It has become far easier to collect, store, analyze, and share vast amounts of personal data in the digital age, as demonstrated by big tech players in social media and search engines. These big tech players can permanently store massive records of our personal data and online activities even without our knowledge. There is hardly a technology company today that does not collect and store the personal data of its users.
What is a DSAR?
For this reason, it has become more critical than ever for data subjects (identified or identifiable persons whose personal data is held by companies) to have the right to know if an organization is storing and using their data, and also to have the right to access and possibly receive a copy of that data. A request to exercise this right is commonly referred to as a Data Subject Access Request (DSAR).
A DSAR is a request made by a data subject to a data controller (an organization that collects and holds personal data and determines how it is processed) to access the personal data collected concerning them.
If an organization collects and uses an individual’s data, that organization must grant that individual access to their data. DSAR is one of the most fundamental rights in data protection laws around the world. The EU, US, and other developed democracies have all implemented laws that regulate access to personal data and other data subject empowerment measures that give individuals back control over their data.
The EU General Data Protection Regulation (GDPR), the US Health Insurance Portability and Accountability Act (HIPAA), and California Consumer Privacy Act (CCPA), among others, have all implemented DSAR as part of the fundamental right to data protection.
For example, recital 63 of the GDPR states that: “A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, to be aware of, and verify, the lawfulness of the processing.” Furthermore, section 2 of the CCPA states thus: “...The Legislature intends to further Californians’ right to privacy by giving consumers an effective way to control their personal information by ensuring the following rights:…(4) The right of Californians to access their personal information.”
| Aspect | GDPR | CCPA |
|---|---|---|
| Deletion rights | Applies to all data concerning a data subject | Applies only to data collected from consumers |
| Response format | If delivered electronically, the format should be something familiar and easily accessible. | Must be delivered by mail or electronically. If provided electronically, it should be portable and in a usable format |
| Consent and notification | Businesses must inform consumers of their rights at the point of data collection. | Businesses must inform consumers (at or before collection) of the kind of personal data to be collected and what it will be used for |
Table 1.0 | DSAR under GDPR vs. CCPA
Most DSAR implementations give an individual the right to receive confirmation that a company is or is not collecting their data and grant them insight into how their data is being used, including the ability to request correction or erasure of data collected. However, there may be slight variations depending on your local data protection laws. This helps individuals exercise control over their data held by an organization and check that the organization is using it lawfully. In the following sections, we will dig deeper into the concept of DSAR within the context of GDPR compliance.
How is a DSAR different from an FOI request?
People sometimes confuse DSARs with Freedom Of Information (FOI) requests. This usually leads to misunderstandings when making access requests. Although they sound similar, they are quite different.
The best way to determine if you need to initiate a DSAR or FOI request is to think about the kind of information you are requesting. Ask yourself the question: what information am I asking for?
If the information you are asking for is related to you and your data, then a DSAR is needed. If the information you are asking for is about the number of unique mobile internet users in a given year, for example, then an FOI request is what you need. FOIs are commonly used by journalists who want to find national data to back up their news reports. The table below highlights the key differences between DSAR and FOI:
| Question | FOI request | DSAR |
|---|---|---|
| What data are you requesting? | Public information: information not related to myself | Personal information: information about myself |
| Will I always get the information I want? | Not always. Some can be withheld to protect the government and the public | Organizations are expected to provide you all your data |
| Do charges apply? | In some cases, yes. Mainly if the request requires a fair bit of admin | Generally no (unless the demand is excessive or unfounded) |
| Can I complain if I’m not satisfied with the quality of the response? | Yes | Yes |
Table 2.0 | Difference between DSAR and FOI
How should data subjects initiate a DSAR?
A DSAR can be initiated by anyone whose personal data is held and processed by a data controller. There’s no formal process for starting or making a request. A data subject can initiate a DSAR on social media, verbally over the phone, by completing and submitting a DSAR form on an online portal, or by sending an email. Individuals are not obligated to provide any reason for initiating a DSAR, and no specific form of words is required. You could simply say, “I’d like to receive a copy of the data you have on me,” and that would be considered a DSAR. However, it is recommended that data subjects submit requests in writing. This creates a record of the request for both parties, including the date it was made, the types of data being requested, and other relevant information for easier tracking.
A DSAR is valid if it is clear that the data subject or individual concerned asks for their data. The data subject may ask a third party (such as a lawyer, contractor, relative, or friend) to initiate a DSAR on their behalf. It is the third party’s responsibility to provide evidence of their authority to act on behalf of the individual.
How should data controllers fulfill a DSAR?
In many organizations, the Data Protection Officer or DPO (someone whose job is to ensure that the organization is correctly protecting personal data according to the prevailing local legislation) is responsible for handling DSARs. Whatever the case may be, there should be someone designated within the organization to oversee DSAR processes and document all requests, both to demonstrate accountability and compliance and to ensure responses are provided within agreed timeframes.
Since time is of the essence when responding to a DSAR, it’s a good idea to ensure you have an established DSAR process beforehand to deal with access requests promptly. The following steps are recommended when dealing with DSAR:
- Verify the subject’s identity: The first step in dealing with a request is to verify the requester’s identity to ensure you are not dealing with an impostor. If you send subject data to the wrong person, you may cause a data breach. Once you have verified the requester’s identity, you can then determine whether you have all the information you need to fulfill the request before securely distributing the information.
- Understand the nature of the request: Review the DSAR to determine what the requester wants to know. Is it merely an access request, or are they invoking other rights such as erasure or the correction of inaccurate data? You also need to establish how long it will take you to respond to the request to know if you’ll need more time to respond. If more time is required to respond, explain this to the data subject and ask for an extension.
- Inspect the data: Once you have collected the data, check whether the data needs to be amended. Before sending the data to the data subject, you’ll need to scrutinize it to ensure that it doesn’t include data about any other data subjects; otherwise, you may be committing a data breach.
- Package the data: Once you’ve collected all the data, determine the most appropriate format to provide the information. This will depend on the kind of information you’re providing, and the format must be something familiar and easily accessible.
- Send the data to the subject: The final step is to send your response to the data subject. Document your communications with requesters, so there’s an audit trail to demonstrate accountability and compliance. Before sending the information, ensure the data subjects know their rights, including the right to complain. Where possible, it is recommended that you give data subjects secure remote access to download their data.
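The "Inspect the data" step above, as an added example that is not part of the original article: a check that scans a collected DSAR export for email addresses belonging to anyone other than the verified requester, redacts them, and records each redaction for the audit trail. The record layout, function name, and sample data are constructed assumptions.

```python
import re
from copy import deepcopy

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PLACEHOLDER = "[REDACTED: other data subject]"

def inspect_export(records, requester_emails):
    """Redact email addresses of other data subjects from a DSAR export.

    records: list of dicts (hypothetical export layout, one dict per item).
    requester_emails: addresses confirmed during identity verification.
    Returns (clean_records, findings); findings belong in the audit trail.
    """
    allowed = {e.lower() for e in requester_emails}
    clean, findings = deepcopy(records), []  # never mutate the source data

    def scrub(text, record_id, field):
        def repl(match):
            addr = match.group(0).lower()
            if addr in allowed:
                return match.group(0)  # the requester's own data stays
            findings.append({"record": record_id, "field": field, "value": addr})
            return PLACEHOLDER
        return EMAIL_RE.sub(repl, text)

    for rec in clean:
        for field, value in rec.items():
            if isinstance(value, str):
                rec[field] = scrub(value, rec.get("id"), field)
    return clean, findings

# Constructed sample export for a requester verified as alice@example.com.
SAMPLE_EXPORT = [
    {"id": 1, "type": "ticket", "body": "From alice@example.com: please update my address."},
    {"id": 2, "type": "ticket", "body": "Alice (alice@example.com) was referred by bob@example.org."},
    {"id": 3, "type": "note", "body": "Call scheduled, cc Carol.Diaz@example.net"},
]

if __name__ == "__main__":
    clean, findings = inspect_export(SAMPLE_EXPORT, ["alice@example.com"])
    for rec in clean:
        print(rec["id"], rec["body"])
    print(len(findings), "third-party identifiers redacted")
```

Email addresses are only one kind of identifier; names, phone numbers, and free-text references to other people still need a human reviewer before the package is sent.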
Under GDPR, for example, data controllers are not allowed to charge a fee for DSAR fulfillment. However, a reasonable fee can be charged for administrative costs if the request is unfounded or excessive. You can also refuse to comply with a DSAR if it is manifestly unfounded or manifestly unreasonable. If you refuse to comply with a request, you must inform the individual of why, their right to make a complaint to the supervisory authority, and the option to enforce their rights through the courts.
What information are data controllers obligated to provide in a DSAR response?
Generally speaking, a data controller is obligated to confirm that they are processing personal data. They are also obligated to provide a copy of that personal data on request within a specified timeframe.
Depending on the information being requested, the data controller is also obligated to provide other specific information such as:
- Information about rights to rectification, restriction of processing, as well as rights to be forgotten or erased.
- Information about automated or AI-based decision-making algorithms using personal data
- Sources used to collect personal data (if the data is not collected directly from the individual)
- Information about how long the organization keeps personal data (data retention period)
- Third parties with whom the organization is sharing personal data, if any
- Categories of personal data the organization is processing
- Purpose of personal data processing
How to prepare for challenges associated with DSAR
Responding to a DSAR is not as easy as most people imagine. Finding the personal information you’re supposed to provide can be challenging, particularly if your organization is engaged in massive data collection and processing. Therefore, responding to DSARs requires a careful understanding of what personal information you store, where it’s located, and its purpose.
It’s also important to note that there are risks associated with fulfilling a data subject request which you must be aware of, some of which include:
- Data processing should be centralized in a safe workplace to avoid personal data leakage.
- The activity must be documented to demonstrate accountability and compliance.
- Requesters cannot be trusted; you must authenticate them to establish their identity.
- Consumer responses should be encrypted to avoid data breaches.
- Managing deadlines is critical to successfully fulfilling DSARs.
- Data delivered to the wrong person can be catastrophic.
However, there are ways you can better prepare your organization for the challenges that come with responding to DSARs. The following measures are recommended:
- Implement data governance policies: Organizations with established data governance policies are better positioned to respond to DSARs appropriately and defend themselves if they’re ever brought before regulators.
- Have a straightforward DSAR process in place: Since time is of the essence when responding to a DSAR, it’s a good idea to ensure you have an established DSAR process beforehand to respond to requests quickly. You may want to create a standard operating procedure or process flowchart to help you handle requests thoroughly and promptly, in line with the requirements of existing local regulations such as the GDPR.
- Train your staff: Data subjects can theoretically submit a DSAR whenever they’re communicating with a member of your team. Therefore, you need to ensure that employees tasked with handling requests can recognize one when they see it and know how to respond.
- Appoint a DPO: You should appoint someone or a team of experts to take responsibility for responding to DSARs. This might be your Data Protection Officer, Chief Privacy Officer (CPO), or other competent employees familiar with the compliance requirements.