Common Problems in Handling Data Subject Access Request (DSAR)

Understanding Data Subject Access Request (DSAR)

A Data Subject Access Request (DSAR) refers to an individual (data subject) submitting a request to a business, seeking information about the personal data collected and stored concerning them, as well as its usage. Through a DSAR, data subjects can also make specific requests regarding their data, such as deletion of their information, correction of any inaccuracies, or opting out of future data collection.  

DSAR under CCPA vs. GDPR  

DSAR (Data Subject Access Request) under CCPA (California Consumer Privacy Act) and GDPR (General Data Protection Regulation) are similar in their fundamental concept, aiming to empower individuals to have more control over their personal data. However, there are some key differences in their scope, requirements, and application.

Scope:

• GDPR: The GDPR is a comprehensive data protection regulation applicable to all European Union (EU) member states and also to organizations outside the EU that handle the personal data of EU residents.
• CCPA: The CCPA is a state-level privacy law that applies specifically to businesses operating in California or handling personal information of California residents.

Applicability:

• GDPR: The GDPR applies to both data controllers (organizations that determine the purpose and means of data processing) and data processors (entities processing data on behalf of data controllers).
• CCPA: The CCPA applies to businesses that meet specific criteria, such as having an annual gross revenue above a certain threshold or handling the personal data of a certain number of California residents.

Rights Granted:

• GDPR: The GDPR grants several rights to data subjects, including the right to access their personal data, the right to rectify inaccurate data, the right to erasure (also known as the "right to be forgotten"), and the right to data portability, among others.
• CCPA: The CCPA grants consumers the right to know what personal information is being collected about them, the right to delete their personal information, the right to opt-out of the sale of their information, and the right to non-discrimination for exercising their privacy rights.

Notice and Consent:

• GDPR: The GDPR emphasizes obtaining explicit and informed consent from data subjects for processing their personal data and requires organizations to provide clear and transparent privacy notices.
• CCPA: The CCPA requires businesses to inform consumers about the categories of personal information collected, the purposes for which it is used, and the categories of third parties with whom it is shared.

Penalties and Fines:

• GDPR: Non-compliance with the GDPR can result in significant fines, up to €20 million or 4% of the global annual turnover, whichever is higher.
• CCPA: The CCPA provides for civil penalties of up to $7,500 per violation for intentional violations and $2,500 per violation for non-intentional violations.

In summary, while both the GDPR and CCPA grant data subjects certain rights and focus on privacy protection, they have distinct scopes and requirements. Organizations operating in either the EU or California (or both) must ensure compliance with the respective regulations and be prepared to handle DSARs in accordance with the applicable law.

Interesting read: Data Subject Access Requests (DSARs) - How To Review Them
‍

Common Problems in Handling Data Subject Request

• DSAR Legitimacy Verification:  
  One of the common challenges in handling Data Subject Access Requests (DSARs) is verifying the legitimacy of the requests. Organizations must ensure that the request is genuinely coming from the data subject or their authorized representative. Failure to properly verify DSARs can lead to unauthorized access to personal data or potential privacy breaches.  
  ‍
• Third-Party Communication on Data Deletions:  
  In some cases, DSARs may involve the deletion of personal data held by third-party vendors or partners. Communicating with these external entities to fulfill the data deletion requests can be complex and time-consuming. Ensuring that all relevant third parties comply with the DSAR requirements and complete data deletions in a timely and accurate manner can pose a challenge.  
  
• Audit Documentation and Exception Management:  
  Keeping comprehensive audit documentation of DSAR processes is essential for regulatory compliance and accountability. Organizations need to track the progress of DSAR requests, document actions taken, and address any exceptions or special cases that arise. Failure to maintain proper records and effectively manage exceptions can create compliance gaps and increase the risk of legal repercussions.  
  
• Performance Measurement and Deadline Adherence:  
  Efficiently handling DSARs requires adherence to specific timelines set by privacy regulations. Organizations must respond to DSARs within the specified time frames, which may vary depending on the applicable laws. Measuring the performance of DSAR processes and ensuring timely responses can be challenging, especially for organizations dealing with a high volume of requests.

Risks To Be Considered When Responding To DSAR

• Unauthenticated or Missed Requests:
  Organizations can miss out on essential requests unless they have the right automation setup. Also, it is impossible to verify the identity of the requestor and trust him/her without proper authentication.
  
• Security in Data Tracking:
  All data subject access requests need to be efficiently managed by the company to meet the given deadlines. Systems responsible for managing the DSARs need to keep personal data encrypted and centralized.
  
• Security in Data Audits:
  Approvals need to be tracked and audited by the businesses.
  
• Security During Authentication:
  If data is delivered to the wrong person, it could have dire consequences for the business as well as the original requestor.

To overcome these challenges, organizations need well-defined DSAR workflows, robust data management systems, and clear communication channels with third parties. Investing in automated DSAR solutions and ensuring that employees are trained in data protection and compliance can also significantly improve DSAR handling efficiency and accuracy. Properly addressing these common problems will help organizations fulfill their data subject obligations, protect data privacy, and maintain compliance with relevant data protection regulations.  

Also read: Steps Involved In A Data Subject Access Request (DSAR)

The Protecto Advantage

Trying to manually handle DSAR and address the above problems will cost your company both time and resources and will not be scalable. We offer tools and services to handle a Data Subject Access Request and automate steps.  

At Protecto, we can help you address all of the problems that arise in handling a DSAR and save you significant capital.  Unlike many software solution providers, our tools come with technical services that will help you customize and automate workflows to address your individual needs. Schedule a demo or start a free trial today to know more.

Frequently asked questions on Data Subject Access Request (DSAR)

What is a Data Subject Access Request (DSAR)?

A Data Subject Access Request (DSAR) is a request made by an individual (data subject) to an organization, asking for access to the personal data the organization holds about them.

Under what data protection regulations do individuals have the right to make DSARs?  

Individuals have the right to make DSARs under data protection regulations like the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States, and similar data protection laws in other jurisdictions.

Who can submit a DSAR?

Any individual whose personal data is collected can submit a DSAR, including employees, contractors, suppliers, partners, and customers. The request can be made by the individual themselves or on their behalf by someone else.

A DSAR can be submitted through various means, either in written form or verbally, such as over the phone or by completing a web form. It can be communicated through any channel, including social media, and directed to any person within the organization, like the marketing department.

What information can be requested through a DSAR?  

With a DSAR, individuals can request to know what personal data is being processed about them, the purpose of processing, categories of data, recipients of data, and the right to obtain a copy of the data.

What are the benefits of DSAR?

DSAR empowers consumers with unparalleled control over their personal information held by organizations. Through DSARs, consumers can access their data, inquire about the stored information, and even request details regarding the data protection measures implemented by the organization.

Who is responsible for DSAR?

The fulfillment of a DSAR is typically the responsibility of an organization's data protection officer (DPO), assuming the organization has appointed one. In the absence of a DPO, this duty should be assigned to someone within the workforce who possesses knowledge and understanding of data protection.

How can organizations prepare for handling DSARs effectively?  

Organizations should establish clear DSAR procedures, educate employees about handling DSARs, implement data access request workflows, and ensure proper data governance practices to facilitate timely and compliant responses.