Data Subject Access Request (DSAR) for GDPR Compliance

Individuals submit a Data Subject Access Request (DSARs) to organizations to access their personal information or related materials and find out how that information is being used. These requests should be observed as an expression of the individual’s privacy rights as described in Europe’s General Data Protection Regulation (GDPR) and now in other privacy laws like the California Consumer Protection Act (CCPA). These written or verbal requests may be communicated to an organization via all verifiable platforms and can be submitted by a third party on an individual’s behalf.

Unless a valid exemption or restriction applies, or a request is demonstrably incoherent or unreasonable, the organization must fulfill the DSAR within a specified time frame to remain compliant with the GDPR’s data subject rights and other similar privacy laws.

What is a Data Subject Access Request (DSAR)?

DSARs are requests submitted by anyone a business may hold data on. A “data subject” can be a consumer, an employee, a vendor, or anyone else with data held by an organization. Across the industry, DSARs may be known as privacy requests, consumer privacy requests, and more.

For the purposes of this glossary entry, we’ll mostly refer to DSARs as “requests” or simply, DSARs.

DSARs vs DSRs

When it comes to DSARs and Data Subject Requests (DSRs), some are starting to use the terms interchangeably. However, it’s important to understand their distinct differences.

Where DSARs serve the specific purpose of requesting access to held data and its use, DSRs encompass the many other data subject rights available to requesters, including rights to:

• Correct data
• Pause data processing
• Delete data
• Restrict data usage
• Transfer data to a different controller (data portability)

Why would someone submit a DSAR or DSR?

Privacy is becoming more than just a compliance issue. According to our Great Privacy Awakening report, 79% of people expect to have control over how their data is used at a business. 

• Data Privacy Concerns (DSAR)
  • An individual may want to submit a DSAR if they want to know what data a company holds on them, and how it’s using that data.
• Data Deletion & Erasure (DSR)
  • An individual may want to delete the data a company holds on them and would submit a data subject request for deletion, instead of a request for access.
• Data Breach Recovery (DSAR)
  • An individual may be worried their data was involved in a security breach. 
• Data Correction & Management (DSAR)
  • Information held by a company may be incorrect or outdated, and a DSAR is the best way to receive a full data summary to check.
• Summary of Data Collection (DSAR)
  • Organizations are responsible for providing a full summary of data they hold on an individual.

Who can submit a DSAR?

Any data subject — an employee, contractor, supplier, partner, or customer — can submit a DSAR to an organization responsible for protecting their personal data in any clearly communicated way. This includes verbal, written, and electronic requests via email or social media. 

In some cases, a third party may submit a DSAR on behalf of an individual. Some examples include:

• A friend or relative is acting as an authorized agent to assist with a request
• A parent or guardian requests information on behalf of a child
• A legal official submits a request on behalf of a client
• A person designates an authorized agent to process requests on their behalf

What’s included in a Data Subject Access Request response?

A DSAR response should include a summary of all data held by a company on the requester, as well as a summary of whom that data may have been shared with or sold to.

What are the categories of personal data?

The categories of personal data can differ across different privacy laws. For example, according to the GDPR: 

• “‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

The GDPR specifically outlines the categories of personal data as:

• Race
• Ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data (where this Is used for identification purposes)
• Health data
• Sex life
• Sexual orientation

What are subject rights?

Remember: DSARs are only for accessing a data collection and use summary. However, for example, the full list of rights offered by the GDPR is:

• The right to be informed about the collection and use of personal data
  • The data subject must be notified when their data is recorded
• The right to access personal data and how it's processed
• The right to rectify inaccurate or incomplete personal data
  • A request to rectify inaccurate data requires fulfillment/compliance within a month. 
• The right to erase data
  • Data subjects can request the erasure of their personal data — this must be completed within 30 days
• The right to restrict the processing of personal data
• The right to data portability 
  • Data subjects can move their data from one platform to another with ease, safety, and security
• The right to object 
  • Subjects can object to their information being used for marketing, sales, or other purposes
• The right to object to automated decision-making and profiling
  • Subjects can say no to automated decisions concerning their data

What’s the standard DSAR Response Process?

Step 1: Collect and log requests

Note: DataGrail makes collecting and organizing inbound DSARs easy with user-centric forms that automatically populate a centralized dashboard.

