How to Respond to Data Subject Access Requests (DSARs) for Ecommerce
A data subject access request (DSAR) lands in your inbox. Someone wants you to send over all the personal data you hold on them, and there’s a deadline staring at you. What do you do with it? How do you respond? How do you know if it’s genuine?
In this guide, we’ll explore the world of data subject access requests (also known as DSARs) to help you understand what they are and how to manage them in a compliant and efficient way.
What is a Data Subject Access Request?
The phrase “data subject access request” might sound complicated and technical, but when you strip it back a DSAR is simply a request from someone that you hold personal data on. They’re known as the data subject, and often want to access their data, hence the term data subject access request.
Most data subject access requests will be from individuals looking to clarify the personal information that you hold about them. They might want to understand every item of data you have that relates to them, or specific categories of personal data that mean the most to them — like their religious beliefs, health information, or biometric data.
DSARs aren’t submitted just to review the information you hold on someone, however. Data subjects can also use requests for reasons beyond this — for example, to alter the personal data you hold, find out who you’ve shared it with, or request that you delete it.
Data access requests have been around for a while, but the introduction of privacy laws like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) has made it easier than ever for people to be conscious of data privacy and act on it. With more and more people waking up to the importance of data privacy and security, it’s essential to have a plan for responding to DSARs.
Who Can Submit a Data Subject Access Request
In most cases, you’ll find that the person making a data subject access request is the data subject themselves. Sometimes, they may appoint someone to make the request on their behalf. Examples of this include:
- A person appointed by the court to manage someone else’s affairs — for example if they have power of attorney
- A representative from an organization making the request on behalf of their employer or client — for example a solicitor representing a company
- A parent, carer, or guardian making the request on behalf of a child
- A friend, relative, or supporter helping someone else to manage their data privacy for them.
A data subject (or someone making the request on their behalf) doesn’t need to be a customer of your eCommerce store for their request to be valid. They may be a current or ex-employee, corporate partner or sponsor, supplier, contractor, or anyone else who believes you may hold personal data on them.
All these individuals could have a right to access relevant information from your database. This means there’s a wider scope for incoming DSARs than you might think, as even with a new eCommerce business you’ll have some or all of these people in your network.
What a Data Subject Access Request Looks Like
There’s no uniform way for someone to make a data subject access request. There’s a deliberately low barrier to making one, so that there’s no burden on someone to use a specific system or make their request via a medium that they’re uncomfortable with.
Your data subject access requests could come via email, phone, live chat, social media DMs, letter, and more. It’s up to the individual or their representative to choose a medium that makes sense for them.
Submitting a data subject access request should be free, and you can’t charge for dealing with one. The exception is a request that is considered excessive or unfounded, in which case you can charge a reasonable fee that covers administrative costs only.
Although there’s no one accepted way of making a DSAR, most of them contain the key information you need in order to start the process. Expect to see the following information in a data subject access request:
- A clear header or subject line, if sent by email
- The data subject’s name (and what they may be known as in your system)
- A list of the personal data requested
- The reason for making the request — for example to view, change, or delete data
- Relevant supporting information to help you identify the data — for example a customer account number or username, a specific time period, a location, or the types of files or data
- How they’d like to receive the information back — for example by email or letter
You may not receive all this information at once, and you might need to enter a conversation with the data subject to clarify anything that you’re not sure about. If the request comes in by phone, it’s helpful to take notes and suggest they follow up their request by email.
Even if you provide an easy way for someone to make their DSAR online — for example by using our privacy platform — users can still submit their DSAR through any method of their choosing. Having a central system is still beneficial, as you can manually add any outside requests to track and manage them in one place.
Reasons You Can Refuse to Respond to a DSAR
Privacy laws like the GDPR and CCPA give individuals greater rights of access over their personal data than ever before. This doesn’t mean that you always need to disclose that data, however, and there are some exemptions that mean you don’t need to respond to a DSAR.
