How to respond to DSAR?

Automate Data Subject Request - Mandatly Inc.

What is DSAR?

A DSAR, which stands for “Data Subject Access Request,” is a written inquiry that individuals can submit to an organization to gain insight into the personal information the organization holds about them. It is a legal right under data privacy laws, such as the The California Consumer Privacy Act of 2018 (‘CCPA’), EU General Data Protection Regulation (‘GDPR’), Lei Geral de Proteção de Dados (‘LGPD’), Consumer Data Protection Act (‘CDPA’), Colorado Privacy Act (‘CPA’) that allows individuals to request access to their personal data that an organization or company holds. When someone submits a DSAR, they are essentially asking to review, receive copies of, or even request the deletion of their personal information that the organization has collected and is processing. DSARs are a fundamental part of data privacy regulations, as they empower individuals to have greater control over their personal data.

3 Steps to DSAR (Data Subject Access Request) handling procedure

The three steps to the DSAR response process include identifying and classifying the request, performing data discovery to collect the requested information, processing the request by sending a comprehensive response, and documenting all stages and steps of the request. Additionally, it’s crucial to evaluate and mitigate the risks associated with responding to a DSAR. While the data subject access request procedure (GDPR or CCPA data subject access request) may vary under different data privacy regulations, having a structured process is important to ensure compliance with the law.

1. Identify and classify request

First, identify the modes of how organization or company receives subject rights request.

While many use online forms, some may prefer sending an email or using other methods. Make sure all these ways are working properly so you can keep track of and handle the requests effectively. These requests can have different names like ‘consumer data access request,’ ‘right of access request,’ or ‘data access request.’

After identifying the request, perform identity verification of the requestor. If your company offers services online, customers might have to log in and confirm who they are. For regulations such as GDPR, which also covers employees and vendors, you’ll need to make sure the person is part of your system and find the right information to give them.

2. Data Discovery

Data discovery is a critical step in the GDPR DSAR process and the CCPA DSAR process (Data Subject Access Request CCPA). It involves the systematic and thorough search for an individual’s personal data within an organization’s data ecosystem. The goal is to identify, collect, and prepare the requested data for a comprehensive DSAR response.

Key aspects of data discovery for DSAR response include:

Identifying Data Subject: The process begins by identifying the data subject for whom the DSAR is made. This step helps determine the scope of the search and which systems or databases may contain the requested information.

Defining Data Categories: Data discovery includes categorizing the types of data associated with the data subject. This categorization can encompass personal information as defined under the CCPA and GDPR, such as names, contact details, financial information, and more.

Locating Data Sources: Organizations must identify the systems, databases, and repositories that may contain the relevant data. This can include customer databases, email archives, document management systems, and more.

Data Retrieval: Once the potential data sources are identified, the next step is to retrieve the requested information. This process can involve searching and exporting data from various systems while ensuring the data remains accurate and unaltered.

Data Validation: The data discovered needs to be validated for accuracy, completeness, and relevance to the DSAR. This includes verifying that the data pertains to the specific data subject and corresponds to the request.

Throughout the data discovery process, it’s crucial to maintain the security and privacy of the data. Encryption, access controls, and other security measures should be in place to safeguard the data.

3. Process and document request

Once the documents have been reviewed and exported, they should automatically be made available to the data subject by the organization, website, or online portal in an easy but secure way. If the data package is to be sent to the subject, it should be encrypted or secured. Then, you’ll want a process to close out the DSAR and notify your internal teams that the request has been completed.

Organizations must keep all the process records and documentation, and all data subject notifications, in a single, central location. This should be a robust business continuity system, which is designed to support your compliance activities, and can be replicated across every location in your company. This will help minimize the amount of time you are required to take in-depth action to address the data subject’s request.

Readymade response templates can help ensure an efficient and consistent DSAR fulfilment process. All communications and activities should roll into a reporting dashboard and audit trail to demonstrate accountability, compliance, and progress towards resolving requests.

How long do you have to respond to a DSAR?

Various regulations mention different timelines for responding to Data subject requests. For example, in CCPA its 45 days whereas in GDPR its 30 days, etc. If requests are numerous and burdensome, you are provided with an option to extend the request after informing the reason of extension to data subject.