• Your first DSAR fulfillment task is to formalize the request collection process. Individuals must know their data rights and have an easy way to submit a request. Setting up customer-facing webforms is one of the multiple ways to enable this. To make the process as intuitive as possible, these forms should be branded, compatible with all devices, easily accessible, and user-friendly. 
• Organizations must accommodate DSARs within a legally specified time frame and creating a log of inquiries is crucial to successful request management. Privacy leaders need to establish an infrastructure to handle DSARs, including:
  • Consumer request channels, like:
    • An online form
    • A dedicated email address
    • A phone extension or hotline
    • An in-person request
  • Intake and logging standard operating procedures
  • A logging system to track various metrics (consumer name, request date, deadline, and more)

Step 2: Verify the subject’s identity and review requested information

Note: DataGrail’s Smart Verification™ uses pre-existing data to automatically authenticate user identities

• To protect individuals’ data, it’s critical to verify a requester’s identity prior to processing the request.
• Caution is important, but so is restraint. The Irish Data Protection Commission’s (DPC) guidelines advise organizations to tread carefully when responding to a DSAR, stating that:
  • Proof of identity should only be requested where reasonable and proportionate to do so
  • Controllers should only request the minimum amount of further information necessary 
• Verification is crucial, but companies should avoid asking customers to submit additional data or resubmit passports and IDs. How then can you stop fraudulent DSR requests while still upholding data subject privacy? The least intrusive verification method should leverage pre-existing data and request two-factor authentication. For instance, to finalize a request, an organization may ask the data subject to: 
  • Provide their phone number 
  • Receive a text or call to the number, containing a verification code
  • Enter the verification code
  • Select a security question
  • Answer it accurately
• When the requester’s identity is verified, ensure the request’s specific ask is clear to the person or team handling the DSAR fulfillment process.
• After reviewing the request, it’s best practice to acknowledge the contact. Recognizing the request gives the data subject peace of mind knowing the DSAR arrived and the appropriate actions will be taken.

Step 3: Gather, package, and review the data

Note: DataGrail’s powerful Privacy Control Center automates this process to reduce business risk via human error and build trust with customers. Below is a step-by-step manual fulfillment guide.

• Standard operating procedures for manual DSAR fulfillment should outline:
  • The various network locations employees should search for stored data
  • Where employees should compile an individual’s information
  • Which employees may access the stored data and the compilation document
• Data is often fractured or duplicated across a company’s operations, systems, and networks. Whether it’s stored in a CRM, PDF file, or application, organizations must be accountable for every bit of personal data used, processed, or stored.  
• Collecting the requested data and information could require different permissions based on your industry or the type of consumer submitting the DSAR. Some examples:
  • If a former client of a law firm files a request, only specific employees may have access to their information per their jurisdiction’s counsel-client confidentiality laws
  • If your company is transitioning from paper files to a fully electronic system, customer data could temporarily be stored both digitally and physically — and different employees may have access to each storage type
  • If you’re in the healthcare industry, your business and employees must also accommodate medical confidentiality laws — like HIPAA, for US-based companies
• Reviewing the gathered data is vital: It’s important to ensure the data meets internal requirements for upholding or rejecting the request. For instance, data can’t be revealed if the disclosure infringes upon another person’s privacy rights.
• It’s crucial that a logging system accommodates the various workflows in the DSAR fulfillment process. As employees complete requests, they should log:
  • The date and time of task completion
  • The authorization they requested and/or received to complete the task
  • The locations of the data they accessed
  • Internal and external communications required to address the request
• While complying with the law and consumer requests are the most important parts of the DSAR process, logging the steps taken will help a company remain transparent in the event of a regulatory audit or future requests from the same consumer.

Step 4: Provide the data to the requester

Note: For DataGrail users, this step is also automated. 

• Once the logging process is complete and all relevant data is collected, it’s time to complete the request and send the requester their data.
• Deliver the report using clear and plain language so that it’s easy for users to understand. This will include: 
  • A copy of the personal information 
  • The purpose of processing that data 
  • The categories of personal information collected 
  • The timeline for data retention
• It’s important to note that different regulations stipulate specific acknowledgment procedures. For example, the GDPR requires that requests made electronically must be acknowledged electronically unless otherwise requested by the consumer.
• The request can now be marked “complete.”

What is the role of a Data Protection Officer (DPO) in the DSAR process?

Per the European Data Protection Supervisor, the DPO’s primary role is ensuring their organization processes personal data from employees, customers, providers, or other data subjects in compliance with applicable laws and regulations.

Note: While ensuring the compliant processing of DSARs may be the responsibility of a data protection officer, any individual in an organization may receive a subject request and must comply in a timely manner.

Who should respond to a DSAR request?

