Learn how to handle data subject access requests
Data subject access requests (DSARs) definition
Data subject access requests (DSARs) are requests a person (data subject) can make to an organization (data controller) regarding their personal data.
We will also use the terms “data request” and “privacy request” when talking about the variety of requests people may make to exercise their rights under the GDPR and other global data privacy laws.
Types of data subject access requests
Data access requests could potentially come from customers, leads, partners, vendors, employees — anyone you have dealt with in the course of your business. Privacy regulations make it very easy for people to make such requests, putting the burden of tracking and responding to them on your company.
Someone can simply ask about their data in an email or even in a chat box, saying something like:
“Please delete my data.”
“I’d like to know what personal data of mine you have.”
“I’m changing [insurance providers/suppliers/etc.], please forward all my personal data to _____.”
The requests above may appear casual, but they are all official and valid DSARs, and your company is required to respond to them formally within a set period of time (usually 30 days).
How can you make sure you never miss a request?
- Put a request portal on your website to organize and track incoming requests automatically.
- Learn to recognize different types of data requests that are considered legally binding.
The requests your company must respond to include:
A person can ask you how their data is being collected, used, stored, and whether it is being shared.
A person can ask you for a complete copy of all data you store about them.
A person can ask you to make changes or correct errors in their data.
Transfers (data portability)
A person can ask you to transfer their data to another company or another third party.
A person can request “to be forgotten”, in which case you must delete all their data.
Requests to limit processing
A person can ask you to limit what you do with their data in a specific way.
The CCPA allows people to “opt-out”, restricting you from selling their data. Most laws let people object to other uses of their data.
How to handle DSARs
Each time someone submits a DSAR, you must respond to it promptly, usually within 30 days. This can put quite a strain on your company’s resources, taking time, money, and attention away from other projects.
Let’s consider what you can do to make the whole data request process smoother, from start to finish. Here is a step-by-step guide with best practices for handling DSARs:
Collect all requests in one place
Log each request you receive
Keep track of each request you receive, noting when it is due, and who should respond to it. This will help you respond on time, and then demonstrate your compliance to the authorities.
Verify the requestor’s identity
You must make sure you only send personal data to its true owner. Stop fraud and identity theft by verifying each requester’s identity first thing, before proceeding with fulfillment.
Notify the person that you have received their request
Acknowledge the request with a brief response that explains how you will respond and when. This initial response is a good practice to build trust and is required under some regulations. For example, the CCPA requires you to confirm receipt of requests within 10 business days.
Set up reminders for your team to respond on time
Failing to respond on time to data requests brings expensive fines and brand damage that is difficult to recover from. The assumption is, if your response isn’t forthcoming, you may have something to hide. Make sure the assigned person(s) knows when the request is due.
Find and sort the person’s data to prepare your response
Find and organize all the personal data you store about the requestor. This is a time-consuming and risky process if done manually; spreading the data around to too many systems and team members could put it at risk of breach.
Export the data in the right format
If data needs to be sent back to the requestor or forwarded to a third party, you should send it in a commonly used, machine-readable format.
Delete data thoroughly
When you get a request “to be forgotten” or to delete a person’s data, you must identify and delete that person’s data across all systems and employees AND all third-party vendors and partners with whom the personal information has been shared.
Pitfalls to avoid
If you are making the DSAR mistakes below, you could be subject to fines:
- You miss or overlook DSARs
- You do not verify people’s identities
- You do not respond on time
- You spread data to too many employees and systems while processing the request
- You do not encrypt your response
- You do not log your DSAR response to demonstrate compliance
- You deliver the data requested to the wrong person
- You include someone else’s personal data in your response
- You have no plan or process in place to handle future DSARs
Neglecting DSARs or handling them improperly are both equally devastating to your business.
With so much information for each customer spread across multiple systems and employees, it is easy to make mistakes when processing requests manually.
Even if you do everything right, manual request fulfillment is tedious and expensive.
A UK Analysis from the Data Privacy Group shows companies now get an average of six DSARs each month, with some companies getting up to 28 requests a month. With each request worth around £1,000, that quickly adds up, from £72,000 to £336,000 per company per year.
Using an automated solution to receive and respond to requests is the best way to comply with privacy regulations, save time and money; and avoid exposing data to leaks while processing data subject access requests.
Our RequestManager automates the best practices we’ve listed above and makes it easy for you to handle data subject access requests properly. Coupled with DataMapper for data discovery, you will have the fastest, easiest way to handle data requests.
- Collect all requests in a one place
- Log each request you receive
- Verify all requestors’ identity
- Notify each person that you have received their request
- Remind assigned employees to start work on the request
- Find and sort data, getting it ready to export, share, or delete
- Export data in a commonly used, machine-readable format
- 4-eye approval option to review responses for accuracy
- Send requested data securely with state-of-the-art encryption