What is Data Subject Access Request (DSAR)?
What’s DSAR
All about DSAR Compliance (Data Subject Access request)
A data subject access request (DSAR) is a request for information from the data subject whose personal data you hold. If your organization collects personal data, anyone whose data you have can request access to their information. This includes employees, contractors, suppliers, partners, and so on.
DSAR Meaning
A DSAR is a request an individual makes to know what data you have collected about them. GDPR states in Recital 63: “a data subject should have the right of access to personal data which have been collected concerning him or her and to exercise that right easily and at reasonable intervals, to be aware of and verify, the lawfulness of the processing.” The key factor is whether you are the controller of the data being requested.
Managing DSAR Processes With a Data Protection Officer
If you are the controller, you should appoint someone to manage the process. Organizations with a data protection officer (DPO) or someone in a similar role might find it convenient to assign the request to that person.
If you are a data processor, you do not need to respond to the request yourself but pass that request on to the controller. It is likely that you also have contractual obligations to help the controller respond to DSARs.
Personal Information Under Data Subject Access Request
The GDPR gives data subjects the right to know if you are processing personal data relating to them. If you are, you must give them access to the following information:
- The purposes of the processing.
- The personal data relating to them that you are processing.
- The category of personal data.
- How long the personal data will be held.
- Information about their rights such as the right to object to processing; the right to request rectification, erasure, or restriction.
- Information about their right to complain to the ICO.
- The source of their data, if you did not obtain it directly from the data subject.
- The security measures you provide if you transfer personal data to a third party.
Handling the DSAR Process
A data protection officer (DPO) should have the skills to handle DSARs (Data Subject Access Requests) through a defined process. The stages below act as a reminder that you have one month to respond to the initial DSAR from the date it is initiated, and that you should keep records demonstrating that your DSAR response process has been followed.
- Verify identity: One of the first steps is to verify the identity of the requester. An organization must protect the confidentiality of personal data, so it must have methods for verifying the identity of the person submitting the DSAR. If the data subject is not the person making the request, the organization will need to request appropriate evidence that the requester is legally acting on the data subject’s behalf, such as proof of guardianship, power of attorney, etc.
- Identify the request: A data subject may assert other rights, such as the right to rectification or the right to erasure. Failure to facilitate these rights could result in a fine in the higher bracket or another administrative penalty.
- Clarify the request: Organizations have 30 days to respond to a DSAR; under certain conditions this can be extended based on the type and complexity of the request, although the individual should be informed as soon as this becomes apparent. An organization has to contact the individual to clarify which personal data they wish to receive.
- Know which personal data to disclose: As part of collecting the data, you may need to remove certain elements, because your DSAR response should not reveal personal data relating to another person unless they consent to sharing it or it is “reasonable” to provide the information without their consent.
- Format: Once the DPO has collected all the data, determine the most appropriate format in which to provide the information to the data subject.
- Extra information: Your response to a DSAR (Data Subject Access Request) must also include information about the data subject’s rights and how to exercise them. Before sending the information, ensure that the data subject knows their rights, including the right to complain.