Protecto

Steps Involved in a Data Subject Access Request (DSAR)

What is DSAR?

With the advent of GDPR, the term DSAR was introduced. A Data Subject Access Request (DSAR) is a petition by a customer to an organization regarding their personal data. DSARs give individuals the right to discover what data an organization holds about them and why it holds that data, and allow them to request that the organization delete it. The organization receiving the request is expected to complete it within the stipulated time. The steps involved in a Data Subject Access Request (DSAR) are listed below.

Source: Wirewheel

A data subject can make their request via email or an online form. The company then needs to verify the requestor's identity and their presence within its data ecosystem, and track the request through to resolution within the required time.

Types of Requests Received via DSAR

A Data Subject Access Request (DSAR) typically includes:

  • Contact information of the data subject (name, email, and phone number).
  • A request to delete the data subject's information.
  • A request for information on where the individual's data is shared.
  • Any additional context the data subject wishes to add to the request.

Steps Involved in a Data Subject Access Request (DSAR)

Source: Wirewheel

1. Accepting the Request

Seamless access to all data sources is a prerequisite for building an inventory of personal data, evaluating your privacy risk exposure, and enforcing privacy rules. Companies accept requests from data subjects via online forms or emails.

2. Verifying the Identity

The requestor's identity can be checked by asking to see a photo ID (such as a passport or driving license) or a utility bill, or by requesting a face-to-face meeting with the data subject.

3. Identifying the Type of Request

Once the validation is completed, the data protection officer identifies the type of request.

4. Assigning the Request

Based on the type of request received, the DPO forwards it to an analyst. The analyst is chosen according to the nature of the personal data requested by the data subject and the rights associated with the user groups involved.

5. Collection of Data

The personal data is collected and reviewed across all records holding information based on the type of data subject request.

6. Packaging the Data

The format of the data is decided by the type of data subject request. Data obtained from the various third-party data processors needs to be organized in the requested format and reviewed by the DPO.

7. Add Additional Information

DPOs must make sure the information is complete and comprehensive. For complex requests, the deadlines under GDPR and CCPA can be extended, provided that you advise the requestor of the reasons for extending the time scale before the initial 30 days expire.

8. Deliver the Data

The last step is to share the response with the data subject, making sure you reference the original request in your response. Always keep an exact copy of all the information sent, and record your response in your Data Subject Access Request log.

9. Document the DSARs

The final step in your journey to GDPR compliance involves auditing. All communications and activities should roll into a reporting dashboard and audit trail to demonstrate accountability, compliance, and progress towards resolving requests.
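The nine steps above form one workflow, so a single worked example is the most useful illustration. The following Python module is an added example, not Protecto's or Wirewheel's code: it models a DSAR as a state machine that only moves forward through the stages, computes the initial 30-day deadline from the date of receipt, enforces the step 7 rule that an extension only counts if the requestor is notified before the initial deadline expires, and keeps an append-only audit trail in which every entry references the original request id (step 8 and step 9). The stage names, request ids, dates and the `Dsar` class itself are constructed for the example.

```python
"""Minimal DSAR tracker (added example; not the page's or any vendor's code).

Maps the nine-step workflow onto a forward-only state machine with a
response deadline, the notify-before-expiry extension rule and an
append-only audit trail keyed by the original request id. All ids and
dates used here are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class Stage(Enum):
    RECEIVED = "received"      # step 1: request accepted via form or email
    VERIFIED = "verified"      # step 2: requestor identity verified
    ASSIGNED = "assigned"      # steps 3-4: request typed and handed to an analyst
    COLLECTED = "collected"    # step 5: data gathered across all records
    PACKAGED = "packaged"      # steps 6-7: formatted, completed, reviewed by DPO
    DELIVERED = "delivered"    # step 8: response sent, copy retained
    CLOSED = "closed"          # step 9: documented in the audit trail


# The only permitted transitions; anything else is a workflow error.
NEXT = {
    Stage.RECEIVED: Stage.VERIFIED,
    Stage.VERIFIED: Stage.ASSIGNED,
    Stage.ASSIGNED: Stage.COLLECTED,
    Stage.COLLECTED: Stage.PACKAGED,
    Stage.PACKAGED: Stage.DELIVERED,
    Stage.DELIVERED: Stage.CLOSED,
}

INITIAL_WINDOW_DAYS = 30  # the "initial 30 days" the text refers to


@dataclass
class Dsar:
    request_id: str            # constructed id, e.g. "DSAR-0001"
    request_type: str          # e.g. "access", "erasure", "disclosure"
    received: date
    stage: Stage = Stage.RECEIVED
    deadline: Optional[date] = None
    extended: bool = False
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.deadline is None:
            self.deadline = self.received + timedelta(days=INITIAL_WINDOW_DAYS)
        self.log(self.received, "received", f"type={self.request_type}")

    def log(self, when: date, event: str, detail: str = "") -> None:
        # Append-only: each entry carries the original request id so the
        # reporting dashboard can rebuild the history per request.
        self.audit.append((self.request_id, when.isoformat(), event, detail))

    def advance(self, when: date, actor: str) -> Stage:
        """Move to the next stage; refuses to reopen a closed request."""
        nxt = NEXT.get(self.stage)
        if nxt is None:
            raise ValueError(f"{self.request_id} is already closed")
        self.log(when, f"{self.stage.value}->{nxt.value}", f"by {actor}")
        self.stage = nxt
        return nxt

    def extend(self, notified_on: date, extra_days: int, reason: str) -> bool:
        """Extend the deadline once, and only if the requestor was told in time."""
        if self.extended or notified_on > self.deadline:
            self.log(notified_on, "extension_rejected", reason)
            return False
        self.deadline += timedelta(days=extra_days)
        self.extended = True
        self.log(notified_on, "extension_notified", f"+{extra_days}d: {reason}")
        return True

    def overdue(self, today: date) -> bool:
        """True when the response is still pending past the deadline."""
        return self.stage not in (Stage.DELIVERED, Stage.CLOSED) and today > self.deadline


if __name__ == "__main__":
    req = Dsar("DSAR-0001", "access", date(2024, 1, 10))
    req.advance(date(2024, 1, 11), "dpo")
    req.extend(date(2024, 2, 1), 30, "data held by several third-party processors")
    for entry in req.audit:
        print(entry)
```

The `extend` method is where the step 7 caveat lives: a notification dated after the initial deadline is logged as rejected rather than silently accepted, so the audit trail records both the attempt and why the deadline did not move.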