In this article, you will learn answers to the most frequently asked questions about DSARs and get valuable tips for how to handle these requests efficiently.
What is a DSAR?
A data subject access request is a request an individual makes to learn what personal data an organization (called a data controller) has collected about them.
For example, the EU’s General Data Protection Regulation (GDPR) grants individuals the right to find out what an organization holds about them by submitting a data subject access request (DSAR). Specifically, Recital 63 of the GDPR states: “a data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”
Legal frameworks that address data subject access rights
The GDPR is not the only regulation that has provisions concerning data subject access rights. Others include:
- UK Data Protection Act 2018 — Mirrors GDPR provisions, including the right of individuals to submit DSARs, but provides additional details and exemptions specific to the UK context.
- California Consumer Privacy Act (CCPA) — Modeled on the GDPR, it grants California residents the right to request information about the personal data collected by businesses.
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) — Governs the collection and use of personal information in Canada’s private sector. Individuals have the right to access their personal information and request corrections through a DSAR.
- Health Insurance Portability and Accountability Act (HIPAA) — Contains specific provisions for the handling of protected health information by US healthcare providers and related entities, and permits individuals to request access to their health records.
- Australian Privacy Act 1988 — Details principles for the handling of personal information by organizations and grants individuals the right to access their personal information and request corrections.
Who can submit a DSAR?
The exact eligibility to submit a data subject access request depends on the specific data protection regulation in force, but in general, the following principles apply:
- Any individual (sometimes called a “natural person”) has the right to submit a DSAR. This includes customers, employees, clients or any other individual whose personal data is processed by an organization.
- In some cases, individuals may authorize a representative, such as a legal guardian, attorney or family member, to submit a DSAR on their behalf.
- There may be specific circumstances where the right to access personal data is limited or excluded, such as when providing access would disclose information about another individual, would violate legal privilege or is otherwise restricted by law.
Individuals are encouraged to familiarize themselves with the relevant laws in their jurisdiction to understand their rights and how to exercise them.
Note that data protection laws typically prohibit organizations from discriminating against individuals who exercise their rights, including the right to submit a DSAR. This means that individuals should be able to submit a request without facing negative consequences.
Who should respond to a submitted DSAR?
In the context of data protection laws, there are often two types of entities:
- Data controllers — Entities that determine the purposes and means of processing personal data
- Data processors — Entities that process data on behalf of data controllers
The responsibility for responding to a DSAR typically falls on the data controller.
Can you refuse to respond to a DSAR?
Data protection laws often provide specific exemptions or limitations that allow a data controller to decline a request. Examples include cases in which the request is manifestly unfounded or excessive, or disclosing certain information would infringe on the rights of others.
However, any refusal must be well-founded and comply with legal requirements, and the data subject should be informed of the reasons for the refusal.
How much time should it take to respond to the submitted DSAR?
The timeframe within which organizations must respond to a DSAR varies among data protection laws, but it is often set at 30 days from the date of receipt of the request. It is crucial for organizations to act promptly to provide the requested information or, if necessary, inform the data subject of any delays and the reasons behind them. Timely and transparent communication is key to ensuring compliance with legal requirements and maintaining trust with data subjects.
Are companies allowed to charge a fee for responding to a DSAR?
In many jurisdictions, individuals have the right to request access to their personal data without being charged a fee. However, there are exceptions, and data protection laws may allow for reasonable fees in certain circumstances. For instance, if a DSAR is manifestly unfounded or excessive, organizations may charge a reasonable fee to cover administrative costs.
It’s essential for organizations to be transparent about any fees, and in most cases, providing access to basic information should be free of charge. Fees should always be in accordance with applicable data protection regulations, and organizations should consider the potential impact on the individual’s ability to exercise their rights.
What is the difference between DSR, DSARs and SARs?
DSR, DSAR, and SAR are all acronyms related to data protection and privacy regulations. Here’s an overview of the differences:
- DSR (Data Subject Request) — This is a broad term that covers requests related to a range of rights that data protection laws grant to individuals regarding their personal data. For example, a DSR can request access to personal data, request correction of inaccuracies, request deletion of data or raise objections to processing.
- DSAR (Data Subject Access Request) — A DSAR is a request made by an individual specifically to learn what personal data that an organization holds about them, perhaps to verify the lawfulness of its collection and processing. DSARs are often associated with the right of access.
- SAR (Subject Access Request) — A SAR is essentially the same as a DSAR; it allows individuals to access their personal data and ensure that the processing is lawful. In particular, the term SAR is used in the UK Data Protection Act.
Keep in mind that the specific requirements of each type of request may vary based on the data protection law.
What is the step-by-step process of making and responding to DSARs?
At a high level, the DSAR process involves the following steps:
- Submit a request — A data subject initiates a DSAR by submitting a request to the data controller. This can often be done in writing, electronically or through designated channels provided by the organization.