In line with guidance shared from the Information Commissioner’s Office (ICO) about GDPR DSARs, you’re within your rights to not respond if the request is:
- Manifestly unfounded — for example it’s malicious, part of a targeted campaign of disruption, or made with a suggestion that it’ll be retracted in exchange for a discount or product
- Manifestly excessive — for example there’s a series of overlapping requests, multiple requests for the same thing over a short period of time, or resource reasons why your team can’t manage a large scale response
It might be tempting to look at a request and decide that it’s excessive or unfounded, even if in reality you could probably manage it. For any refusal, you’ll need to respond to the data subject and let them know why you can’t process their DSAR. As part of this, you need to alert them to the fact that they can enforce their rights through the courts if they wish. For this reason, and for compliance, it’s best to only refuse to handle a request if you’re sure you can prove — with evidence — that it meets one of the exemptions above.
Keep in mind that you can’t set a “one size fits all” policy for responding to or denying DSARs. You can’t make an automated decision on this — you must view each and every request personally, and make a judgement based on this.
How to Respond to a Data Subject Access Request
Unless the request falls into one of the exemptions, you’ll need to respond to it properly and within the right time frame. Here’s how to approach DSAR responses and how to create a response process that works.
1. Log and Review Your Data Subject Access Request
As soon as a DSAR lands in your inbox or enters your process, make sure you log it correctly. Make a note of when it was received, who the data subject is, and any dates you need to be aware of. This means you can create a record that you can update, manage, and track right through the process.
Privacy regulations set out a time limit for how long you have to respond from receipt of the request, so check to see which law is applicable to your data subject. For the GDPR, you have 30 days to respond, and for the CCPA it’s 45 days.
It’s helpful at this stage to review the request in detail and determine what the data subject is asking for. Identify whether they’re requesting data access, change, or erasure, and which personal data categories their request covers. This helps you plan ahead and make sure you gather the correct information, or route the request to the right member of your team.
2. Run Verification and Authentication Checks
Anyone could make a phone call or send an email pretending to be someone else. When a DSAR makes its way to you, it’s essential that you run authentication checks to avoid disclosing information to the wrong person.
There are a number of ways you can verify that an individual is who they say they are, but the most commonly used methods include:
- Using personal data that you hold about them already
- Using an existing two factor verification method
- Using a new third party verification service
It’s best to avoid seeking new personal information to verify someone’s identity, if possible. Requesting a copy of a government issued ID is not only excessive but highly sensitive, when other methods may be more appropriate.
If you can’t complete identity verification, you can request that they provide more information to help you do so. In the event that you still cannot verify the requestor's identity, you should inform the data subject of this within the same timescales as above.
3. Collect the Required Personal Data
Once you’ve verified the requestor’s identity, you can move on to collecting all the requested information. This is often the most challenging step of the process — especially if you hold data across multiple databases, tools, teams, or locations.
Check again what the data subject’s request was for, and seek the personal information they have asked for. You may need to log into and search for data across different tools — like your CRM system, shipping plugins, email marketing software, payment gateway, and more. Document the data you find (or don’t find) as you go, so you have an evidence trail to support your response.
If you haven’t done so already, it’s a good idea to complete a data mapping exercise. This will help you match data across different databases to give you a clearer picture of all the personal data you hold. It’s time-consuming, but you can often use software to help speed up the process, and it means you’re in a better place to respond to future DSARs more swiftly and with greater confidence.
4. Review Before Sending
One of the most valuable stages of the whole DSAR response process is reviewing and checking the data before you send it to your data subject. It’s crucial that nobody else’s personal data gets mixed in, and that you’ve matched up the data files to the right request.
After you’ve collected the requested data, review it to make sure it both meets the individual’s request and that it contains only their personal data. This is your opportunity to remove any data belonging to someone else that was gathered in error, before the report or files are sent out. In some cases a file or document might reference someone else or something that isn’t relevant to the request. In those cases, you can redact this information before sending.
Manually reviewing data and files can take time and isn’t the most exciting task, but this step is a must-have if you want to avoid a costly data breach. If you’re running a busy eCommerce business it’s easy to accidentally send the wrong files to the wrong individual, but this step of the process helps to eliminate that risk.
5. Send Your Response
With the request verified, data collected, and everything thoroughly checked, you can send your response through to the data subject. Your response should come from your data protection officer (DPO), data controller, or an individual with a comparable level of authority.
