Data subject access requests (DSARs) are crucial for individuals to discover what personal data an organization holds about them. The DSAR helps people hold companies to account.
Dealing with DSARs can be time-consuming and resource-intensive, depending on the context of the organization and the efficiency of the response process.
However, failing to fulfil a valid DSAR is a legal violation and can lead to regulatory action. And beyond legal compliance, getting DSARs right can help build customer trust and encourage good data protection practices.
What is a DSAR?
A DSAR is a way for an individual to request a copy of the information an organization holds about them. DSARs also enable a person to request additional information about how the organization processes their personal data.
There are data protection rights alongside the right of access, such as the “right to erasure” and the “right to correction”. This article will focus on DSARs, but many of the same principles apply to other data protection rights.
The term ‘DSAR’ derives from the EU General Data Protection Regulation (GDPR), which refers to individuals as “data subjects”. The DSAR is part of the GDPR’s “right of access”. However, as we’ll see below, DSARs are part of practically every data protection and privacy law worldwide.
Data protection law requires organizations to facilitate DSARs on behalf of individuals. Under the GDPR and many other laws, the organization must provide access to a person’s data free of charge and within a specified timeframe.
Which laws include a ‘right of access’?
The “right of access” is a worldwide staple of data protection and privacy laws. Here are just some of the jurisdictions and laws that recognize a right of access:
In the US, new state privacy laws in Colorado, Connecticut, and Utah will include a right of access.
Various US sectoral laws, including the Health Insurance Portability and Accountability Act (HIPAA) and the Children’s Online Privacy Protection Act (COPPA), also recognize the right of access.
What data do we have to provide under a DSAR?
Most people use a DSAR to request a copy of the personal data an organization holds about them. Many data protection laws, including the GDPR, also require organizations to provide other information, such as:
- Where you obtained the personal data.
- Who you will share the personal data with.
- How long you will store the personal data.
By default, you should provide any requested personal data about the individual. But there are some important exceptions:
- You shouldn’t normally reveal personal data relating to anyone other than the individual unless the other people have consented. The UK’s Information Commissioner’s Office (ICO) provides some guidance on this issue.
- If the individual has asked for a lot of personal data, you can ask them to narrow the request down.
You might also have grounds to refuse the request (see below).
Responding to a DSAR
Under the GDPR, you must respond to a DSAR “without undue delay” and within a maximum of one month. You can extend this period by a further two months where necessary, as long as you notify the individual.
Other laws have different time limits. Under US state privacy laws, including California’s CCPA and Virginia’s VCDPA, you have 45 days. In Canada, the deadline is 30 days, and in Australia, you must respond as soon as “reasonably possible”.
You must verify a person’s identity before responding to a request. The rules on verification vary between countries. Under the GDPR, you should not request any more information than is necessary to verify the person’s identity. Don’t ask for ID unless you need it.
Some companies set up “self-service” portals where individuals can download their data. This method can help improve transparency and convenience. But you must still respond if you receive a DSAR via another medium (e.g. email or phone).
Can we refuse a DSAR?
Under the GDPR, you can refuse to facilitate a DSAR or charge a reasonable fee if the request is “manifestly unfounded or excessive”. Under other laws, such as California’s CCPA, you only need to respond to a request twice per year. You must explain why you have refused the request.
Think carefully before refusing a DSAR. Even if you are legally entitled to refuse a request, doing so might harm your relationship with a customer or damage your company’s reputation.
Ultimately, it’s better to create a simple and easy DSAR response process so that you will be less likely to refuse a request.
How DSARs can be a business advantage
Many people lodge DSARs because they suspect an organisation is mishandling their personal data. Failing to respond properly (or worse, at all) to a DSAR can damage your reputation.
DSARs are the most common cause of complaints to European data protection authorities (DPAs). For example, the Irish Data Protection Commission (DPC)’s latest annual report reveals that 42% of complaints received in 2022 were related to DSARs (1,142 DSAR complaints).
Transparency requirements can lead to better data protection and privacy practices. Being ready to respond to DSARs might encourage you to better care for your customers personal data.