- Verify identity — The data controller verifies the identity of the requester to ensure that the personal data is disclosed only to the legitimate data subject or their authorized representative. This step is crucial for safeguarding privacy and preventing unauthorized access.
- Process the request — Once identity is verified, the organization processes the DSAR. This involves determining whether there is a valid reason to deny the request. If not, then the organization must locate and retrieve the requested personal data, review it for relevance and legal compliance, and prepare the response.
- Provide access — If the request is being denied, the organization must inform the data subject of the decision and the reasoning behind it. Otherwise, the organization provides access to the requested personal data and any other required information, as explained below. Options can include providing a secure portal for the data subject to access their information or providing copies of relevant documents.
- Appeal — In the event of a dispute or dissatisfaction with the response, data subjects may have the right to appeal or seek resolution through relevant data protection authorities.
What should be included in a DSAR request?
When submitting a DSAR, individuals should be sure to include the following information:
- Clear identification — The DSAR should clearly identify the data subject making the request. This includes providing sufficient information to verify the requester’s identity.
- Details about the request — Data subjects should specify the personal data they are requesting and the context of their request. Being specific helps ensure a focused and efficient response.
- Preferred format — Data subjects may specify their preferred format for receiving the data (e.g., electronic copy, paper copy). This caters to individual preferences and accessibility needs.
- Contact information — Providing up-to-date contact information ensures that the organization can communicate effectively with the data subject throughout the DSAR process.
What types of personal data should be included in a DSAR response?
Here are some of the types of personal data that might need to be provided in response to a DSAR, along with examples for each category:
- Identity information — Name, address, date of birth and identification numbers
- Contact information — Email addresses, phone numbers and other means of communication
- Financial data — Details about financial transactions, bank accounts and payment history
- Health and medical data — Health records, medical history and insurance information
- Employment data — Work history, salary details and performance evaluations
- Online identifiers — Usernames and IP addresses
- Other data — Details about race, ethnicity or religious beliefs, as well as biometric data
DSAR compliance: challenges and considerations
Grappling with the influx of DSARs can be difficult. Here are some common challenges and tips to improve the DSAR handling process:
Data volume and complexity
Managing the sheer volume and complexity of data involved in DSARs can be overwhelming. Organizations often struggle to locate, gather and present the requested information in a timely manner.
Tip: Implement robust data management systems that streamline the retrieval process. In particular, categorize and index the data you store to expedite searches.
Tight timelines
DSARs come with strict timelines, and meeting these deadlines is imperative to avoid penalties. Time-sensitive requests can strain resources, especially when dealing with a large number of simultaneous requests.
Tip: Establish a well-defined process for handling DSARs, complete with clear timelines and responsibilities, and regularly train staff on that process. In addition, ensure they understand the importance of meeting deadlines.
Verification and security
Validating the identity of the data subject making the request is a critical step in the DSAR process. However, this can be challenging, particularly when dealing with online requests.
Tip: Implement multifactor authentication (MFA) and other verification processes to ensure the legitimacy of requests. Utilize secure communication channels to exchange sensitive information.
Third-party involvement
DSARs may involve third parties or sensitive information related to others. Balancing transparency with privacy concerns is a delicate task, but getting it right is vital to compliance with data protection regulations.
Tip: Clearly detail procedures for handling third-party information in your DSAR policy. Educate staff on the importance of redacting or anonymizing sensitive data when responding to requests, and give them tools that make it easy to do so.
Resource allocation
Allocating the necessary resources to handle DSARs effectively is a common challenge. This includes both human resources for processing requests and financial resources for implementing compliant systems.
Tip: Conduct a cost-benefit analysis to justify investments in technology and personnel. Automate repetitive tasks where possible to optimize resource allocation and improve efficiency.
DSAR compliance checklist
Data subject access requests are becoming increasingly common, so it is critical to ensure you can respond promptly. Your compliance project management team should implement the following best practices:
- Appoint a responsible person. No matter which regulations your organization is subject to, appoint an individual to be in charge of compliance. In the case of the GDPR, if your organization processes the personal data of EU residents regularly, systematically and on a large scale, you are required to designate a data protection officer (DPO), either internal or outsourced. This person serves as a point of contact for data subjects and is responsible for overseeing the company’s data protection strategies for GDPR compliance.
- Develop data handling guidelines. Specify who can access which types of data, where each type of data should be stored and for how long, which documents have to be printed and where those printouts must be kept, which documents can have a digital version, how data must be purged once you no longer need it, and so on.
- Identify the legal basis for processing of personal data. Once you know what regulated data you have, you need to determine and document the legal basis for processing it. This is not just an exercise to justify storing all the data you want; you must ensure you have a legitimate reason to keep the data. Note that simply having a data subject’s consent is not sufficient justification for storing and processing their data.
