With the advent of GDPR, the term DSAR was introduced. A Data Subject Access Request (DSAR) is a petition by a customer to an organization regarding personal data. DSARs give individuals the right to discover what kind of data an organization is holding about them and why the organization is holding that data, and allow them to request that the organization delete that data. The organization receiving this request is expected to complete it within the stipulated time. The steps involved in a Data Subject Access Request (DSAR) are listed below.
A data subject can make his/her request via email or an online form. The company then needs to verify the requestor's identity and existence within their data ecosystem and track the application through to resolution within the required time.
A Data Subject Access Request (DSAR) typically includes:
Seamless access to all data sources is a prerequisite for building an inventory of personal data to evaluate your privacy risk exposure and enforce privacy rules. The companies accept requests from the data subjects via online forms or emails.
The requestor's identity can be checked by asking to see a photo ID such as a passport or driving license, or a utility bill, or by requesting a face-to-face meeting with the data subject.
Once the validation is completed, the data protection officer identifies the type of request.
Based on the type of request received by the DPO, the request is forwarded to an analyst. The analyst is chosen based on the nature of the personal data requested by the data subject and the rights associated with user groups.
The personal data is collected and reviewed across all records holding information based on the type of data subject request.
Depending on the type of data subject request, the format of the data is decided. The data obtained from various third-party Data Processors needs to be organized in the requested format and reviewed by the DPO.
DPOs must make sure the information is complete and comprehensive. For complex requests, the deadlines under GDPR and CCPA can be extended, provided that you advise the requestor of the reasons for extending the time scale before the expiry of the initial 30 days.
The last step is to share the response with the data subject, ensuring you reference the original request in your response. Always keep an exact copy of all the information sent and keep a record of your response in your Data Subject Access Request log.
The final step in your journey to GDPR compliance involves auditing. All communications and activities should roll into a reporting dashboard and audit trail to demonstrate accountability, compliance, and progress towards resolving requests.