Data Subject Access Requests: Everything You Need to Know About DSARs

Greg Webb
August 7, 2024

10 min read


Privacy laws such as the California Consumer Privacy Act (CCPA) and the European General Data Protection Regulation (GDPR) give individuals the right to learn how companies use and process their personal information. Consumers exercise this right by making Data Subject Access Requests (DSARs).

Responding to DSARs is a time-consuming undertaking. Finding one consumer's personal information can be a monumental task, especially if a company has not inventoried its data appropriately. With potentially years of historical data and enormous numbers of data points for actions such as online purchases, companies can easily get overwhelmed. To respond efficiently and cost-effectively to DSARs, many companies need to better organize their data and put in place systems that allow them to quickly and reliably locate and produce responsive information.

But before we dive into how to respond to DSARs, let’s cover some DSAR basics.

What is a DSAR?

A DSAR is a way for a consumer to exercise their legal right to obtain their personal data held by a company and to learn how that company is using it.

With a DSAR, a consumer can ask a company to disclose the personal data it holds about them, how that data is actually used, how it is intended to be used, and why. This right is granted by data privacy laws like the CCPA and the GDPR. (In the UK, DSARs are usually called subject access requests, or SARs, and are governed by the UK GDPR.)

A DSAR is one of the more common requests companies receive under the CCPA or GDPR, so much so that large companies can be swamped by the volume.

Who Can Submit a DSAR?

Under the CCPA, DSARs can be filed by or on behalf of “consumers” — defined as any California resident.

Under the GDPR, DSARs can be filed by or on behalf of “data subjects” — identifiable individuals with related personal data.

Parents and guardians can submit a DSAR on behalf of a child. Someone holding a power of attorney, or appointed by a court to manage another person's affairs, can submit a DSAR on behalf of that person.

People entitled to submit a DSAR can do so by calling your company, sending an email, submitting a web form, or even asking in person.  

What Should Companies Include in a DSAR Response?

Your company’s response to a DSAR must provide what is considered personal data under applicable law. It need not include everything that refers to the data subject; internal memos, for example, might be exempt. Your company can redact information that is private to the company or relates to another person.

Your company generally should include the following in its DSAR response:

  • A confirmation that the company is processing the consumer’s personal data
  • A copy of or access to the personal data of the data subject
  • The purposes of the processing and its lawful basis
  • The length of the data retention period (In other words, how long the data will be stored)
  • The recipients, or categories of recipients, with whom the company shares the consumer's personal data
  • Categories of personal data used for processing
  • How the data has been obtained (If it wasn’t collected directly from the consumer)
  • Relevant information about automated decision-making, such as profiling

The DSAR Process End-to-End

Generally your company should strive to respond to a DSAR within about a month. Under the CCPA, your company has 45 days from receipt to respond; it may extend that once by a further 45 days when reasonably necessary, provided it notifies the consumer within the first 45 days.

Under the GDPR, the deadline is one month from receipt. For complex or numerous requests it can be extended by up to two further months, but only if you tell the requester about the extension, and the reasons for it, within the first month. Missing the deadline exposes the company to complaints, regulatory action, and fines.

Your company’s process for responding to a data subject access request should include the following steps:

  • Identity verification: Your company must confirm that the person requesting personal data is the data subject or has a legal right to receive the data subject's personal data. Sharing personal data with the wrong person could constitute a data breach. Ask only for as much proof of identity as is proportionate to the sensitivity of the data; collecting extra personal data just to verify a requester is itself a privacy problem.
  • Request clarification: Most of the time, consumers simply want to know what kind of personal data your company has on them. Sometimes, however, they file a DSAR in connection with another privacy right, such as the right to erasure. Confirm what the requester actually wants, and if the request is complex enough to need an extension, say so within the initial response period.
  • Data review: Carefully review the data your company plans to send. Make sure it contains only the requester's personal data and that any information about other people, or material that is exempt, has been redacted.
  • Data packaging: Deliver the data securely in a form the requester can actually use. Under the GDPR, a request made electronically should normally be answered in a commonly used electronic format unless the data subject asks otherwise. Avoid sending personal data as an unprotected email attachment; an authenticated download or an encrypted archive with the key sent separately is the usual practice.
  • Explanation of rights: Your company's response should explain the consumer's other data privacy rights (correction, erasure, objection, and so on). Send this alongside the data to the person making the request, and document that you did so.
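The deadline tracking and data-review steps above are the ones most often done by hand, and both have easy-to-miss edge cases: the GDPR "one month" clock is calendar-based (a request received on 31 January is due at the end of February), and a record that is about the requester can still mention other people. The following is an added example, not code from the original article or from any vendor product. It assumes a constructed in-memory record store in which each record is tagged with the subjects it concerns; in practice those records would come from the collection systems the article describes.

```python
"""DSAR helpers: statutory deadline calculation and third-party redaction.

Added example for the review step above; the Record store and sample
data are constructed for illustration and are not a real system.
"""
import calendar
import re
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Record:
    source: str          # system the record came from (CRM, support desk, ...)
    subject_ids: set     # ids of the people this record is about (assumed tagging)
    content: str         # free text that may mention other people


def _add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic clamped to month end (31 Jan + 1 = 28/29 Feb)."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def response_deadline(received_iso: str, regime: str, extended: bool = False) -> str:
    """Return the ISO date by which the response is due.

    GDPR Art. 12(3): one month from receipt, extendable by two further months.
    CCPA: 45 days from receipt, extendable once by a further 45 days.
    """
    received = date.fromisoformat(received_iso)
    if regime == "gdpr":
        return _add_months(received, 3 if extended else 1).isoformat()
    if regime == "ccpa":
        return (received + timedelta(days=90 if extended else 45)).isoformat()
    raise ValueError(f"unknown regime: {regime}")


def is_overdue(received_iso: str, today_iso: str, regime: str, extended: bool = False) -> bool:
    """True when the response deadline has already passed."""
    return today_iso > response_deadline(received_iso, regime, extended)


# Deliberately simple e-mail pattern; a production filter would also cover
# names, phone numbers and account ids of other people.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
REDACTED = "[REDACTED THIRD PARTY]"


def redact_third_parties(text: str, subject_emails: set) -> str:
    """Mask every e-mail address that does not belong to the data subject."""
    def mask(match):
        addr = match.group(0)
        return addr if addr.lower() in subject_emails else REDACTED
    return EMAIL_RE.sub(mask, text)


def build_disclosure(records, subject_id: str, subject_emails: set) -> list:
    """Select the records about one subject and redact other people from them.

    Records not tagged with the subject are never disclosed, even if the
    subject's e-mail appears in them; that decision belongs to a human reviewer.
    """
    wanted = {e.lower() for e in subject_emails}
    disclosure = []
    for rec in records:
        if subject_id not in rec.subject_ids:
            continue
        disclosure.append({
            "source": rec.source,
            "content": redact_third_parties(rec.content, wanted),
        })
    return disclosure


# Constructed sample data: two customers whose records overlap in the help desk.
SAMPLE_RECORDS = [
    Record("crm", {"u-1001"}, "Order #5512 shipped to alice@example.com"),
    Record("support", {"u-1001", "u-2002"},
           "alice@example.com complained about agent bob@example.com"),
    Record("crm", {"u-2002"}, "bob@example.com changed plan"),
]


if __name__ == "__main__":
    print("GDPR due:", response_deadline("2024-01-31", "gdpr"))
    print("CCPA due:", response_deadline("2024-08-07", "ccpa"))
    for item in build_disclosure(SAMPLE_RECORDS, "u-1001", {"alice@example.com"}):
        print(item)
```

The redaction step is intentionally conservative: it masks anything it cannot prove belongs to the requester, and it never pulls in a record that is not tagged with the requester, so the reviewer sees what was withheld rather than discovering a leak after delivery.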

DSARs Under the CCPA and GDPR: Key Differences

There are many similarities between the GDPR and the CCPA (sometimes called the "U.S. GDPR"). In the DSAR context, however, the differences are important to note.

Applicability

Both the CCPA and the GDPR reach well beyond their home jurisdictions, but the GDPR's scope is broader. The GDPR applies to any organization established in the EU, wherever the processing takes place, and to organizations outside the EU that offer goods or services to people in the EU or monitor their behavior there. It applies to businesses of every size and type.

The CCPA has a narrower scope. It applies to for-profit businesses that do business in California, collect California residents' personal information, and meet at least one of three thresholds: annual gross revenue above $25 million; buying, selling, or sharing the personal information of 100,000 or more consumers or households; or deriving 50% or more of annual revenue from selling or sharing personal information. (The 100,000 figure replaced the original 50,000 threshold when the CPRA amendments took effect in 2023.)

A single company can easily fall under both laws at once, for example a California business with customers in the EU, so your company must know both.

The Right to Opt Out

The right to opt out is significantly different under the two laws.

Under the CCPA, consumers can opt out of the sale or sharing of their personal information with third parties. The GDPR has no direct equivalent, but it provides other rights that cover much of the same ground, such as the right to object to processing for direct marketing and the right to withdraw consent for consent-based processing.

The Right of Rectification

Under the GDPR, companies must comply with data subjects' requests to correct inaccurate personal data or complete incomplete personal data. The original CCPA did not give consumers this right; the CPRA amendments added a right to correct inaccurate personal information, so companies subject to the CCPA must now handle correction requests too.

In addition, under the GDPR, data subjects have the right to restrict processing in certain circumstances and the right to object to processing for specific purposes, including profiling, direct marketing, and scientific or historical research. The CCPA has no general equivalent, though the CPRA added a right to limit the use of sensitive personal information.

Penalties

The GDPR takes a more proactive stance in sanctioning companies that do not comply, while CCPA enforcement is more reactive.

Under the GDPR, companies can be fined for non-compliance and for data breaches. The penalties can be as high as €20 million or 4% of global annual turnover from the previous fiscal year, whichever is higher.

Under the CCPA, the regulator can impose civil penalties for violations of the statute: up to $2,500 per violation, or $7,500 per intentional violation. Consumers' own right to sue is narrower: it applies only to data breaches caused by a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater).

Using DSAR Software to Speed Your Response

Privacy professionals know responding to DSARs is not easy. Responses can take days or weeks and carry hefty costs. A cloud-based, easy-to-use tool like Logikcull can help your company reduce the time and money it spends responding to DSARs.

With Logikcull, you can collect your company’s data directly from the source — sources such as Slack, Google Vault, and Microsoft 365. For previously exported documents, you can just drag and drop them into the platform.

When responding to a DSAR, your company can upload all its information about the consumer into Logikcull, which parses and analyzes the data using hundreds of filters and advanced searches to automatically set aside duplicate and irrelevant material. On average, only 3% of the data you collect will be relevant, so this parsing and analysis can lead to significant time and cost savings.

Logikcull also helps your company automate its data processing, allowing you to cull 60% of the documents before you even begin reviewing. The document review is streamlined with features to protect your company’s privacy, sort and tag the collected data, convert audio and video into searchable text, and thread emails — to name just a few of the capabilities available to you.

Responding to multiple DSARs can stall a company’s operations. But failing to respond promptly can cause financial and reputational damage.

Logikcull’s DSAR software provides your company with the technological solution it needs to process incoming DSARs and the peace of mind that comes with knowing your company’s DSAR response procedure complies with applicable privacy laws.

If you’d like to see how Logikcull can fit into your DSAR response process, request a demo with us today.
