What to Do After Receiving a Data Subject Access Request (DSAR)
In the digital age, organizations of all shapes and sizes should take steps to safeguard the personally identifiable information (PII) that they collect, process and/or store from any individual. Jurisdictions with a data privacy regulation generally include provisions for individuals to submit a Data Subject Access Request (DSAR) related to that PII. When that occurs, organizations must act diligently to comply with the law and avoid violating the applicable regulations, which carry both significant financial penalties and reputational risk.
Most regulations require that organizations offer the option to submit DSARs online, and in our experience, most consumers prefer this method. Many organizations without a comprehensive DSAR management platform struggle to operationalize their DSAR management, resulting in missed deadlines, disorganized records, and expensive regulatory violations.
What is a Data Subject Access Request (DSAR)?
In short, a DSAR is a request made by an individual to an organization to access their personal data. In a typical scenario, a website collects information such as:
- Your name, address, and contact information
- Your purchase history
- Information about your browsing habits on a website
- Any data you've submitted to an app
What’s the Difference Between a DSR and a DSAR?
While often used interchangeably, DSR generally refers to any request made by a data subject regarding their data, including requests for rectification, erasure, or restriction of processing. DSAR specifically refers to a request for access to personal data.
What Should the DSAR Include?
A DSAR should be clear and specific, detailing what data the individual seeks. It’s advisable for the requester to provide any information that can help the organization locate the data, such as date ranges or types of interactions with the company. Organizations can ask for identification to verify the requester’s identity to prevent data breaches. If you would like to learn more about the different types of DSRs, see our in-depth Data Subject Request guide.
What Information Can an Individual Request from a DSAR?
Individuals are generally entitled to the following (this may vary based on jurisdiction):
- Confirmation that their personal data is being processed.
- Access to their personal data.
- Supplementary information, which often aligns with what is provided in a privacy notice. This includes processing purposes, data categories, data recipients, retention periods, and information about data sources.
How to Respond to a DSAR Request?
Upon receiving a DSAR, an organization should:
- Verify the identity of the requester to ensure data is not disclosed to unauthorized persons.
- Log the request and begin data retrieval processes.
- Gather the relevant data and supplementary information.
- Review the data to ensure it doesn’t include information about other individuals unless consent has been obtained or it’s reasonable to disclose.
- Provide the data in an intelligible form, explaining any technical terms or codes used.
How Long Does an Organization Have to Respond to a DSAR?
Depending on the regulation, organizations must generally respond to a DSAR within one calendar month, though time limits vary from jurisdiction to jurisdiction. This period generally starts from the day the request is received, or from the day the organization obtains any further information needed to clarify the request or verify the requester’s identity. Extensions may be allowed, depending on the jurisdiction, for complex or numerous requests, but the individual generally must be informed of the extension and the reasons for it.
Can an Organization Refuse to Provide Information for a Request?
Generally yes, but only under specific conditions on a jurisdiction-by-jurisdiction basis. An organization may refuse to comply with a DSAR if it is manifestly unfounded or excessive. Examples include requests that are repetitive or harassing. If refusing, the organization generally must inform the individual of the reasons for refusal and their right to complain to the relevant supervisory authority within a specific jurisdiction and to seek a judicial remedy.
What Happens if an Organization Does Not Handle a Data Subject Request?
Failing to handle a DSAR appropriately can result in complaints to data protection authorities, investigations, and potential fines. Organizations may also suffer reputational damage and loss of customer trust. It’s crucial to document all DSAR processes to demonstrate compliance and accountability.
Key Takeaways
- Understand the scope and requirements of DSARs.
- Implement a clear, efficient process for handling DSARs.
- Ensure timely and accurate responses to avoid legal and reputational repercussions.
- Educate staff on the importance of DSAR compliance and data protection principles.
Resources
- Data Subject (Access) Requests in 2024: The Complete Guide to DSRs
- ICO: Right of Access
- IT Governance: How to Respond to a Data Subject Access Request
- EDPB Guidelines on Data Subject Rights
How can Clym help?
Without a robust compliance platform, managing DSARs can cause your organization a lot of headaches, especially with the ever-evolving data privacy regulatory landscape. Clym can help simplify this process for your organization in the following ways:
- Streamlined DSAR Management: Clym’s platform helps you navigate the intricacies of 40+ international data privacy laws, facilitating compliance with GDPR, LGPD, CCPA, and more. Built-in geolocation automatically adapts to regional regulations, so you can focus on your core business.
- Automated Updates: Clym stays current with regulatory changes, automatically updating DSR types whenever covered regulations are modified. No more manual monitoring or updates are required from you.
- Easy Processing: Clym makes DSAR processing easy. Our system logs all incoming requests, automates reminders so you can respond in a timely manner and provides templated replies. Each task is time-stamped in our system to provide you with an audit trail to demonstrate compliance with various regulations.
Michael is an experienced C-suite executive who has spent his career guiding organizations through an ever-evolving regulatory landscape. After starting his career at Ernst & Young, Michael worked as a CFO with large, global organizations before co-founding Clym to assist organizations of all sizes with their website regulatory compliance needs.
FAQs about Data Subject Access Requests
What is a DSAR?
A request from an individual to access their personal data held by an organization.
How long do I have to respond to a DSAR?
Generally, you have one calendar month, extendable for complex requests, depending on the relevant jurisdiction.
Can I refuse a DSAR?
Generally yes, if the request is manifestly unfounded or excessive, but you must inform the requester and provide reasons.
What should I include in a DSAR response?
The data requested, confirmation of data processing, and supplementary information about the data.