Data Subject Access Requests

Data Subject Access Requests have been growing in their frequency and importance since the establishment of the GDPR and other similar data privacy laws. Here’s everything you need to know about data subject access requests.
The General Data Protection Regulation (GDPR) was implemented in 2018 with the goal of restoring individuals' control over their personal data. This is accomplished by giving eight data subject rights, one of which, the right of access, allows individuals to learn what data the organization keeps on them, why it is held, how it is used, and other details.

Although the right of access is not new, the GDPR strengthens it by requiring organizations to disclose additional mandatory categories of information and by making it simpler for individuals to file requests, access their data, and obtain information. The access request is one of the most common types of request that businesses receive, so sooner or later your organization will have to deal with one. This article covers everything you need to know about data subject access requests.

What is a Data Subject Access Request?

A Data Subject Access Request (DSAR) is a request made to a data controller by a data subject, an identified individual whose personal data the controller holds. A data controller is an organization or individual that determines the purposes and means of processing personal data. A data subject has the right to request access to their personal data record, revisions or corrections to that record, or the deletion of all or part of it. Unless an exception applies, the entity receiving the request, whether it is a data controller or a data processor, is expected to comply within 30 days.

An individual has the right to confirmation of whether or not your company is collecting his or her data, as well as information about how that data is being used. From there, they must be able to seek erasure or rectification of the data gathered via a DSAR. If your firm collects an individual's personal information, it owes that data subject access to the information. The following are two examples of when a data subject may use their GDPR right to view, modify, or delete their personal data.

What Information Needs to Be Provided in a DSAR?

The organization is required to confirm that personal data is being processed and to provide the individual with a copy of that data. The response must also include additional information: the purpose of the processing, the third parties with whom the organization may share personal data, and the categories of personal data the organization processes. Organizations must additionally state the source of the data (if it was not collected from the individual), the retention period, any automated decision-making involved, and the individual's rights under the GDPR. When responding to a DSAR, the organization must deliver a copy of the personal data together with all of the information listed above.

Anyone whose personal data is processed by the organization can file a DSAR. Individuals are not required to give a cause for submitting a DSAR and can obtain a copy of their information at any time.

Contrary to popular opinion, DSARs do not apply only to employees but also to customers, partners, and contractors. According to some studies on the state of data rights, customers rather than employees make the majority of requests. This is particularly true in the United States. Employees of firms located in the EU, on the other hand, request their personal data at a far higher rate than employees of organizations located elsewhere in the world.

How to Prepare and Submit a DSAR

Many expect that, following the CCPA, the number of people submitting DSARs will continue to grow dramatically. So, let's look at what is required and how to be ready:

1. Respond to a Request for Information from a Data Subject

A customer's data subject request must be responded to and fulfilled in a portable electronic format within 45 days. The exact obligations may differ based on the customer's request and how their data is handled. We'll dig into this in more detail later in this guide.

2. Manage Requests for Deletion

Requests for deletion affect not just internal team members, but also any third-party suppliers and partners with whom the personal information has been shared.

3. Communication with Customers

The CCPA, like the GDPR, mandates the disclosure of rights and information concerning DSARs. Consumer rights under the CCPA and GDPR are comparable but not identical. As a result, businesses will need to adjust their communication strategies.

Responding to a DSAR

Responding to a DSAR is fairly straightforward. The steps for processing and completing a DSAR are as follows:

  1. Register, log, and authenticate the DSAR. Before beginning work on a data request, organizations must register it, log it in a system of record, and authenticate the requester, either manually or automatically.
  2. Collect the personal information. To prepare for DSARs, businesses must first identify and categorize the personal data they collect and hold. This information is frequently spread across a variety of internal and external platforms. To enable the processing of DSARs, personal data must also be mapped to the individual it belongs to. This procedure can be sped up by using a People Data Graph. The data must also be collected in a secure manner to avoid increasing data sprawl, which might lead to increased liability.
  3. Review the data and approve it for release. After collecting the required data, businesses must review it to ensure that it satisfies the DSAR requirements while protecting proprietary information and the personal data of other data subjects.
  4. Deliver the information to the consumer securely. The final response must then be securely provided to the customer. If the response is breached or leaked, each leaked record can cost thousands of dollars.
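As an added illustration (not code from the original article or from Accountable's product), the four-step workflow above modeled as a small DSAR register in Python: it computes the response deadline from the article's 30-day (GDPR) and 45-day (CCPA) figures, refuses to collect data until the requester is authenticated, gathers the subject's records across data stores, and redacts identifiers of other data subjects before release. The data stores, subject IDs and field names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Response windows as stated in the article (assumed here to be calendar days).
DEADLINE_DAYS = {"GDPR": 30, "CCPA": 45}
# Workflow order from the article; a request may only move one step forward.
STEPS = ["received", "authenticated", "collected", "reviewed", "delivered"]


@dataclass
class Dsar:
    request_id: str
    subject_id: str
    regime: str
    received: date
    status: str = "received"
    records: list = field(default_factory=list)

    @property
    def due(self) -> date:
        return self.received + timedelta(days=DEADLINE_DAYS[self.regime])

    def advance(self, step: str) -> None:
        # Enforces ordering, e.g. no data collection before the requester is authenticated.
        if STEPS.index(step) != STEPS.index(self.status) + 1:
            raise ValueError(f"cannot move from {self.status} to {step}")
        self.status = step


def collect(dsar: Dsar, stores: dict) -> list:
    """Gather every record mapped to the requesting subject across all data stores."""
    dsar.advance("collected")
    dsar.records = [dict(rec, source=name) for name, rows in stores.items()
                    for rec in rows if rec["subject_id"] == dsar.subject_id]
    return dsar.records


def review(dsar: Dsar, all_subjects: set) -> list:
    """Redact values that identify other data subjects before the copy is released."""
    dsar.advance("reviewed")
    others = all_subjects - {dsar.subject_id}
    dsar.records = [{k: ("[redacted]" if v in others else v) for k, v in rec.items()}
                    for rec in dsar.records]
    return dsar.records


def overdue(dsar: Dsar, today: date) -> bool:
    """True when the statutory window has passed and the copy was never delivered."""
    return dsar.status != "delivered" and today > dsar.due


# Constructed sample data: two internal stores, two data subjects (s-1 and s-2).
STORES = {
    "crm": [{"subject_id": "s-1", "email": "a@example.com", "referred_by": "s-2"},
            {"subject_id": "s-2", "email": "b@example.com", "referred_by": None}],
    "support": [{"subject_id": "s-1", "ticket": "T-7", "referred_by": None}],
}
```

Running `overdue()` over the register on a schedule gives the aging report a privacy team needs to avoid missing the window.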
