Data Subject Access Request and What it Means
To you, your job as an eCommerce business owner or manager is pretty straightforward. You offer a product or service, sell this offer or service, and repeat.
Then one day, you receive a DSAR — a data subject access request — and it throws you for a loop.
But there's no reason to stress. We're here to explain the ins and outs of the DSAR process flow. Read on to find out why your business must understand the process and have a DSAR strategy in place.
What Does DSAR Mean?
DSAR stands for Data Subject Access Request.
A DSAR is way for people like you (specifically, data subjects) to ask (request) a company for the personal information and data they have collected on you.
You might make a data subject access request to an eCommerce brand you've purchased from, or a service provider you use.
Apart from the data itself, a DSAR may also request information on what your company's done with the information and whether the data has been shared with third parties.
Anyone can submit a DSAR, usually submitted via email or contact forms. But your eCommerce clients aren't the only people who can request a copy of their information. Other data subjects who can submit requests include suppliers, business partners, and even previous employees.
Once your business receives a DSAR, it has to respond to the request promptly. Although this time varies from case to case, you usually have one month to provide the requested data.
Data Protection Act
DSARs exist to protect the data and privacy of data subjects. Below is a list of data subjects' rights under the UK's Data Protection Act 2018:
- Data subjects have the right to know whether your company is storing their personal data.
- They are entitled to ask your company for a description of the data you have on them. If your company has no practical or legal reasons for withholding their data, it must be supplied on time.
- Users or clients can ask why their data is being processed.
- Data subjects have the right to know where their data is being stored and how it was gathered.
- People can request to be informed of their information, especially third parties, are being shared with.
- Your company should provide the requested data within about 30 days. This deadline may be extended by law or if the requested information can't reasonably be gathered and sent within that time.
- If the collected data is being used to make automated decisions, a data subject may ask which systems are used to make those decisions (and using what logic). During this stage, human intervention may be requested by the data subject.
- Lastly, a data subject has the right to data portability. This means that a data subject may ask your company to transfer their personal data to a third-party organization.
How Do You Write a DSAR?
Data protection laws are meant to be accessible to as many people as possible, so there's no one way a DSAR should look. Data subjects can request a subject access request through a data request form on your website, over the phone, or email, or even on one of your business's social media platforms.
What Is Included in a DSAR?
Although no two DSARs will be exactly the same, you can usually expect some common pieces between them. Here are a few examples:
- The data subject's name or their name in your contact list
- A header or subject line stating their reason for the email or letter
- A list of the data they're requesting from your business.
- A statement with their reason for requesting the data. For example, they may want to see their data or who else has access to it or request that their data be removed from your business's records.
- Further details to help your company find their information. This may include their contact details, a reference number, or the time frame of when they interacted with your company. If these details are necessary to find the data subject's data but aren't provided in the original DSAR, you might need to request them from the data subject.
Example of a Data Subject Access Request
SUBJECT: Data Subject Access Request
To whom it may concern,
My name is Sam Smith, and I've been a customer of your shop since June 2019.
Kindly supply the personal data that your company has collected from me. I am entitled to receive this information under the Data Protection Law 2018.
I am specifically interested in the following types of data:
- Personal information
- Purchase records
- Communications between your company and myself
However, if any additional data has been stored and the Data Protection Law does not restrict its sharing, it should be provided as well. Furthermore, please include whether any of the aforementioned data has been shared with any third-party companies.
I require the information in PDF format. If additional information is needed from me to complete this request, please let me know.
Thank you and kind regards,
Ph: XXXX XXXX
What Can Be Excluded From a Request?
When responding to a DSAR, you're required to exclude some types of data.
First, the information you send to the data subject shouldn't include any personal information that doesn't belong to the data subject. You may run into this when the requested data is found among another client's personal data.
Second, a data request can be made on behalf of someone, including when:
- A court appoints someone to handle a data subject's affairs
- A parent or guardian wants to protect information about a child
- A lawyer requests information on behalf of their client or employer
- A data subject asks a friend or family member for help with making the request
In these cases, it's important to leave out some sensitive information about the data subject, such as social security numbers, driver's license information, and addresses.
Third, when an employee makes a DSAR of your business, you can redact all information that isn't relevant to the employee themselves. For example, their name might be on an email containing confidential business information or in the body of an email about a different employee. In both of these cases, you don't need to share the information that doesn't directly concern the employee.
DSARs — GDPR vs. CCPA
There are currently two significant data privacy laws in place that you should be aware of — the GDPR and CCPA.
The Global Data Protection Regulation (GDPR) was established in 2018 and strictly monitors a vast amount of online data. It's focused on protecting the data of each person in the EU, whether it's collected online or in person and regardless of the location of the company doing the collecting.
The California Consumer Privacy Act (CCPA), on the other hand, went into effect in 2020. It's similar in scope to the GDPR but it protects the data of California residents instead of people in the EU. In a nutshell, the CCPA is far less strict than the GDPR.
Key Differences Between GDPR and CCPA
When comparing the GDPR and CCPA, there are three differences that you should be aware of:The penalties:
- The GDPR is strict with its non-compliance financial penalties, which can be as steep as 4% of your company's annual global turnover.
- The CCPA allows consumers to seek action against your company if their data is involved in a breach. Otherwise, the California Attorney General can penalize your company if it's found to violate the act. The penalties are $2,500 for each violation and $7,500 for each intentional violation.
- The GDPR applies to businesses of any kind and includes their websites. Whether you run an eCommerce business or a non-profit organization, the GDPR rules will apply to you if you have customers or clients in the EU.
- The CCPA only applies to your company if it's for-profit, has a gross annual revenue under $25 million, and collects, buys, and/or sells the data of under 50,000 customers in California. Also, at least 50% of your revenue must come from selling data.
- The GDPR covers all data that your company processes but doesn't look at the purpose that the data will be used for.
- The CCPA doesn't protect a wide range of data. It largely focuses on for-profit businesses of a certain size, which is determined according to the company's revenue and scale of operations.
How Can Enzuzo Help Me With a DSAR?
Understanding and managing DSARs should always be on your radar as an eCommerce business owner. Luckily, an all-in-one privacy compliance software like Enzuzo make this process easy to fit into your business's flow.
Enzuzo focuses on automating data subject access requests, making them less of a burden for small and medium businesses.
No matter what your business size is you can respond to DSARs quickly and efficiently. This minimizes your risk of expensive fines while helping you maintain your customers' trust.