Table of Contents
Every time you make a transaction on the internet — purchase a pair of shoes, fill out a form to get an e-book, or hand over your contact information for a basement renovation quote, you’re willingly exchanging personal data for a good or service.
That data is stored somewhere. For the most part, trust is implicit — you believe the site you’re transacting with has your interests at heart and won’t use the information maliciously. But that doesn’t mean you’re not concerned about what might happen — 79% of Americans reported being wary of how their personal information was used and stored by third-parties and 81% said that the risks of collecting data outweigh the benefits.
Data privacy laws understand consumers’ concerns and make an effort to protect their rights. The GDPR, CCPA, PIPEDA, and other regulations compel businesses to be transparent about how they collect, use, and process personal information. Businesses are liable for huge fines if they fail to comply with best practices — the EU alone has fined many companies that failed to follow GDPR rules & regulations.
DSAR — that stands for Data Subject Access Request — is a way for businesses to comply with legal requirements under the CCPA and GDPR, that compel them to be transparent and open about how they process data.
Read on to understand the definition of DSAR, its purpose, how to submit a DSAR, and other business obligations when you receive a DSAR submission.
What Is a DSAR?
A Data Subject Access Request (DSAR) is a way for regular folks (specifically, data subjects) to ask (request) a company for the personal information and data they have on you. Data subjects can request that their information be modified or deleted via a DSAR submission.
Apart from the data itself, a DSAR may also request information on what your company's done with the information and whether the data has been shared with third parties.
Anyone can submit a DSAR, usually submitted via email or contact forms. But your customers aren't the only people who can request a copy of their information. Other people who can submit requests include suppliers, business partners, and previous employees.
Once your business receives a DSAR, it has to respond to the request promptly. Although this time varies from case to case, you usually have one month to provide the requested data.
What Is the Purpose of DSAR?
The purpose of a DSAR is to give users (subjects) more control over their information. An individual may consent to exchange their data to facilitate an online transaction, but that doesn’t give the corporation carte blanche to keep and process the data forever.
Hence, a DSAR enables transparency between a company and client by giving subjects a clearer understanding of how their data is being used.
DSAR Under GDPR: Is it Required?
The General Data Protection Regulation (GDPR) includes a requirement that companies holding and processing data have to allow users to request a report of all information held about them.
The person that the data relates to is called a “data subject” and the demand for details is called an access request, thus, an inquiry for details by a person to discover the personal information held about them is called a data subject access request (DSAR).
Hence, yes GDPR regulations mean that businesses have to comply with DSAR requests. Failure to respond can lead to tens of thousands of dollars in fines.
Is a DSAR required under CCPA?
The California Consumer Privacy Act (CCPA) has similar provisions to the GDPR. It says that consumers have the right to request businesses about the personal information collected, the commercial purpose for collecting information, the third parties to whom the business discloses said information, and the specific pieces of information collected.
However, the CCPA provides a 45-day window to respond to a DSAR, as opposed to 30 days for the GDPR. There is also a possibility of a 45-day extension if the business needs more time.
What Is Included in a DSAR?
Although no two DSARs will be exactly the same, you can usually expect some commonalities between them. Here are a few things that should be included in a DSAR:
- The data subject's name or their name in your contact list
- A header or subject line stating their reason for the email or letter
- A list of the data they're requesting from your business.
- A statement with their reason for requesting the data. For example, they may want to see their data or who else has access to it or request that their data be removed from your business's records.
- Further details to help your company find their information. This may include their contact details, a reference number, or the time frame of when they interacted with your company. If these details are necessary to find the data subject's data but aren't provided in the original DSAR, you might need to request them from the data subject.
DSAR Request Template
Use the text below as a template for when submitting a DSAR.
SUBJECT: Data Subject Access Request
To whom it may concern,
My name is Sam Smith, and I've been a customer of your shop since June 2019.
Kindly supply the personal data that your company has collected from me. I am entitled to receive this information under the Data Protection Law 2018.
