Origin of DSARs
The origin of DSARs can be traced back to the emergence of concerns over data privacy and the need for individuals to have some control over the increasing amounts of personal information that organizations were collecting about them. These concerns prompted the development of comprehensive data protection laws, such as the General Data Protection Regulation (GDPR) in the EU – considered the first comprehensive privacy legislation – and the California Consumer Protection Act (CCPA), largely modeled after the GDPR and the first comprehensive privacy legislation in the U.S.
When the GDPR took effect in 2018, it introduced the concept of DSARs as part of its mission to give individuals more control over their personal data. Under the GDPR, organizations are obligated to provide individuals with their personal data upon request, and this process is known as a DSAR.
Similarly, the CCPA, which took effect in 2020, enshrined the right of California residents to make DSARs. The CCPA gives individuals the power to demand access to their data, find out how it is being used, and even request its deletion. The introduction of these regulations was at the vanguard of a growing global awareness of the importance of personal data rights and privacy.
How the DSAR Process Works
The DSAR process is relatively straightforward, designed to be accessible to data subjects. There are seven key steps:
- Request Submission: The data subject submits a request to the organization, typically through an online process but sometimes in written form. The request should clearly state that it is a DSAR.
- Verification: The DSAR must include information establishing the individual’s identity for verification purposes. Some organizations might require physical proof of identity, while others present verification questions as part of the process.
- Data Retrieval: Once the identity is confirmed, the organization retrieves all the personal data it holds that is associated with the data subject. This data can encompass a wide range of information, from contact details to transaction history.
- Data Presentation: The organization compiles the requested data and provides it to the data subject in a commonly used electronic format, unless the individual requests a different format.
- Response Time: The GDPR stipulates that organizations must respond to DSARs within one month, with the possibility of extending this period to two months for complex cases. Under the CCPA, organizations have 45 days to respond to a DSAR, with an additional 45-day extension under certain circumstances. The timeframes vary under different regulations.
- Data Review and Correction: After receiving the data, the data subject has the right to review it, request corrections if necessary, and even challenge the processing of certain data points if they believe the organization is processing their personal information for purposes other than those for which it was collected.
- Closure: The DSAR process is concluded when the data subject is satisfied with the information received and any necessary corrections have been made.
How Organizations Comply
Compliance with DSARs can be a complex process for organizations, especially for companies that collect significant amounts of data about their customers and share it with third parties. Compliance requires not only efficient handling of individual requests, but also a commitment to data protection and privacy principles. The essential components for organizations to ensure DSAR compliance include:
- Data Management: To comply with DSARs, organizations must maintain accurate and accessible records of personal data. They should be able to quickly identify and retrieve relevant information when a DSAR is submitted.
- Identity Verification: Because one of the initial steps in the DSAR process is verifying the identity of the data subject, businesses must establish reliable methods for identity verification to prevent unauthorized access to personal data.
- Data Retrieval Systems: Efficient data retrieval systems and processes are essential for responding promptly to DSARs. Organizations need to have mechanisms in place to extract and compile data requested by data subjects.
- Data Privacy Training: Properly trained staff are crucial for DSAR compliance. Employees who handle DSARs must stay knowledgeable about relevant regulations – including new and modified privacy laws – and understand their responsibilities in processing these requests.
- Communication and Transparency: Open and transparent communication with data subjects is vital. Organizations should maintain clear and accessible channels for DSAR requests and provide updates on the status of ongoing requests.
Benefits of Compliance … and Consequences of Non-Compliance
Compliance with DSARs offers several advantages:
- Legal Obligation: By adhering to DSAR regulations, organizations avoid potential legal repercussions and monetary penalties that may result from non-compliance. The GDPR, for example, can impose substantial penalties for mishandling DSARs – generally up to €10 million or 2 percent of a company’s global turnover (annual revenues).
- Enhanced Trust and Reputation: Meeting DSAR requests builds trust with customers and demonstrates a commitment to respecting their privacy, which can contribute to improved customer loyalty and a positive reputation.
- Improved Data Management: DSARs can drive organizations to implement more effective data management practices, resulting in better data accuracy and organization.
Non-compliance with DSARs can have the opposite effect on an organization. Violations of DSAR requirements can lead to significant fines, loss of customer trust and confidence, and operational inefficiencies, including wasted time and resources and disruption of operations.
Tips for Compliance: Embracing Automation
The efficient management of DSARs is a complex task that can be significantly enhanced through the use of automation.
- Invest in Data Management Software. A comprehensive data privacy management platform can centralize and streamline access to personal data, making it easier to retrieve and compile the requested information.
- Automate Identity Verification. Automated identity verification tools can confirm the identity of data subjects quickly and securely, reducing the risk of unauthorized access.
- Create Standardized Response Templates. A data privacy management platform typically offers standardized response templates for DSAR requests, ensuring that responses are consistent and compliant with regulations. Automation can help generate and send these responses, and track activity for auditing purposes.
- Monitor Deadlines. Automated tracking systems ensure an organization responds to a DSAR within the required timeframe, helping organizations avoid legal penalties and maintain a positive reputation.
- Train Employees in Data Protection. Automation can assist in conducting online training and tracking employee progress, ensuring that employees receive education on data protection, privacy regulations, and the proper handling of DSARs.
An Example of a DSAR in the Wild
To illustrate the practical significance of DSARs, consider an example that occurred several years ago in the EU. Under the GDPR, individuals have the right to be forgotten, meaning they can request the deletion of their personal data.
In 2019, a Spanish citizen requested that a major online search engine remove the search results linked to a decades-old newspaper article mentioning his previous debt issues. The search engine initially refused, leading to legal proceedings. The case ultimately went to the European Court of Justice (ECJ), which is the supreme court of the EU in matters of European Union law. The ECJ ruled in favor of the data subject, emphasizing the importance of the right to be forgotten and the power of DSARs in protecting an individual’s privacy.
Empowering Individuals and Ensuring Compliance
DSARs are a fundamental aspect of modern data protection regulations, providing individuals with a powerful tool to access, review and control their personal information. Organizations must take DSARs seriously, ensuring efficient compliance to avoid legal penalties and maintain trust with their customers. By embracing automation and following best practices, businesses can streamline their DSAR processes and enhance their overall data protection initiatives.