For companies building a DSAR fulfillment program from the ground up, it’s beneficial for candidates to have previous DSAR fulfillment experience and privacy regulation knowledge. However, once a streamlined, robust subject request fulfillment program is in place, specific privacy knowledge and training become less important for day-to-day operations, as key decisions are elevated.

How much time is allowed to respond to a DSAR?

The amount of time an organization has to complete and respond to a DSAR depends upon the jurisdiction. Most laws require that businesses oblige and acknowledge requests within 30-45 days. However, some jurisdictions allow companies to request extensions of up to 15 days, and GDPR allows extensions of up to two months.

What happens if you don’t respond to DSARs in time?

Implementing a working DSAR fulfillment model is critical for long-term organizational health and success. There are several reasons to prioritize request fulfillment, but three stand out:

1. GDPR Compliance Issues — Want to avoid illegal actions, costly fines, and penalties? Complying with the GDPR means fulfilling DSARs promptly.
2. Loss of Customer Loyalty — DSARs empower users to take agency over how companies use their personal data. If a company doesn’t provide a quick, transparent fulfillment process, it can seem disrespectful toward data subject privacy rights.  
3. Security Issues — Companies may receive sharp increases in DSARs which can create system-wide log jams. As requests build up and overwhelm internal staff, an organization may be at risk for a Denial of Service (DoS) attack, especially if it relies on a manual DSAR fulfillment system.

Can my company charge a reasonable fee for DSAR response?

In most cases, organizations aren’t allowed to charge fees for DSAR fulfillment. However, if the fulfillment team feels as though the request is unfounded or excessive, they can apply a “reasonable charge” to cover costs. Please note that DSAR-related charges can’t provide profit to a company.

What are some common DSAR response challenges?

Understanding DSAR requirements and the impact of privacy regulations.

• Fulfilling DSARs can be extremely confusing, especially without a dedicated privacy team. We often see organizations swamped with DSARs because the fulfillment team lacks the empowerment and knowledge that a properly efficient and foundational program provides.
• The privacy laws and regulations that apply to DSARs can be complex, especially because legislation is rapidly changing along with the world of privacy. Deadline and requirement differences between jurisdictions as a national company in the U.S. or an international company spanning countries can also present roadblocks. 

Developing a streamlined workflow for fulfilling DSARs.

• It can be difficult to create a streamlined workflow for DSAR fulfillment, especially if the process depends heavily on manual action. The amount of data spread across an organization is massive, and without implementing automated systems to help track, gather, and summarize information as needed, streamlining DSAR processes will be a challenge.

Administrative costs associated with handling DSAR requests.

• The largest costs related to DSAR fulfillment come from lacking a streamlined process. If the team in charge fully relies on manual processes to manage and fulfill all DSARs, this can create massive bottlenecks and result in compliance-related fines and penalties. Our Privacy Trends 2023 report highlights these costs: Gartner estimates the average cost of manual DSR fulfillment to be $1,524 per request. 
• Using a privacy partner like DataGrail to help build a comprehensive program to assist a DPO and trained privacy team also incur costs, but they’re much lower in the long run.

Managing the sheer number of requests.

• Depending on the number of “identities” they hold, organizations can receive hundreds of requests a year — our Privacy Trends 2023 report notes some businesses can expect an average of around 650 requests per 1 million identities. Some large companies can expect even more. DSARs are fairly easy for subjects to submit, and the low barrier to entry combined with increasing privacy awareness means that some folks may submit requests just because they can. As privacy awareness continues to increase, so too will the number of DSARs.

Maintaining compliance with data privacy laws:

These are just a few examples of data privacy laws requiring DSAR fulfillment compliance. 

• GDPR
  • Established in 2018, complying with the General Data Protection Regulation (GDPR) is extremely important as it remains one of the most nuanced, ironclad data privacy laws in the world, and stipulates legal obligations for both EU-based companies and businesses collecting information from EU residents.

• CCPA/CPRA
  • The California Consumer Privacy Act of 2018 (CCPA) requires businesses operating in California or providing services to California residents to honor requests from data subjects to access their collected personal data. The California Consumer Privacy Rights Act (CPRA) amended and expanded the rights stipulated in the CCPA as of January 2023.

How can DataGrail help with managing DSARs?

DataGrail is the Privacy Control Center modern brands rely on to build customer trust and outsmart business risk. Our platform makes dealing with privacy easier by implementing automated processes thanks to 2,000+ integrations with popular apps and infrastructure.

Request Manager is DataGrail’s DSAR solution for companies looking to take their privacy program to the next level.