I am specifically interested in the following types of data:
- Personal information
- Purchase records
- Communications between your company and myself
However, if any additional data has been stored and the Data Protection Law does not restrict its sharing, it should be provided as well. Furthermore, please include whether any of the aforementioned data has been shared with any third-party companies.
I require the information in PDF format. If additional information is needed from me to complete this request, please let me know.
Thank you and kind regards,
Phone: XXXX XXXX
How Do You Write a DSAR?
Data protection laws are meant to be accessible to as many people as possible, so there's no one way a DSAR should look. Data subjects can request a subject access request through a data request form on your website, over the phone, or email, or even on one of your business's social media platforms.
Types of DSARs
Laws vary as to what the data subject is allowed to ask for and what the company is obligated to provide them. Often, however, the response will greatly depend on the DSAR and the information requested by the data subject.
They might want to know exactly what information you have on file for them. Or they might be more interested in the way that the data is being used than in all its details. Broadly speaking, here are the 5 types of DSARs you can expect:
1. DSARs for General Information
A general DSAR report usually asks for confirmation of personal details such as name, phone number, email, home address. In fact, under GDPR, it is mandatory to include this information in your response regardless of the kind of DSAR requested.
But even when it isn't mandatory, your organization might choose to include this information in its report to aid in transparency.
For example, the report should let data subjects know that they:
- Have the right to object to data processing and capturing
- Are allowed to request corrections to their information
- Are allowed to lodge complaints if they feel their data has been used illegally or irresponsibly
2. DSARs for Summary of Data Captured
This is one of the most common DSARs that firms receive. A request for summary of data captured is meant to understand the exact information a firm has on the subject.
Here’s the information you should provide in your response:
- Confirmation that your business does process the requester's data
- A copy of all the personal information you have on file for them
- Reasons why it is lawful for you to process their data (for example, they gave access)
- An indication of how long you will keep the data on file — if this is not a set time, how it will be determined
- An overview of how the data was compiled
- An explanation of how the data factors into automated decision-making
- Any potential consequences that could come from automated decision-making based on their data
- Whether the data has been shared with third parties, and if so, names and information on those companies
3. DSARs for Erasure
Subjects have the right to ask you to delete their data, commonly known as the right to erasure or the right to be forgotten.
Of course, if the information has already been shared with third parties, it will be harder for the data subject to completely erase the information.
Erasure isn't all or nothing. The data subject could ask for their information to be deleted without knowing what you have. Or they could look at all the information and decide which pieces of information they are uncomfortable with. They might be happy to allow you to keep some information stored and request the deletion of a certain type of information. Compliance in this case is important too.
4. DSARs for Correction
When a consumer trusts a company, they might be completely comfortable with it storing their personal data. Trusted organizations could include banks and many others that use data to the benefit of their clients.
But a data subject still has the power to ask for a DSAR to ensure that the information stored is correct and up to date. They could then send in a request for corrections — to make sure that nothing is amiss.
5. DSARs To Opt Out of Data Sharing
Many DSARs aim to instruct companies to stop sharing personal data with third parties. Such DSARs can request specific names of any third parties that have access to their data.
The entire point of a DSAR is to promote transparency and goodwill. By not complying with the request, you run the risk of a negative brand image or a class action lawsuit.
Who Can Submit a DSAR?
Almost anyone that has interacted with your company can submit a DSAR. Here’s a more detailed overview:
Anyone who has used your services or transacted via your website in the past can submit a DSAR. This could be an individual or a business. The same rules apply in both cases — there is no differentiation between the two.
It’s possible that you discover no information once you process the request. If that is the case, it’s sufficient to tell the subject that you weren’t able to find any information.
In cases where you do have information, you will need to prepare a DSAR response.
An Individual on Behalf of Another
A person can make a DSAR submission on behalf of someone else. There are a few scenarios in which this can happen:
- A parent or guardian requesting information on a minor child
- A person who has been court appointed to handle the affairs of the data subject
- An employee who needs information on behalf of an employer
- Someone acting on behalf of a client
- A person helping a data subject, normally a relative or close friend
Data controllers need to be careful when they process such requests, and it is their responsibility to verify that the request is genuine. Accidentally leaking information to a false request can lead to fines, so it’s best to be extremely cautious.
