As more and more organizations collect and process personal data, the right to access this data has become increasingly important. A Data Subject Access Request (DSAR) is a legal right that allows individuals to request access to the personal data that an organization holds. It is a fundamental right under data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
This guide will provide an overview of DSARs and how they work, as well as tips for organizations on how to handle them. If this information is insufficient, read Ethyca’s article on DSARs.
What Is a Data Subject Access Request (DSAR)?
A Data Subject Access Request (DSAR) is a request made by an individual to an organization for access to their personal data. The DSAR can be submitted either verbally or in written form, and it is mandatory for the organization to provide a response within a specified time limit. As per GDPR regulations, the organization must respond within 30 days of receiving the request, whereas, according to CCPA, a response must be provided within 45 days. However, some other laws, such as the UK Data Protection Act 2018, may provide different time limits. It is important to check the relevant law for your organization.
What Information Should Be Included in a DSAR?
A DSAR should include enough information to allow the organization to identify the individual and locate their personal data. This may include:
- The individual’s full name and contact details
- Any previous names or addresses
- Any reference numbers or identifiers that the organization may have assigned to the individual
- A clear description of the data being requested
It is important for organizations to verify the identity of the requester before responding to the request. This is to ensure that the personal data is only provided to the correct individual and not to someone else who may be trying to access it fraudulently.
How Should Organizations Respond to a DSAR?
When an organization receives a DSAR, it must respond within the specified time frame. The response should include all of the personal data that the organization holds about the individual unless there are legal exemptions that apply.
It is important for organizations to consider the format in which they provide the data. For example, if the individual requests electronic copies of their data, the organization should provide it in a commonly used electronic format, such as PDF or Excel. If the individual requests access to their data in a particular format, the organization should try to accommodate this request where possible.
What Are the Legal Exemptions to a DSAR?
There are some legal exemptions that may apply to a DSAR. These include:
- National security: providing access to personal data would compromise national security or defense.
- Crime prevention or detection: providing access to personal data would prejudice the prevention or detection of crime.
- Legal proceedings: providing access to personal data would prejudice ongoing legal proceedings or legal advice privilege.
- Regulatory functions: providing access to personal data would prejudice the performance of a regulatory function.
It is important for organizations to be aware of these exemptions and to seek legal advice if they are unsure about whether they apply.
Tips for Organizations on How to Handle DSARs
Here are some tips for organizations on how to handle DSARs:
- Establish a DSAR policy: Develop a DSAR policy that outlines the process for handling DSARs and ensure that all staff are aware of it.
- Train staff: Train staff on how to handle DSARs and ensure that they understand the importance of protecting personal data.
- Keep accurate records: Keep accurate records of all DSARs and the responses that were provided.
- Verify identities: Verify the identity of the requester before responding to the request.
- Work with IT: Work with IT to ensure that personal data can be easily located and retrieved in response to a DSAR.
- Seek legal advice: Seek legal advice if you are unsure about how to handle a particular request.