
Understanding Data Subject Rights and Data Subject Access Requests under the GDPR 

The General Data Protection Regulation (GDPR) is a European Union law that governs how companies may collect and use the personal data of EU residents and how they must respond to data breaches.

The GDPR codifies a set of specific data subject rights and empowers individuals to submit data subject access requests (DSARs) to organizations. This article explains what those rights are, how the GDPR subject access request process works, and how organizations can get started creating a process that ensures efficient responses to these requests.

What rights can individuals exercise under the GDPR?

The GDPR provides 8 rights for individuals, which can be grouped into the following 6 categories:

1. What information do you hold on me, and why?

This category covers two rights:

  • The right to be informed (Articles 13 and 14). EU residents have the right to clear and accurate details about what personal information an organization has collected about them, even if that means knowing that the company has collected no data about them.
  • The right of access (Article 15). People are entitled to know whether and how their personal data is being processed, including the categories of data collected, the purpose of the processing, to whom the data is disclosed, how long it will be stored and where the information was obtained.

2. You have incorrect information about me; I want it corrected.

The right to rectification (Article 16). The GDPR requires companies to ensure that personal data is accurate and up to date. Individuals have the right to request that inaccurate personal data be corrected or incomplete data be completed. To ensure compliance, you need tight integration across all your data systems and processes so that data updated in one system is automatically and correctly updated in every other location where it is held.

3. I don’t want you to hold data on me anymore. Please delete it!

This category covers two rights:

  • The right to erasure (right to be forgotten) (Article 17). A person can request that an organization remove their personal information from its records and resources and immediately cease further dissemination of the data.

The company must delete data that meets any of the following criteria:

  • Was collected unlawfully
  • Is no longer needed
  • Was collected during the person’s childhood
  • Appears online

However, the organization can deny the erasure request if complying with it would conflict with any of the following:

  • The right of freedom of expression
  • Reasons of public interest in the area of public health or scientific or historical research
  • The establishment, exercise, or defense of legal claims

Note that even if your company is allowed to retain a person’s data, you need to get the data subject’s consent for further processing.

  • The right to restriction of processing (Article 18). If it is unclear whether an individual’s data must be deleted, the person can still request a temporary restriction on its processing until the company fixes the issue, informs the individual and gets consent. Complying with this GDPR right requires case-by-case examination.

4. I want to transfer the information you hold on me to another service provider.

The right to data portability (Article 20). A person has the right to require a company to move their personal data to another service provider. This right promotes interoperability by facilitating the transfer of user data between data controllers. It also encourages competition between digital services because users can switch between providers without losing their personal data.

To comply with this provision, you should provide data in a structured machine-readable format that you can transmit directly to the other provider.

5. Stop calling me!

The right to object to data processing activities (Article 21). Individuals can require companies to stop using their data for marketing or other purposes unless the company can provide a legitimate need for that processing. Valid reasons for refusing this DSAR could include that the request was excessive or unfounded or that the requested data is used for public, historical or statistical purposes or for the exercise of legal claims.

DSAR compliance usually involves moving the data to another internal IT system.

6. Your automated system makes decisions that affect my legal interests.

Rights in relation to automated decision-making and profiling (Article 22). A person can object to automated processing of their data. Whenever personal data is subjected to automated decision-making and profiling, you have to provide “meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.”

The three valid reasons for performing automatic processing and profiling are:

  • The person gave their consent.
  • The processing is necessary for the entry into or performance of a contract.
  • The processing is authorized by Union or Member State law applicable to the controller.

How do organizations need to respond to data subject access requests (DSARs)?

What actions do we need to take when we receive a DSAR?

When an individual exercises their GDPR rights through a data subject access request, you need to inform them whether you are processing their personal data and if so, provide them with a copy of that data, supplementary information about its collection and processing, and your privacy notice. You must respond even if you didn’t collect any personal data from the individual making the request.

GDPR rights are not absolute; an individual’s fundamental rights have to be balanced against factors such as legitimate public interest. If you have solid grounds, you can refuse to comply with a DSAR, but you must clearly explain your reasons. You can charge a reasonable fee for the administrative costs and efforts required to reply.

You should have a process in place to address DSARs promptly — whether you choose to comply with a DSAR or refuse it, you have one month to respond.

What data needs to be provided?

The GDPR applies to personal data — any data that relates to or can be used to identify a person in any way. Examples include emails sent between certain people during a certain period, all workplace data and HR records related to the individual, and the person’s medical history.

What supplementary data must be provided?

In addition to a copy of the individual’s personal data, organizations also have to provide the following information:

  • The purposes of the processing
  • The categories of personal data collected
  • The recipients that personal data is disclosed to or shared with
  • How long the personal data is held
  • Advice on additional rights, such as the right to object to processing, the right to request rectification or restrict processing, and the right to lodge a complaint with the ICO or another supervisory authority
  • Where you got the data if not directly from the data subject
  • The existence of any use of automation in data collection or decision-making
  • The security measures you provide if you transfer personal data to a third country or an international organization

You should also inform each person who makes a DSAR that they can lodge a complaint with the Data Protection Commission (DPC) or seek a judicial remedy. You should give contact information for your company or your Data Protection Officer (DPO) so the data subject can easily communicate with the right individual about any issues or further desires regarding the future of their personal data.


How can we ensure we can handle DSARs?

The best way to ensure compliance with the data subject rights detailed above is to implement the following best practices:

Know your data.

It’s essential to know precisely what regulated information you have, where it resides, where it came from, whom you share it with and your purposes in processing it. Personal data can be stored in a wide range of repositories, including email, personal computers, file stores, databases and cloud-based platforms. If you have to perform a manual search across all these silos for each DSAR, there’s a high risk that you will miss relevant information or fail to meet the 30-day deadline.

Therefore, an automated data discovery and classification solution is a wise investment. These solutions scan your data repositories for regulated data and other sensitive content, and tag it with clear labels. You can use the labels to tailor your data protection strategy and quickly find the data you need to comply with a DSAR.
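As an added illustration of the discovery step described above (example code written for this article, not a Netwrix product or any vendor's code), the following Python scanner tags items in several constructed sample repositories with classification labels and then answers the question a DSAR raises first: where does data about this person live? The repository contents, label names and detection patterns are all constructed for the example.

```python
import re

# Constructed sample repositories (repository name -> {location: content}); not real data.
REPOSITORIES = {
    "mailbox": {
        "inbox/0001.eml": "From: jane.doe@example.com\nSubject: invoice\nPlease see attached.",
        "inbox/0002.eml": "From: sales@example.org\nSubject: newsletter\nNo personal data.",
    },
    "hr_share": {
        "hr/contracts/J_Doe.txt": "Employee: Jane Doe, jane.doe@example.com, phone +44 20 7946 0000",
        "hr/policies/handbook.txt": "Company handbook. General rules only.",
    },
    "crm_db": {
        "customers/row/17": "name=Jane Doe;email=jane.doe@example.com;dob=1985-04-12",
        "customers/row/18": "name=Bob Roe;email=bob@example.net",
    },
}

# Illustrative classification patterns; a real solution would use far richer detectors.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "PHONE": re.compile(r"\+\d[\d ]{8,}\d"),
    "DATE_OF_BIRTH": re.compile(r"\b(?:dob|birth)\W*\d{4}-\d{2}-\d{2}", re.I),
}

def classify(repositories=REPOSITORIES):
    """Scan every item once, tag it with the labels that match, and index the
    e-mail addresses it contains so later DSAR lookups need no rescan."""
    index = []
    for repo, items in repositories.items():
        for location, text in items.items():
            labels = {name for name, rx in PATTERNS.items() if rx.search(text)}
            if not labels:
                continue  # nothing regulated here; leave it out of the index
            emails = {m.lower() for m in PATTERNS["EMAIL"].findall(text)}
            index.append({"repo": repo, "location": location,
                          "labels": labels, "emails": emails})
    return index

def locate_subject_data(subject_email, index):
    """Discovery step of a DSAR: every indexed location that mentions the subject,
    keyed as repo:location, with the sorted labels found there."""
    subject_email = subject_email.lower()
    return {f"{r['repo']}:{r['location']}": sorted(r["labels"])
            for r in index if subject_email in r["emails"]}

if __name__ == "__main__":
    for where, labels in locate_subject_data("jane.doe@example.com", classify()).items():
        print(where, labels)
```

Running it lists the mailbox item, the HR contract and the CRM row that mention the subject, each with the kinds of regulated data found there; the handbook and the newsletter never enter the index.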


Ensure you have a documented purpose and consent for all regulated data.

Once you know what data you have, figure out why you stored it in the first place. Having clear documentation of each subject’s consent is critical for justifying storing and processing their data. If you do not have a clear reason for storing a given piece of data, delete it.

Create rules for handling each type of sensitive data.

Establishing data-centric security workflows will help you avoid costly data breaches and compliance violations. These workflows should be based on careful consideration of questions such as:

  • Where should each type of data be stored and for how long?
  • Who should have access to which data?
  • How may specific types of data be used?

Regularly assess and mitigate your IT risks.

Establish a reliable risk assessment and mitigation process to identify and prioritize the risks threatening data security, and exercise it on a regular schedule. Ideally, you want to cover all risks, but in practice, you have to protect your most important or sensitive data first. Update access rights to make sure that protected information is available only to authorized personnel and only on a need-to-know basis.

In 2022, the GDPR instituted a new requirement for data controllers to report security breaches. Under the new rule, data controllers must report any data breach to the authorities within 72 hours.

The GDPR has also increased the fines on businesses that incur data breaches.

Document your security policies and update them regularly.

These policies are your evidence that your company is doing everything it can to properly store and process the personal data of customers. Whenever you modify your policies, document each change you make.

Consider engaging a Data Protection Officer (DPO).

If you are uncertain about personal data management, consult with or hire a DPO — an internal or external advisor who has responsibility for GDPR compliance. Some companies are required to appoint a DPO, including public authorities, companies that conduct systematic and large-scale monitoring of individuals, and companies doing large-scale processing of certain categories of data.

Provide an easy way for people to submit DSARs.

Many companies offer online DSAR forms to ensure requests go to the correct person or department and contain the necessary information. Without such a form, customers are likely to submit their request using the first email address they find — starting the 30-day timer even though the recipient might not be responsible for anything related to GDPR compliance.

Authenticate each request.

You must confirm that each request is made by a legitimate person. However, you should not request GDPR-protected data that you don’t already have, such as identity card numbers, passports or other official documents. Instead, a good option is to verify the request by asking the person to provide some personal information you already have.

How can Netwrix help you respond to DSARs?

Netwrix can help you solve your GDPR compliance challenges. You can know exactly what regulated data you store and where it is located, and discover all information about an individual in just a few clicks, making DSAR response a breeze.

More broadly, Netwrix solutions help organizations protect all their sensitive data. They can establish strong data governance, remove inappropriate access, enforce security policies and detect advanced threats in a timely manner to avoid security breaches.

Our team of experts has a solid understanding of not just the GDPR but the California Consumer Privacy Act (CCPA) and many other data security regulations. They provide organizations with tailored, focused advice to meet their regulatory and compliance needs.

Frequently Asked Questions

How does a DSAR work?

Individuals submit a DSAR to learn what data a particular business (“data collector”) stores about them. In most cases, the business is required to fulfill the DSAR by promptly providing the requested information.

How long does an organization have to respond to a DSAR?

The DSAR process is expected to move quickly. Data collectors have one calendar month to respond to a DSAR.

What is an example of a DSAR?

Data subjects can make a DSAR either verbally or in writing. They may use email, social media or paper to make a written request. A DSAR might say, “Please send me a copy of any personal data you have stored on me.” DSARs can specify the format in which the data subject wants to receive the information.

What should be included in a DSAR?

Organizations should make it easy for data subjects to submit DSARs that provide all the information required to respond, including:

  • The data subject’s name and address
  • The date of the request
  • A customer account number or employee number, where relevant
  • Contact information
  • A precise list of the personal data being requested

What data can a person request?

Data subjects can request all personal data that an organization has collected about them.

What is the difference between a DSAR and a SAR?

There is no difference; subject access request (SAR) is simply another term for a DSAR.

Anthony is a seasoned executive in the IT industry, with over 25 years of experience. At Netwrix, he serves as Field CISO for the EMEA and APAC regions, leveraging his expertise to ensure that partners and customers are well equipped to face the challenges of cybersecurity.