What is DSAR?
With the advent of GDPR, the term DSAR was introduced. A Data Subject Access Request (DSAR) is a request made by an individual (the data subject) to an organization about the personal data it holds on them. DSARs give individuals the right to find out what data an organization holds about them and why it holds that data, and to ask the organization to delete it. The organization receiving the request is expected to complete it within the stipulated time. The steps involved in handling a Data Subject Access Request (DSAR) are listed below.
A data subject can make his/her request via email or an online form. The company then needs to verify the requestor’s identity, confirm that the requestor actually exists within its data ecosystem, and track the request through to resolution within the required time.
Types of Requests Received via DSAR
A Data Subject Access Request (DSAR) typically includes:
- Contact information of the data subject (name, email, and phone number).
- A request to delete the information held about the data subject.
- Information on where the individual’s data is shared.
- Any additional context the data subject wishes to add to the request.
Steps Involved in a Data Subject Access Request (DSAR)
1. Accepting the Request
Seamless access to all data sources is a prerequisite for building an inventory of personal data, evaluating your privacy risk exposure, and enforcing privacy rules. Companies accept requests from data subjects via online forms or emails.
2. Verifying the Identity
The requestor’s identity can be checked by asking to see a photo ID, such as a passport or driving license, or a utility bill, or by requesting a face-to-face meeting with the data subject.
3. Identifying the Type of Request
Once identity validation is complete, the data protection officer (DPO) identifies the type of request.
4. Assigning the Request
Based on the type of request received, the DPO forwards it to an analyst. The analyst is chosen according to the nature of the personal data requested by the data subject and the rights associated with the relevant user groups.
5. Collection of Data
The personal data is collected and reviewed across all records holding information about the data subject, according to the type of request.
6. Packaging the Data
The format of the data is decided by the type of data subject request. Data obtained from the various third-party Data Processors needs to be organized in the requested format and reviewed by the DPO.
7. Add Additional Information
DPOs must make sure the information is complete and comprehensive. For complex requests, the deadlines under GDPR and CCPA can be extended, provided that you advise the requestor of the reasons for extending the timescale before the initial 30 days expire.
8. Deliver the Data
The last step is to share the response with the data subject, making sure you reference the original request in your response. Always keep an exact copy of all the information sent, and record your response in your Data Subject Access Request log.
9. Document the DSARs
The final step in your journey to GDPR compliance involves auditing. All communications and activities should roll into a reporting dashboard and audit trail to demonstrate accountability, compliance, and progress towards resolving requests.