- Automate data discovery and classification. You must know precisely what regulated information you have, and that information has to be easily discoverable and accessible. The best way to achieve this is through data discovery and classification. Having a clear understanding of what sensitive data you store is valuable for more than just compliance — it will also help you refine your data collection policies, optimize your storage, improve your data management processes, and drive better user productivity and decision-making.
- Perform regular risk assessments. Risk assessment is a security best practice that will strengthen your defenses and help keep your business out of trouble. Performing risk assessments regularly will enable you to quickly adapt to the changing regulatory and cyber-threat landscapes and harden the security of your critical information.
Should you automate DSARs?
Automating DSARs can significantly alleviate the burden associated with manual tasks, helping to ensure not only compliance but also precision in responses. Here are key steps to automate DSARs effectively:
- Perform data mapping and inventory. Begin by conducting a comprehensive data mapping exercise. Identify and catalog all data repositories within your organization.
- Implement robust data management systems. Invest in advanced data management systems that support automation. These systems should allow for efficient data retrieval, categorization and indexing of your data. The best way to achieve this is through data discovery and classification.
- Utilize AI and machine learning. These technologies can learn patterns over time, improving the precision of data retrieval and reducing the likelihood of errors in the DSAR response process.
- Automate workflows. Design and implement automated workflows for DSAR processing. Define a step-by-step process, including data subject verification, data redaction and access approval.
- Establish secure communication channels. Automation can facilitate the secure exchange of information between the organization and the data subject, safeguarding sensitive data throughout the process.
- Automate identity verification. Automated verification processes help ensure that responses are provided only to legitimate data subjects or their authorized representatives.
- Require regular audits and updates. As technology evolves and regulations change, use automated systems to keep your processes aligned with the latest requirements and best practices.
- Create user-friendly portals. User-friendly online portals for DSAR submission and tracking allow data subjects to submit requests easily and track the progress of their requests in real time.
- Provide training and documentation. Regular training sessions and thorough documentation help ensure that the team is proficient in utilizing automated tools and following compliant procedures.
- Establish data retention policies. Automatically identify and delete or anonymize data that is no longer necessary. This helps you avoid penalties for improper data retention while reducing the volume of data that needs to be processed when responding to DSARs.
How can Netwrix help?
Netwrix’s compliance audit solutions help you easily comply with the DSAR provisions of data protection regulations by providing complete visibility into the data you store, both on premises and in the cloud. More broadly, however, they help you achieve and maintain compliance with a variety of mandates and industry regulations. With ready-to-use templates, robust build standards and password policies, you can quickly improve your security and compliance posture to block threats to regulated data. Moreover, they help you swiftly identify threats in progress, respond effectively and meet incident reporting deadlines.
DSAR: frequently asked questions
What is a data subject access request? A DSAR is a request an individual makes to know what data you have collected about them. Recital 63 of the GDPR states: “a data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”
How must organizations respond to DSARs? An individual who makes a DSAR is entitled to receive a confirmation that you are processing their personal data, a copy of that data, your privacy notice, and supplementary information.
What is a privacy notice? A privacy notice is a legal document that clearly explains how personal data is processed. By requiring privacy notices, the GDPR aims to add transparency to personal data processing and ensure that organizations don’t process data without a person’s knowledge or against their will. A privacy notice is not the same as a privacy policy. A privacy notice is a publicly available document, while a privacy policy is an internal document that details the organization’s privacy obligations, rules for data processing and security practices.
What supplementary data should be provided? In addition to a copy of their personal data, organizations also have to provide individuals with the following information:
- The purposes of the processing
- The categories of personal data collected
- The recipients or categories of recipient that personal data is disclosed to or shared with
- How long the personal data is held
- Advice on additional rights, such as the right to object to processing; the right to request rectification, erasure or restriction; and the right to lodge a complaint with the ICO or another supervisory authority
- Where you got their data if you did not get it directly from the data subject
- The existence of any automated decision-making
- The security measures you provide if you transfer personal data to a third country or international organization
Can an employee send their own company a DSAR? Yes. DSARs are not limited to customers; anyone whose personal data a company collects — including employees and contractors — has the right to submit one.
However, organizations can refuse to comply with a manifestly unfounded or excessive request. That requires careful case-by-case consideration and confidence in being able to explain the reasoning to authorities.
Can companies charge a fee for a DSAR? Not in most cases. However, if a request is unfounded or excessive, an organization can charge a “reasonable fee” to cover administrative costs.
How much time do you have to respond? Normally, you must respond to a DSAR within 30 days of receipt. However, if the request is large or complex, you can request an extension of two months, though you must explain the reason for the delay within the original 30-day period.
What happens if you fail to meet the deadlines? Failure to comply with a data access request within 40 days can lead to significant fines and other regulatory penalties, as well as damage to your reputation.