A DSAR is a request from someone whose data you store (called a data subject) to your organization. They can submit this request at any time, and you are obligated to respond with a copy of any relevant information you hold on them. Data subject requests aren’t new; organizations and governments have handled them for years.
Under the General Data Protection Regulation (GDPR) established by the EU, individuals or “data subjects” can request to access a copy of their personal data that a company stores and processes. It allows consumers the right to understand how their information is being used by the company that holds the data. This request to access an individual’s personal data from a data controller is called the Data Subject Access Request (DSAR).
This right of consumers to access their information is not new, but the GDPR makes the rules a lot more stringent for companies.
How does the DSAR impact companies?
Though the right to access existed under the old regulations as well, access requests were less common. Under the GDPR, a company or data controller can no longer charge a fee for giving access to an individual’s data, which makes receiving DSARs more likely.
The GDPR has also received tremendous media coverage and publicity, making consumers more aware of the rights that it provides. The more the consumers are aware of their rights and the protection that GDPR provides them, the more likely they would want to exercise those rights.
Organizations that receive a DSAR have to respond. If a company fails or refuses to respond to a valid access request, it is liable to very strict action. A company has to respond within one month of receiving a data access request. Failing to respond could mean having to pay huge administrative fines under the GDPR: up to 20 million Euros or 4% of your annual global turnover.
How to respond to a DSAR?
Responding to a DSAR in merely one month may be a challenge for most companies. You need to be aware of the correct process of responding to a DSAR so that you don’t make any mistakes and can respond in time to avoid any fines.
The first thing that you need to do on receiving a DSAR is to verify the applicant’s identity. Disclosing anyone’s personal information without verifying may result in sensitive data falling into the wrong hands and will be treated as a breach of the GDPR. If you are not able to verify the identity of an applicant, you may refuse to entertain the request. But in such a case, you have to be able to demonstrate why the identity was not verifiable.
Any decision that you take at any point on receiving a DSAR must be documented. The documented proof will be necessary if you have to justify your actions in front of the Information Commissioner’s Office.
The next big challenge is finding out where the requested data is located and gathering it within the stipulated time. This can be a very tedious and time-consuming process. The best way to ensure that you can respond to any possible DSAR on time is to maintain an efficient data inventory. Having a system for sorting and filtering the information that you store, or a data mapping process, is crucial in such situations.
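The three steps above (verify identity, document every decision, locate the data through a data inventory) map naturally onto a small workflow helper. The following Python is an added example, not code from the article or from any DSAR product: it computes the one-month response deadline, keeps an audit log of each decision so a refusal can be justified later, and compiles the subject's records from a data inventory. The inventory, email addresses and verification methods are constructed for the example; a real inventory would be built from the organization's own records of processing.

```python
"""DSAR workflow helper (added example): deadline tracking, decision audit log,
and data-inventory lookup for a single access request."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date

# Constructed data inventory (the "data map" from the text): system -> records held.
# Each record notes which fields are stored, for what purpose, and for how long.
INVENTORY = {
    "crm": [
        {"email": "alice@example.com", "fields": ["name", "address"],
         "purpose": "customer account", "retention_days": 730},
        {"email": "bob@example.com", "fields": ["name"],
         "purpose": "customer account", "retention_days": 730},
    ],
    "newsletter": [
        {"email": "alice@example.com", "fields": ["email"],
         "purpose": "marketing", "retention_days": 365},
    ],
}


def add_one_month(received: date) -> date:
    """Date one calendar month after `received`, clamped to the last day of the
    target month (31 Jan -> 28/29 Feb). Assumes 'one month' means a calendar month."""
    year, month = divmod(received.month, 12)
    month += 1
    year += received.year
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


@dataclass
class DSAR:
    subject_email: str
    received: date
    verified: bool = False
    audit_log: list = field(default_factory=list)

    @property
    def deadline(self) -> date:
        return add_one_month(self.received)

    def log(self, decision: str, reason: str, on: date | None = None) -> None:
        # Every decision is recorded so it can be justified to the supervisory authority.
        self.audit_log.append({"date": on or date.today(), "decision": decision, "reason": reason})

    def record_identity_check(self, method: str, passed: bool, reason: str,
                              on: date | None = None) -> None:
        # The method and outcome are logged whether or not verification succeeded;
        # a failed check must carry the reason the identity was not verifiable.
        self.verified = passed
        self.log("identity verified" if passed else "identity not verified",
                 f"{method}: {reason}", on)

    def compile_response(self, inventory: dict = INVENTORY, on: date | None = None) -> dict:
        """Gather everything held on the subject, or refuse if identity is unverified."""
        on = on or date.today()
        if not self.verified:
            self.log("request refused", "identity could not be verified", on)
            return {"status": "refused", "reason": "identity not verified"}
        hits = [
            {"system": system, **{k: v for k, v in rec.items() if k != "email"}}
            for system, records in inventory.items()
            for rec in records
            if rec["email"].lower() == self.subject_email.lower()
        ]
        self.log("response compiled",
                 f"{len(hits)} record(s) found across {len(inventory)} systems", on)
        return {
            "status": "late" if on > self.deadline else "on time",
            "processing_confirmed": bool(hits),   # "do you process my data?"
            "records": hits,                      # what, why, and for how long
            "deadline": self.deadline.isoformat(),
        }


if __name__ == "__main__":
    req = DSAR("Alice@example.com", date(2024, 1, 31))
    req.record_identity_check("email challenge", True, "link clicked", on=date(2024, 2, 2))
    print(req.compile_response(on=date(2024, 2, 10)))
    print(req.audit_log)
```

The email comparison is case-insensitive so a subject who signs up as `Alice@` and requests as `alice@` gets every record; a real implementation would match on whatever identifier the inventory keys records by. Note that `compile_response` on an unverified request never touches the inventory, and both the refusal and its reason land in the audit log.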
What to include in your response to a DSAR?
What you need to produce against a DSAR depends on what the applicant has asked for. Usually, applicants ask for a complete list of the personal information that the data controller holds on them. But sometimes, they may ask for specific information, such as:
Confirmation that you do process their data.
How long you store their data.
Conclusion
Now that consumers have total liberty to access their personal data and know how it is processed, companies too have to learn to be more transparent and systematic in their approach to storing data. It is important to know what you must and what you need not share under a DSAR. So, make sure to do some research beforehand.