
Learn how to handle data subject access requests

Data subject access requests (DSARs) definition

Data subject access requests (DSARs) are requests a person (data subject) can make to an organization (data controller) regarding their personal data.

We will also use the terms “data request” and “privacy request” when talking about the variety of requests people may make to exercise their rights under the GDPR and other global data privacy laws.

Types of data subject access requests

Data access requests could potentially come from customers, leads, partners, vendors, employees — anyone you have dealt with in the course of your business. Privacy regulations make it very easy for people to make such requests, putting the burden of tracking and responding to them on your company.

Someone can simply ask about their data in an email or even in a chat box, saying something like:

“Please delete my data.”

“I’d like to know what personal data of mine you have.”

“I’m changing [insurance providers/suppliers/etc.], please forward all my personal data to _____.”

The requests above may appear casual, but they are all official and valid DSARs, and your company is required to respond to them formally within a set period of time (usually 30 days).

How can you make sure you never miss a request?

  1. Put a request portal on your website to organize and track incoming requests automatically.
  2. Learn to recognize different types of data requests that are considered legally binding.

The requests your company must respond to include:

Insight requests

A person can ask you how their data is being collected, used, stored, and whether it is being shared.

Access requests

A person can ask you for a complete copy of all data you store about them.

Rectification requests

A person can ask you to make changes or correct errors in their data.


Transfers (data portability)

A person can ask you to transfer their data to another company or another third party.

Deletion requests

A person can request “to be forgotten”, in which case you must delete all their data.


Requests to limit processing

A person can ask you to limit what you do with their data in a specific way.

Opt-out/objection requests 

The CCPA allows people to “opt-out”, restricting you from selling their data. Most laws let people object to other uses of their data.

How to handle DSARs

Each time someone submits a DSAR, you must respond to it promptly, usually within 30 days. This can put quite a strain on your company’s resources, taking time, money, and attention away from other projects.

Let’s consider what you can do to make the whole data request process smoother, from start to finish. Here is a step-by-step guide with best practices for handling DSARs:

Collect all requests in one place

Privacy rules don’t specify how requests should be made. To avoid fielding requests by phone, email, DM, etc., set up a standard place on your website for people to make requests. We suggest adding a request link to your privacy policy. 

Log each request you receive

Keep track of each request you receive, noting when it is due, and who should respond to it. This will help you respond on time, and then demonstrate your compliance to the authorities. 

Verify the requestor’s identity

You must make sure you only send personal data to its true owner. Prevent fraud and identity theft by verifying each requestor’s identity first, before proceeding with fulfillment.

Notify the person that you have received their request

Acknowledge the request with a brief response that explains how you will respond and when. This initial response is a good practice to build trust and is required under some regulations. For example, the CCPA requires you to confirm receipt of requests within 10 business days.  

Set up reminders for your team to respond on time

Failing to respond on time to data requests brings expensive fines and brand damage that is difficult to recover from. The assumption is, if your response isn’t forthcoming, you may have something to hide. Make sure the assigned person(s) knows when the request is due. 

Find and sort the person’s data to prepare your response

Find and organize all the personal data you store about the requestor. This is a time-consuming and risky process if done manually; spreading the data around to too many systems and team members could put it at risk of breach. 

Export the data in the right format

If data needs to be sent back to the requestor or forwarded to a third party, you should send it in a commonly used, machine-readable format. 

Delete data thoroughly

When you get a request “to be forgotten” or to delete a person’s data, you must identify and delete that person’s data across all systems and employees AND all third-party vendors and partners with whom the personal information has been shared. 
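To make the steps above concrete, here is an added example (not part of the original page and not the RequestManager product) of a minimal DSAR register in Python. It computes the 30-day response deadline and the CCPA 10-business-day acknowledgement deadline, keeps a per-request audit log, lists requests coming due so reminders can be sent, refuses to export or erase anything until identity has been verified, filters the export strictly to the requestor’s own records so nobody else’s data is included, and on erasure reports which third parties received the data and therefore must be notified. All names, the example systems and the sample records are constructed.

```python
"""Toy DSAR register illustrating the workflow steps above.
Added example, not the page's product; all names and sample data are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
import json

RESPONSE_DAYS = 30        # usual statutory window for the substantive response
ACK_BUSINESS_DAYS = 10    # CCPA window to confirm receipt of a request


def add_business_days(start: date, n: int) -> date:
    """Advance n weekdays (public holidays ignored for brevity)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


@dataclass
class DSAR:
    request_id: str
    subject: str            # identifier used across systems; here an email address
    request_type: str       # "access", "portability", "deletion", ...
    received: date
    assignee: str
    identity_verified: bool = False
    acknowledged: Optional[date] = None
    fulfilled: Optional[date] = None
    audit_log: list = field(default_factory=list)

    @property
    def ack_due(self) -> date:
        return add_business_days(self.received, ACK_BUSINESS_DAYS)

    @property
    def response_due(self) -> date:
        return self.received + timedelta(days=RESPONSE_DAYS)

    def note(self, when: date, event: str) -> None:
        self.audit_log.append(f"{when.isoformat()} {event}")


class DSARRegister:
    def __init__(self, systems: dict):
        # systems: {system_name: [record dicts with a "subject" key]}; a stand-in for real data stores
        self.systems = systems
        self.requests: dict = {}

    def receive(self, req: DSAR) -> DSAR:
        req.note(req.received, f"received {req.request_type} request, assigned to {req.assignee}")
        self.requests[req.request_id] = req
        return req

    def acknowledge(self, rid: str, when: date) -> None:
        r = self.requests[rid]
        r.acknowledged = when
        r.note(when, f"acknowledged; response due {r.response_due.isoformat()}")

    def verify_identity(self, rid: str, when: date, method: str) -> None:
        r = self.requests[rid]
        r.identity_verified = True
        r.note(when, f"identity verified via {method}")

    def reminders(self, today: date, horizon_days: int = 7) -> list:
        """Ids of open requests that are overdue or due within the horizon."""
        return sorted(rid for rid, r in self.requests.items()
                      if r.fulfilled is None and r.response_due <= today + timedelta(days=horizon_days))

    def _records_for(self, subject: str) -> dict:
        # Filter strictly on the subject so no one else's data lands in the response
        return {name: [rec for rec in recs if rec.get("subject") == subject]
                for name, recs in self.systems.items()}

    def export(self, rid: str, when: date) -> str:
        """Machine-readable (JSON) copy of the subject's data; refuses unverified requests."""
        r = self.requests[rid]
        if not r.identity_verified:
            raise PermissionError(f"{rid}: identity not verified, refusing to release data")
        payload = {"request_id": rid, "subject": r.subject, "data": self._records_for(r.subject)}
        r.fulfilled = when
        r.note(when, "exported data as JSON")
        return json.dumps(payload, indent=2, sort_keys=True)

    def erase(self, rid: str, when: date) -> dict:
        """Delete the subject's records in every system; report counts and third parties to notify."""
        r = self.requests[rid]
        if not r.identity_verified:
            raise PermissionError(f"{rid}: identity not verified, refusing to delete")
        removed, third_parties = {}, set()
        for name, recs in self.systems.items():
            mine = [rec for rec in recs if rec.get("subject") == r.subject]
            third_parties.update(p for rec in mine for p in rec.get("shared_with", []))
            self.systems[name] = [rec for rec in recs if rec.get("subject") != r.subject]
            removed[name] = len(mine)
        r.fulfilled = when
        r.note(when, f"erased {sum(removed.values())} records; notify {sorted(third_parties)}")
        return {"removed": removed, "notify": sorted(third_parties)}


# Constructed sample data standing in for a CRM and a support tool
SYSTEMS = {
    "crm": [{"subject": "ana@example.com", "name": "Ana", "shared_with": ["mailer-vendor"]},
            {"subject": "bo@example.com", "name": "Bo"}],
    "support": [{"subject": "ana@example.com", "ticket": 42, "shared_with": ["helpdesk-saas"]}],
}
```

The verification gate is deliberately enforced inside `export` and `erase` rather than left to the operator, so that a request can never be fulfilled from an unverified state by mistake; the audit log on each request is what you would show an authority to demonstrate that the deadlines were met.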

Pitfalls to avoid

If you are making the DSAR mistakes below, you could be subject to fines: 

  • You miss or overlook DSARs 
  • You do not verify people’s identities 
  • You do not respond on time 
  • You spread data to too many employees and systems while processing the request 
  • You do not encrypt your response 
  • You do not log your DSAR response to demonstrate compliance 
  • You deliver the data requested to the wrong person 
  • You include someone else’s personal data in your response 
  • You have no plan or process in place to handle future DSARs 

Take action

Neglecting DSARs and handling them improperly are equally devastating to your business.

With so much information for each customer spread across multiple systems and employees, it is easy to make mistakes when processing requests manually. 

Even if you do everything right, manual request fulfillment is tedious and expensive. 

A UK analysis from the Data Privacy Group shows companies now get an average of six DSARs each month, with some companies getting up to 28 requests a month. With each request costing around £1,000, that quickly adds up, from £72,000 to £336,000 per company per year.

Using an automated solution to receive and respond to requests is the best way to comply with privacy regulations, save time and money, and avoid exposing data to leaks while processing data subject access requests.

Our RequestManager automates the best practices we’ve listed above and makes it easy for you to handle data subject access requests properly. Coupled with DataMapper for data discovery, you will have the fastest, easiest way to handle data requests.

Our Request Manager helps you track and respond to data privacy requests (DSARs) on time to ensure compliance with privacy regulations.

  • Collect all requests in one place
  • Log each request you receive 
  • Verify all requestors’ identity 
  • Notify each person that you have received their request 
  • Remind assigned employees to start work on the request 
  • Find and sort data, getting it ready to export, share, or delete 
  • Export data in a commonly used, machine-readable format  
  • 4-eye approval option to review responses for accuracy 
  • Send requested data securely with state-of-the-art encryption 

Find data faster

Add DataMapper for faster data discovery:

  • DataMapper finds personal data across your systems
  • Data is protected with zero-knowledge encryption
  • Pull up a specific person’s data instantly
  • Export data in a machine-readable format

Sebastian Allerelli

Governance, risk, and compliance specialist