Within your DSAR response, include the following:
- An acknowledgement of their data subject access request
- Confirmation that you hold, process, and/or share their personal data
- A copy of the personal data requested (in an easily accessible format)
- Information on how and why you hold this data — for example your lawful basis for collecting and processing this data (this may differ for each category of personal data within a request)
- Information on how this data is held, shared, or disposed of — for example how long you hold it, third parties it may be shared with, and your policy on data deletion
- A statement about data subject rights and how to make a complaint with the relevant supervising authority
It’s helpful to create a template for responding to DSARs or use one that’s built into your privacy software. This means that your data subjects get the same high-quality response, and reduces the risk of any errors or omissions from your team.
Where possible, send your DSAR response via a secure method — like encrypted email or a password-protected web service. Choose a method that you can track too, as this makes it easier to prove you’ve met the required timescales and compliance requirements. And before you hit send, make one final check that you’re sending the right response to the right request.
Make Data Subject Access Requests Easier to Manage With Enzuzo
Manually keeping track of your data subject access requests can quickly become a challenge — especially if you’re experiencing an influx of them, or you’re worried about staying compliant. That’s where Enzuzo can help — we’ve created a privacy portal where you can manage your DSAR process confidently from one dashboard.
These data requests then feed directly into your privacy portal, where you can view, manage, and track them from a clean and clear dashboard. Any requests that you receive through other channels — like email or social media — can be added to your dashboard manually, so everything is in one place.
From your dashboard you can automatically complete the data request and send this information through to your customer or data subject. You’ll see the due date listed, and be sent reminders too, so it’s easier than ever to make sure you hit those all important deadlines.
With Enzuzo’s privacy platform, you can streamline your DSAR response workflow from that initial request right through to sending out the data and proving compliance. It’s a simple yet effective way to help you manage data privacy risks, so you can focus your energy on running and growing your eCommerce empire — instead of worrying about deadlines and legislation.
3 Tips to Help You Avoid an Influx of DSARs
The number of data subject requests you’ll receive depends on a lot of things — like the size of your eCommerce business, and your overall approach to data privacy. If you’re looking to minimize the number of DSARs your business receives, here are some ways to make that happen.
1. Have Clear and Compliant Privacy and Terms Available
2. Don’t Send Emails to People That Have Unsubscribed
One of the easiest ways to get hit with an onslaught of DSARs is to mistakenly send out your next email marketing campaign to email addresses that should have been unsubscribed. With our inboxes overflowing, people are quick to submit a privacy request or DSAR in response to unwanted emails.
To help you avoid this, use email marketing software that offers a simple, one-click opt out of future marketing emails. Look for a tool where there’s no delay in removing an email address from your system — especially if you send daily promotional emails. If you run multiple systems, be sure to remove an email address across every tool. Better still, move all your email marketing operations to one system or integrate your email tool with your CRM.
While your focus is on email marketing, now is also a great time to make sure you know all about the various email marketing laws and how to comply with them. Understanding what matters and how to stay compliant is another way to help make sure you don’t receive lots of DSARs or complaints from your customers.
3. Give People a Way to Manage Their Own Data and Consent
While lots of people use DSARs to find out what you know about them, plenty of people also use them to simply request the change or deletion of their data. If you can introduce a self service consent management and data deletion tool, you can avoid them sending a DSAR.
An easy way to introduce a way for people to manage their data is to make this part of your online account system. Allow your users to log in to their account and change details like their email address, shipping address, and credit card information. You could also give them the option to close their account temporarily or permanently. Giving people choice and the opportunity to take control of their own data means they can do this quickly when they want to, so they avoid waiting for the DSAR process and you have fewer requests to respond to.
Manage Your DSARs With Confidence
While DSARs might sound complicated, when you break it down they’re simply a way for someone to make a request and for you to respond to it. With the right tools in place, it becomes easier to manage the process and get those DSAR responses out on time.
If you’re looking for a better way to manage your data privacy, try Enzuzo. Our free privacy platform not only lets you manage DSARs but helps you with standard legal policies, automatic compliance, and compliance reporting. It’s designed for busy eCommerce store owners that care about data privacy and creating a streamlined, user friendly experience for both your team and your customers.
Nicola is a freelance content writer for HR tech & SaaS. She's written for Polly, Zapier, Pyn & more and is passionate about remote work, employee wellbeing & productivity.