Data subject access requests and your company
Handling data subject access requests involves identifying, evaluating and fulfilling requests for personal data, in accordance with the law. It requires the organisation, storage and security of data, as well as effective communication with the individuals who have requested their information.
This blog describes how you should handle data requests in your company when you receive them. Being able to handle data requests is, according to the GDPR, part of responsible processing of personal data.
What is a data subject access request (DSAR)?
Data subject access requests (DSARs) are requests a person (data subject) can make to an organisation (data controller) regarding their personal data. We will also use the terms “data request” and “privacy request” when talking about the variety of requests people may make to exercise their rights under the GDPR and other global data privacy laws.
Start your GDPR cleanup where it is needed the most
Sensitive data tends to accumulate in the employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.
Types of data subject access requests
Data access requests could potentially come from customers, leads, partners, vendors, employees — anyone you have dealt with in the course of your business. Privacy regulations make it very easy for people to make such requests, putting the burden of tracking and responding to them on your company. Someone can simply ask about their data in an email or even in a chat box, saying something like:
- “Please delete my data.”
- “I’d like to know what personal data of mine you have.”
- “I’m changing [insurance providers/suppliers/etc.], please send all my personal data.”
The requests above may appear casual, but they are all official and valid DSARs, and your company is required to respond to them formally within a set period of time (usually 30 days).
How can you make sure you never miss a request?
- Put a request portal on your website to organise and track incoming requests automatically.
- Learn to recognise different types of data requests that are considered legally binding.
The requests your company must respond to include:
- Insight requests: A person can ask you how their data is being collected, used, stored, and whether it is being shared.
- Access requests: A person can ask you for a complete copy of all data you store about them.
- Rectification requests: A person can ask you to make changes or correct errors in their data.
- Transfers (data portability): A person can ask you to transfer their data to another company or another third party.
- Deletion requests: A person can request “to be forgotten”, in which case you must delete all their data.
- Requests to limit processing: A person can ask you to limit what you do with their data in a specific way.
- Opt-out/objection requests: The CCPA allows people to “opt-out”, restricting you from selling their data. Most laws let people object to other uses of their data.
How to handle DSARs
Each time someone submits a DSAR, you must respond to it promptly, usually within 30 days. This can put quite a strain on your company’s resources, taking time, money, and attention away from other projects. Let’s consider what you can do to make the whole data request process smoother, from start to finish. Here is a step-by-step guide with best practices for handling DSARs:
1. Collect all requests in one place
Privacy rules don’t specify how requests should be made. To avoid fielding requests by phone, email, DM, etc., set up a standard place on your website for people to make requests. We suggest adding a request link to your privacy policy.
2. Log each request you receive
Keep track of each request you receive, noting when it is due, and who should respond to it. This will help you respond on time, and then demonstrate your compliance to the authorities.
3. Verify the requestor’s identity
You must make sure you only send personal data to its true owner. Stop fraud and identity theft by verifying each requester’s identity first thing, before proceeding with fulfillment.
4. Notify the person that you have received their request
Acknowledge the request with a brief response that explains how you will respond and when. This initial response is a good practice to build trust and is required under some regulations. For example, the CCPA requires you to confirm receipt of requests within 10 business days.
5. Set up reminders for your team to respond on time
Failing to respond on time to data requests brings expensive fines and brand damage that is difficult to recover from. The assumption is, if your response isn’t forthcoming, you may have something to hide. Make sure the assigned person(s) knows when the request is due.
6. Find and sort the person’s data to prepare your response
Find and organise all the personal data you store about the requestor. This is a time-consuming and risky process if done manually; spreading the data around to too many systems and team members could put it at risk of breach.
7. Export the data in the right format
If data needs to be sent back to the requestor or forwarded to a third party, you should send it in a commonly used, machine-readable format.
8. Delete data thoroughly
When you get a request “to be forgotten” or to delete a person’s data, you must identify and delete that person’s data across all systems and employees AND all third-party vendors and partners with whom the personal information has been shared.
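To make steps 2 to 5 and 7 concrete, here is an added example (not code from the article or from Safe Online) of a minimal DSAR log entry: it records who owns the request, computes the 30-day response deadline and the CCPA 10-business-day acknowledgement deadline from the receipt date, keeps an audit trail, and refuses to export the subject's data until identity verification has been recorded. The request categories, the `DSAR` class and its field names are assumptions for illustration; public holidays are not modelled.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
import json

# Figures from the article: respond within 30 days; CCPA acknowledgement within
# 10 business days. The request categories are the article's own list.
REQUEST_TYPES = {"insight", "access", "rectification", "transfer",
                 "deletion", "limit_processing", "objection"}
RESPONSE_DEADLINE_DAYS = 30
CCPA_ACK_BUSINESS_DAYS = 10

def add_business_days(start: date, n: int) -> date:
    """Advance n business days (Mon-Fri only; public holidays are not modelled)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d

@dataclass
class DSAR:
    request_id: str
    subject_email: str
    request_type: str
    received: str                   # ISO date the request came in
    owner: str                      # who is responsible for responding (step 2)
    identity_verified: bool = False
    log: list = field(default_factory=list)  # audit trail to show compliance
    def __post_init__(self):        # step 2: reject unknown types, log receipt
        if self.request_type not in REQUEST_TYPES:
            raise ValueError(f"unknown request type {self.request_type!r}")
        self.log.append(("received", self.received))
    @property
    def due(self) -> date:          # step 5: overall response deadline
        return date.fromisoformat(self.received) + timedelta(days=RESPONSE_DEADLINE_DAYS)
    @property
    def ack_due(self) -> date:      # step 4: CCPA acknowledgement deadline
        return add_business_days(date.fromisoformat(self.received), CCPA_ACK_BUSINESS_DAYS)
    def verify_identity(self, checked_by: str, on_iso: str) -> None:
        self.identity_verified = True   # step 3: fulfilment is gated on this flag
        self.log.append(("identity_verified", on_iso, checked_by))
    def export(self, records: dict, on_iso: str) -> str:
        """Step 7: release the subject's data as JSON, never before verification."""
        if not self.identity_verified:
            raise PermissionError("identity not verified; data must not be released")
        self.log.append(("exported", on_iso))
        return json.dumps({"subject": self.subject_email, "data": records}, indent=2)
```

The `log` list is what you would show an authority to demonstrate that the request was received, verified and answered on time.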
Pitfalls to avoid
If you are making the DSAR mistakes below, you could be subject to fines:
- You miss or overlook DSARs
- You do not verify people’s identities
- You do not respond on time
- You spread data to too many employees and systems while processing the request
- You do not encrypt your response
- You do not log your DSAR response to demonstrate compliance
- You deliver the data requested to the wrong person
- You include someone else’s personal data in your response
- You have no plan or process in place to handle future DSARs
Do this to handle data access requests correctly
Neglecting DSARs and handling them improperly are equally devastating to your business. With so much information about each customer spread across multiple systems and employees, it is easy to make mistakes when processing requests manually. Even if you do everything right, manual request fulfilment is tedious and expensive.
A UK analysis from the Data Privacy Group shows companies now get an average of six DSARs each month, with some companies getting up to 28 requests a month. With each request costing around £1,000 to handle, that quickly adds up: from £72,000 to £336,000 per company per year.
Using an automated solution to receive and respond to requests is the best way to comply with privacy regulations, save time and money, and avoid exposing data to leaks while processing data subject access requests. One such solution is a DSR portal, a dedicated portal for data requests.
The smart way to handle data access requests
At Safe Online, we have developed a DSR portal, RequestManager, which automates and makes it easy to handle data requests correctly.
Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist