If personal data privacy laws have yet to impact your business, you’re sure to encounter them soon. Over 71% of countries worldwide, including parts of the United States and EU, have implemented legislation protecting consumers’ data privacy, empowering them to control the collection and sale of their personal information.
As consumer privacy protections continue to develop, companies should remain informed about Data Subject Requests (DSR) and DSR requirements. In this guide, we’ll break down everything you need to know about DSR, your compliance obligations, various DSR requirements, and what DSR looks like under two far-reaching data privacy laws—the CCPA and GDPR.
What is a DSR?
Data Subject Request (DSR) and Data Subject Access Request (DSAR)—interchangeable terms in the field of data privacy—are part and parcel of consumer protections against unauthorized data collection, use, and sale.
While different laws provide consumers with unique protections, most stipulate one or more of the following rights:
- Consumers’ rights to access personal information a company has collected from them
- The right to request that their personal information be deleted
- The right to secure delivery of their personal data
- The right to opt-out of data sales to third parties
Via DSR and DSAR, consumers can file formal requests to invoke any of the rights above per the laws of their jurisdiction. And, in order to remain in compliance with the law, businesses must:
- Complete the requests as required by law
- Acknowledge consumers’ requests
But the extent of your company’s obligations to fulfill DSR requirements depends on the specific laws that govern its data security operations.
What is DSR Compliance?
Let’s dive deeper into DSR request compliance.
Your company may be operating under the jurisdiction of one or more global data privacy laws if it conducts business in more than one country. Even if your business only maintains brick-and-mortar facilities in one country, it’s important to note the DSR compliance stipulations of nearly all new consumer protections.
They apply to businesses operating in the country that passed the law—and they empower residents of those countries to invoke their privacy rights, no matter where the individuals’ data is being collected. Let’s explore an example:
- A student residing in France attends an English-speaking university.
- They purchase a textbook from a Canada-based bookseller.
- The bookseller collects various personal information to complete the transaction, like:
  - Their name
  - Their delivery address
  - Their email address and phone number
  - Their payment method
- The bookseller stores the customer’s information for future use or sale to a third party.
- The student submits a DSR to the Canadian bookseller, which must honor it.
Even though the student purchased the book from a Canadian company, the student is a citizen of and maintains residency in France—thus, they’re protected by the General Data Protection Regulation (GDPR), a law that requires the Canadian company to honor the request to the extent that the GDPR requires.
DSR Under CCPA and GDPR
We touched upon the GDPR above, but let’s explore it—and another significant data privacy law, the CCPA—in more detail with regard to DSR requirements.
The GDPR requires companies in the EU, and businesses that collect information from EU citizens, to handle consumer data with:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality
Per these requirements, consumers protected by the GDPR can file a DSR to access, delete, update, or opt out of sales of their information.
The California Consumer Privacy Act (CCPA) is similar to the GDPR—it governs businesses in California and companies that collect information from California residents. The CCPA stipulates four key consumer rights to meet the regulatory requirements:
- The right to know what a company does with their data
- The right to delete their data from a company’s records
- The right to opt out of third-party data sales
- The right to receive a completed DSR without discrimination
Requirements for the DSR Process
So, your company is subject to a data privacy law and you receive a DSR from a consumer. What happens next? How do you complete a DSR response?
Most laws require the business to provide a response within 30 days of DSR requests, but an extension of 15 days may be allowed for DSR fulfillment. While you may only be legally obligated to complete the request and inform the inquirer that the request is complete, experts recommend establishing and following a standard operating procedure (SOP) for DSR processing and resolutions. Your company should consider implementing the following steps:
- Logging and tracking requests
- Securely compiling the relevant data
- Completing the consumer’s requested task
- Responding to the customer in a standardized manner
Your company may opt to integrate a data privacy platform to assist with DSR compliance, which can increase the efficiency of resolutions and ensure thorough, lawful privacy operations.
DataGrail: Compliance and Protection at Scale
As your business continues to navigate digital operations, it’s crucial that you comply with DSR requirements and stay informed about regulations. But if your company is trying to navigate the sometimes choppy waters of data privacy laws, you don’t have to go it alone.
DataGrail can help your business stay in compliance—we’re the data privacy solution making it easier than ever for modern businesses to tackle current and future security challenges.
Our all-in-one platform can align your company with compliance regulations and protect your business from data breaches and unauthorized access. Our software pairs with your digital tools—like Slack, Salesforce, and Okta—to ensure data security throughout your entire network.
Keep your information secure and your procedures compliant with help from DataGrail.