As the line between the physical and digital worlds steadily blurs, data privacy becomes a more pressing concern with each passing year. For decades now, companies have openly collected personal data without consent from the data subject.
But that practice is coming to an end and data collection is becoming more transparent.
Data privacy laws like the General Data Protection Regulation (GDPR) now empower individuals to file a data subject request (DSR). Once filed, a DSR lets them see what personal data an organization stores, processes, and transmits. From there, they may be able to take further action—be it transferring, correcting, or deleting the data.
If you’re a company owner, this guide will answer the question—what is a DSR request?—and explore everything you need to know to maintain compliance with GDPR.
Understanding DSR and the GDPR
A data subject request needs to be understood within the greater context of the General Data Protection Regulation.
In 2016, the European Union released the GDPR, which set the legal framework for the collection and processing of personal information from EU citizens.
Considered one of the most stringent privacy laws in existence, the GDPR imposes strict standards on any business—including those operating outside the EU—that targets or collects the data of EU members. Under the GDPR, organizations that collect personal data are referred to as data controllers, or simply controllers.
What’s considered personal data?
The European Union defines personal data as “any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data.”
The GDPR set the gold standard for individual digital privacy, and other jurisdictions soon followed suit, using it as a blueprint for their own laws. For instance, in 2018 California passed its own comprehensive data privacy law, the California Consumer Privacy Act (CCPA).
What Is a DSR?
One of the digital rights championed by the GDPR is the “right of access by the data subject.”
Essentially, this means that individuals have the right to obtain a copy of their personal information, along with other supplementary information, by filing a DSR request (not to be confused with a data subject access request, or DSAR). Once fulfilled, the DSR response will detail how and why the company uses the data.
But the GDPR isn’t limited to simply granting visibility. It also allows impacted individuals to act. By filing a data subject request (DSR), the data subject may ask the data controller to:
- Correct the data
- Pause its processing until corrected
- Delete the data
- Restrict the data’s usage
- Transfer the data to a different controller
Unless an extension is filed, organizations have 30 days to respond to a formal DSR request. Failing to respond appropriately within that time frame can result in significant fines and penalties.
Who Can Request a DSR?
The GDPR protects the digital rights of all EU citizens. Any EU data subject may file a DSR. And they can make such a request with any company that processes their data, even those operating outside of the EU.
The GDPR has influenced various other data privacy regulations globally. Other countries like Brazil and states like California and Virginia have trotted out their own laws, with more expected on the horizon. As such, larger companies have begun to get ahead of the issue by offering data subject requests to all their users, no matter their country of origin, to improve transparency.
How to Respond to a DSR
If an individual files a DSR with your business, what next steps must your company take in the DSR process? There are specific DSR requirements for responding.
As mentioned, you have 30 days to appropriately respond to the request. DSR fulfillment compliance then entails the following actions:
- Collect DSR – Organizations should provide an easy way for users to file a DSR request, whether through an online form or a designated email address. Once requests are filed, they should be gathered and collated in one place.
- Perform identity verification – Given the threat of cybercrime, companies must handle private data carefully. A bad actor could file a fraudulent request to obtain someone else's personal information. Companies should therefore install safeguards to screen and verify the identity of the requester before disclosing anything.
- Provide access to the data – After identity verification is complete, the data controller must deliver the report on the personal information, using clear and plain language so that it's easy for users to understand. This will include:
  - A copy of the personal information
  - The purpose of processing that data
  - The categories of personal information collected
  - The timeline for data retention
- Respond to the request – If the data subject notices that their data is incorrect, they may ask the company to rectify the mistake. If they wish to have the data deleted, the data controller may be able to deny the request so long as it has legitimate reasons to retain the data, such as tax reporting.
Automating DSR with DataGrail
The introduction of the GDPR has changed the way organizations must handle and think about data privacy. It's now an essential aspect of effective cyber security and regulatory compliance, and privacy laws such as the GDPR and the California Consumer Privacy Act continue to strengthen protections for personal data.
For companies looking to comply with international data protection regulations, one of the most challenging aspects of DSRs involves pinpointing data across your systems, verifying the user, and then taking the proper actions—all within the allotted time frame.
But with DataGrail’s data privacy platform, modern companies have an easy-to-use solution that simplifies, automates, and scales their privacy programs. With the Live Data Map and Request Manager, you can foster organization-wide compliance, making sure that nothing falls through the cracks.
GDPR. What is GDPR? https://gdpr.eu/what-is-gdpr/
Office of Attorney General. California Consumer Privacy Act (CCPA). https://oag.ca.gov/privacy/ccpa