common, but businesses have a great deal of freedom with regards to their process for handling DSRs. Even data subjects themselves have the freedom to request their data in an app, over the phone, or in person. Bear in mind that a data subject doesn’t have to use terms such as DSR or data subject request; they can simply say “I want to know what data you have on” and this is a valid DSR for access,  DSAR. 

Here are some industry standard steps for how to handle and how to document a DSR:

• Acknowledge the Request: upon receiving a data subject request you should acknowledge its receipt.
• Verify the Requester's Identity: verify the identity of the person making the DSR to ensure that you provide information to the correct individual. This may involve requesting additional information to confirm their identity.
• Understand the nature of the DSR: check the DSR to gain clarity around the request and correctly identify whether it is one for access, rectification, etc.  Ask for specific details or clarification if the request is broad or unclear.
• Search for and Gather the Data: identify all relevant data associated with the data subject by searching through various systems, databases, and document repositories.
• Review any legal obligations: consider any legal restrictions or exemptions that may apply to the information requested. Some data privacy laws will allow you to withhold certain information in specific circumstances, for example, when it reveals commercial secrets or other information deemed confidential.
• Communicate any delays: for situations where you cannot  respond to a DSR within the stipulated timeframe, you are required to communicate the reasons for the delay to the data subject and provide an estimated date of completion. This is a crucial component for cases where an extension of the timeframe is required. 
• Seek legal advice for complex DSARs: for complex DSARs, seek legal advice to ensure your organization’s compliance and proper handling. If needed, involve your organization's Data Protection Officer (DPO) in the process, especially for complex or sensitive DSRs.
• Review the data and redact any relevant parts: review the collected data to ensure it does not contain any information about other individuals and redact any third-party or confidential data. Send the requested information: provide the requested information in a format that is understandable and easily accessible by the data subject, i.e., in electronic or paper format, and include a section at the end of your response in which you remind the data subject of their data subject rights, including their right to complaint. Make sure that the method of providing information is secure.
• Document the data subject request handling process: make sure to maintain a detailed record of the steps you took to respond to the DSR, as this will prove crucial later on for demonstrating compliance with data protection regulations.
• Review and update your internal policies: consider regularly reviewing and updating your organization's DSR policies and procedures to ensure ongoing compliance with data protection regulations.

What happens if I don’t respond to a Data Subject (Access) Request?

Regarding the fines for failing to comply with DSARs, as with most data privacy, this depends on the jurisdiction. Failing to respond to data subject requests can result in GDPR violations of up to €20 million or CCPA  violations of up to $7,500 per incident (read: each time you fail to respond to a DSAR). 

Typically, organizations are fined for failing to respond  to requests in a timely fashion and failing to conduct a reasonable search related to personal data, for a number of reasons, including the fact that they either:

• Aren’t providing individuals with a method to make these requests;
• Aren’t timely responding to requests; or
• Are managing data subject requests through emails and Microsoft Office or similar software that is neither timestamped nor scalable. 

DSR requests have expanded significantly in volume since GDPR was implemented. With the passage of data privacy laws such as California’s CCPA and Brazil’s LGPD, we can expect to see a spike in requests as awareness around the rights granted by these laws grows. Those companies that are not leveraging technology will struggle to keep up with growing DSARs and increase the likelihood that they’ll suffer significant financial penalties.

As a best practice for improving in this area, consider the following: 

1. Purge unnecessary data. This is called “data minimization,” a practice that involves deleting old and unused information, and is an ounce of prevention that can save you a pound of cure in the form of sifting through mountains of data for each DSAR.
2. Next, create a written procedure for your staff to deal with access requests to include:
   • details on how individuals can make an access request;
   • how the person’s identity is verified before granting the request;
   • how your company firm should search for the data; and
   • how the data is reviewed before being sent out.
3. Last but not least, leverage technology that can provide a flexible and scalable approach. Of course, we’re not talking about Microsoft Office tools, but rather about tools that can do the 4 things in point #2 above.

How can Clym help with Data Subject (Access) Requests?

Clym's revolutionary Cookie Consent Manager is a streamlined solution for DSR management  so your company’s DSAR compliance is facilitated. You can effortlessly navigate through the intricacies of 40+ international data privacy laws, encompassing GDPR in Europe, LGPD in Brazil, and CCPA in California. Our platform goes beyond compliance; it intelligently adapts to regional regulations through built-in geolocation rules, ensuring seamless adherence to diverse requirements.

In the ever-evolving landscape of data privacy, Clym is your ally, alleviating the challenges of staying current with regulatory changes. Our system takes the burden off your shoulders by automatically updating the DSAR types whenever there's a modification in the covered regulations. Bid farewell to the constant monitoring of data subject requests (DSRs) and manual logging of these—Clym does it all for you.

At Clym, we believe in harmonizing digital compliance with your business needs, offering a suite of benefits, including an all-in-one platform that combines Privacy and Accessibility compliance with global regulations at an affordable price.

Experience seamless integration into your website, adaptability to users' locations and applicable regulations, customizable branding, ReadyCompliance™ covering 40+ data privacy regulations, and accessibility options, which include six preconfigured accessibility profiles and 25+ display adjustments for visitors to tailor their individual experiences. Clym is not just a solution; it's a commitment to simplifying and enhancing your digital compliance journey.

Convince yourself and see Clym in action today by booking a demo or reaching out to us to discuss your specific needs.