DSAR (Data Subject Access Request)

Recognize, Handle, and Respond to the DSARs Efficiently

What is a Data Subject Access Request (DSAR)?

A Data Subject Access Request (DSAR) is a request addressed to an organization through which individuals exercise their right to access information about the personal data the organization is processing about them. Individuals can exercise that right easily, at reasonable intervals, to verify the lawfulness of the processing.

Every individual has the right to know and obtain information about the purposes of personal data processing.

How should data controllers fulfill a DSAR?

In many organizations, the Data Protection Officer or DPO (someone whose job is to ensure that the organization is correctly protecting personal data according to the prevailing local legislation) is responsible for handling DSARs. Whatever the case may be, there should be someone designated within the organization to oversee DSAR processes, document all requests to demonstrate accountability and compliance, and ensure responses are provided within agreed timeframes.

Since time is of the essence when responding to a DSAR, it’s a good idea to have an established DSAR process in place beforehand so that access requests are dealt with promptly. The following steps are recommended when dealing with a DSAR:

1. Verify the subject’s identity:

The first step in dealing with a request is to verify the requester’s identity to ensure you are not dealing with an impostor. If you send subject data to the wrong person, you may commit a data breach. Once you have verified the requester’s identity, you can then determine whether you have all the information you need to fulfill the request before securely distributing the information.

2. Understand the nature of the request:

Review the DSAR to determine what the requester wants to know. Is it merely an access request, or are they invoking other rights such as erasure or the correction of inaccurate data? You also need to establish how long it will take you to respond to the request, so you know whether you’ll need more time. If more time is required to respond, explain this to the data subject and ask for an extension.

3. Inspect the data:

Once you have collected the data, check whether the data needs to be amended. Before sending the data to the data subject, you’ll need to scrutinize it to ensure that it doesn’t include data about any other data subjects; otherwise, you may be committing a data breach.

4. Package the data:

Once you’ve collected all the data, determine the most appropriate format in which to provide the information. This will depend on the kind of information you’re providing, and the format must be something familiar and easily accessible.

5. Send the data to the subject:

The final step is to send your response to the data subject. Document your communications with requesters, so there’s an audit trail to demonstrate accountability and compliance. Before sending the information, ensure the data subjects know their rights, including the right to complain. Where possible, it is recommended that you give data subjects secure remote access to download their data.

Who Can Submit a DSAR?

If for-profit or non-profit organizations collect personal data, anyone whose data is processed and stored can submit a DSAR. That includes employees, contractors, suppliers, partners, customers, etc. A request can be submitted by an individual or by someone else acting on that person’s behalf.

Responding to a DSAR

Businesses must promptly respond to DSAR submissions. That means adhering to the window given to process the DSAR (for example, 30 days for GDPR and 45 days for CCPA), as well as other important deadlines.

DSAR Response Process

Businesses must respond to a DSAR in a prescribed amount of time once a submission is received. To do this, a DSAR response process should be put into place. It provides the framework needed to manage responses in an orderly fashion with minimal disruption.

Key considerations for a DSAR response process are:

Benefits of DSAR Outsourcing

Allowing the DPOsphere team to process and respond to your DSARs can spare your internal resources the hassle and distraction. Our DSAR service is used by organisations that receive DSARs only occasionally, those that are struggling to comply with the required response time frames, and those that are at a high risk of scrutiny due to previous infringements. If you expect to see an increase in the number of requests due to employee issues or you are looking for an “overflow” resource for your in-house team, our DSAR service will be of significant benefit to you.

DPOsphere Data Subject Access Requests (DSARs) Services

Your data subjects have the right to know that your organization is processing their personal data, and may request a copy of such personal data in the form of a Data Subject Access Request (DSAR). DPOsphere’s outsourced DSAR services can help you recognize, handle, and respond to the DSARs you receive.