Verifying the request is an important step — ask for a letter from the individual giving power of attorney to the person filing the DSAR. You can ensure that the relationships are genuine by requesting birth certificates with the parents’ names on them or paperwork proving they are the legal guardians of the child.
Doing your due diligence helps you avoid the trouble that comes with sharing personal information with someone who does not have the right to access it.
Previous and Current Employees
This type of DSAR is more tricky than regular consumer DSARs. This is because employee data is far more sensitive and requires special care.
Things like Social Security numbers, banking information, driver’s license numbers, and dependent information are all stored by employers. A failure to process this data in compliance with rules can result in hefty penalties.
Another reason that firms should be careful regarding employee DSARs is the motive behind them. Consumers tend to launch a data subject access request because they are curious about the information that is stored, or because they have doubts about a certain aspect of the stored information.
An employee who launches a DSAR is likely to be searching for a certain piece of information. For example, an employee could feel that they have been passed over for promotions or other responsibilities due to bias based on their stored personal information.
They could feel wronged in some way and believe that it stems from the private information that the company has compiled about them. But that does not mean that you should ignore an employee who requests a DSAR. They have the same rights as any individual to request a data subject access request.
Can You Refuse To Respond to a DSAR?
In most cases, it is very unwise to not respond to a DSAR. There are a few exceptions, but even then, it could be better for your company to just respond with a denial and the reasons why you are denying their request.
There are two main reasons that you can be justified in refusing a DSAR. The first is because it is excessive. For example, a user might submit a DSAR to a local business every month, knowing they still have the same information.
The second reason would be if the data subject isn’t planning on using their right of access appropriately. This could mean a few things — for example, if they are requesting the information with the goal of being able to make unfounded claims against the company.
It is not easy to prove either of these scenarios. That is why it is tricky to deny a DSAR. You need to be very sure before you respond with a denial.
Manifestly Unfounded or Excessive Requests
Knowing when a DSAR meets these criteria can be hard. But there are a few things that you can look out for that could be a good indicator of a data subject not acting in good faith. These could be signs of a manifestly unfounded or excessive request.
Some of these signs of a manifestly unfounded request include:
- The data subject states in their communications that they want the DSAR to cause disruptions.
- The request includes unsubstantiated accusations against the company or an individual employee.
- The request shows signs of targeting one employee or of having personal grudges.
- The data subject often sends DSARs to create disruptions — for example, if you get a new one weekly.
Some of the signs of an excessive request include:
- The same information requested when little time has passed
- A request that overlaps with other DSARs
Still, even with many indicators that the requester is trying to use a DSAR to cause disruption instead of finding information, you need to be careful when denying a response. If there isn’t enough proof of manifestly unfounded or excessive requests, you could still face fines for noncompliance.
Things To Include in a Refusal To Reply
If you believe that you have enough proof to refuse a response for a DSAR, then it is still good practice to send a reply outlining your reasons for refusal. There are a few things that you should include in this type of response. The primary ones are:
- Explaining your reasons for the denial
- Reminding them of their right to file a complaint with the correct authority
- Reminding them of their right to appeal the decision, even in court
Including these pieces of information covers your company better than just ignoring the request.
Can You Charge a Fee for a DSAR?
In most cases, you aren’t allowed to charge a fee for a DSAR response. But if you do decide to compile a response for an excessive request, you might be entering one of those few exceptions where you are allowed to charge a small fee for the response.
How Long Do You Have To Respond to a DSAR?
According to most DSAR and data security laws, you need to respond in a timely manner and send a response as quickly as you can. In most cases, you will have a calendar month to respond to a data subject access request. Under other laws, that could go up to 45 days, but a month is the average in most countries.
If they need to send you more information to find their data, then this time will start when they send your company the rest of the information you need to comply with their request. If you are receiving a lot of requests at the same time, or if they have a big DSAR that requires a lot of research and planning, then this month can be extended. This time can be extended up to three calendar months in some unique cases.