Failure to respond to DSAR requests within the prescribed time can result into hefty fines and penalties. It also affects your reputation.

Can you charge a fee for a DSAR?

As per most of the privacy regulations, you cannot charge any fee to respond for DSAR requests. However, in some situations, for example: when the request is manifestly unfounded or excessive then you can charge a reasonable fee to cover your cost. The burden to demonstrate the request as manifestly unfounded or excessive is on the Controller.

Who should respond to a DSAR?

It’s always helpful if you authorize a person for the specific responsibility, it can be the Data Protection Officer (DPO). This can be the one with the knowledge of various privacy regulations and ready to take this responsibility. The main role of your DPO can be to complete the data subject requests timely and document the procedure for future reference.

You can also adopt an automated process to compile responses if you deal with a large volume of DSARs. This can be a time saving and cost-effective alternative.

How Mandatly helps?

Mandatly’s DSAR solution provides you with seamless and efficient data subject access request management from submission to fulfilment.

  • DSAR Portal: Centralizes Data Subject/Consumer rights request management.
  • Identity verification: Allows you to verify the identity of the requestors in multiple ways.
  • Auto data discovery: Identifies the system and discovers the data automatically to fulfil subject or consumer requests.
  • Response: Pre-defined response templates with secure delivery of information to the requestor.
  • Reporting: Demonstrates compliance by reporting/logging every action performed in the DSAR process.
Mandatly Privacy Management - Mandatly Inc.

Related Blogs

Why Data Redaction is Essential for Fulfilling Data Subject Access Requests?20240903035039

Why Data Redaction is Essential for Fulfilling Data Subject Access Requests?

Why Data Redaction is Essential for Fulfilling Data Subject Access Requests?In today's data-driven world, organizations are c...
Navigating Data Subject Access Requests: Insights from Case Studies20240806035542

Navigating Data Subject Access Requests: Insights from Case Studies

Navigating Data Subject Access Requests: Case Studies and Best Practices for ComplianceIn today’s data-driven world, organiza...
Building customer trust through data privacy: The role of DSRs20240219083741

Building customer trust through data privacy: The role of DSRs

Building customer trust through data privacy: The role of DSRsBuilding Consumer Data Privacy and TrustIn today's data-driven ...
Getting Started with Privacy Impact Assessment (PIA) Software20231221064257

Getting Started with Privacy Impact Assessment (PIA) Software

Getting Started with PIA Software: Step-by-Step Implementation GuideIntroductionPrivacy Impact Assessment (PIA) software has ...
LGPD Compliance: Checklist & Best Practices20231109071852

LGPD Compliance: Checklist & Best Practices

Preparing for LGPD: Compliance Checklist and Best PracticesOverview Of LGPDThe LGPD, or Brazil's General Data Protection Law,...
Brazilian Data Protection Law (LGPD)20231030043222

Brazilian Data Protection Law (LGPD)

Data Subject Rights Under LGPD Access, Rectification, and ErasureIntroductionThe LGPD, or the Brazilian General Data Protecti...
From Manual to Automated: Transitioning Your DSAR Process20230926112909

From Manual to Automated: Transitioning Your DSAR Process

From Manual to Automated: Transitioning Your Data Subject Access Request (DSAR) ProcessIntroduction to DSAR for Privacy Compl...
CCPA vs CPRA: What is new in DSAR?20221111105135

CCPA vs CPRA: What is new in DSAR?

CCPA vs CPRA: What is new in DSAR?What is CPRA?The California Privacy Rights Act (CPRA), also known as Proposition 24, is a b...
Understanding the 7 Foundational Principles of Privacy by Design20210331035135

Understanding the 7 Foundational Principles of Privacy by Design

7 Foundational Principles of Privacy by DesignAbout Privacy By DesignIn our rapidly evolving digital landscape, where data fl...
Key Consideration for Data Inventory Mapping20201005155051

Key Consideration for Data Inventory Mapping

Key Consideration for Data Inventory MappingData inventory and mapping need to be planned properly to help with analytics cap...
What is Data Subject Access Request (DSAR)?20200305100635

What is Data Subject Access Request (DSAR)?

What is Data Subject Access Request (DSAR)?What’s DSARAll about DSAR Compliance (Data Subject Access request)A data subject a...