Still, if that is the case, communication is key. You need to respond and explain the reasons for the delay to your data subject.
Who Should Be Responsible for the Request?
It’s best practice to nominate one person that handles all DSAR submissions. This person is usually referred to as the Data Protection Officer (DPO). While this may not necessarily be a full-time role, they should know the data privacy laws in your jurisdiction and countries where you do business.
DPOs are responsible for each request and making sure that each DSAR is responded to correctly. They also need to ensure that it is done within the required time limit for your region and that it follows any other requirements that you need to be compliant with.
Step-by-Step Process For How To Handle a DSAR
So how do you handle a DSAR when received? There are a few things that you need to keep in mind.
Firstly, there are many ways a data subject can submit a DSAR. Even a simple request like an email or a message stating that they would like to see the information your company has on them is legally accepted as a DSAR.
Here’s what to do after you receive one:
Step 1: Check the Identity of the Data Subject
To be compliant, you need to make sure you aren’t giving out information to a person who is not legally authorized to have it. It's important to confirm that the data subject you are speaking to is the correct person and that you have their correct information.
Step 2: Find Out What They Need
Normally, this is straightforward — people just want to know the details of the data you have about them. But to ensure that you are compiling a DSAR response that will satisfy them, you need to look at the request closely.
This could be one of the few exceptions where they want more information than the norm. Their request could be detailed and take up a lot more time. Finding that out now could allow you to send a response warning that you will need more time than the average month.
Step 3: Start Reviewing the Data
Start to compile the response on the data that they have requested. You can give them all the personal information that you have. Often, an explanation that goes along with this goes a long way. Explaining what this information is used for and why you store it could help them understand the process better.
You also need to review the data carefully to ensure that you are not breaching any other data laws. Sharing data about other individuals would be a breach and could open you up to other problems.
Step 4: Compile the Data
Next, draft the response, making it simple to understand. The files you're using should be easily accessible so that the subject can easily look at all the information and understand what you have shown them. Otherwise, you could be accused of not being transparent and trying to confuse your data subject.
Make sure that your response includes all the information that they have requested. If they want everything, then even include any redacted documents to make sure that you are compliant with the laws on privacy data.
Step 5: Explain Their Rights
As mentioned, you need to include a section where you remind the data subject of their right to lodge a complaint. This will normally be one of the last pieces of information you add to your response.
Step 6: Send the Response
The final step is to send the entire document to the data subject. They could ask questions or complain about some of the data, but at this point, you have been compliant and done what is required of your company.
Responding to DSARs Can Be Challenging
It might sound like a simple task: find the information you have on an individual and respond to them. But in reality, compiling a data subject access request response may involve several major challenges. For example:
Laws on data privacy and DSARs are constantly changing. Keeping up with the laws can be a monumental task — especially as you expand your business and enter new geographical regions with varying regulations.
Locating Necessary Data
It sounds easy enough to find all the data that you have stored about one individual. But if you take into account the massive amounts of data that have been collected in recent years, this could be an uphill task.
One transaction could create multiple pieces of information, and in the past, they might not have been saved in the same files, so finding them and making sure that you don’t miss anything becomes complicated. Most companies are working toward keeping an individual’s information in one space, hopefully making it easier to compile in the future.
Often, you need to explain what has been passed on to third-party vendors and give an account of the information that they have on the data subject. But since you don’t have access to their files, this can be difficult too.
Volume of DSARs
Many companies are receiving a lot more data subject requests than ever before. Keeping up with them can be a massive challenge. Some businesses have reported receiving dozens of DSARs a week, meaning it can be time-consuming to dig up all that information and satisfy said requests.
How Can Enzuzo Help Me With a DSAR?
Understanding and managing DSARs should always be on your radar as a business owner. Luckily, an all-in-one privacy compliance software like Enzuzo make this process easy to fit into your business's flow.
Enzuzo focuses on automating data subject access requests, making them less of a burden for small and medium businesses.
No matter what your business size is you can respond to DSARs quickly and efficiently. This minimizes your risk of expensive fines while helping you maintain your customers' trust.
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.