A Data Subject Access Request (DSAR) is the means by which individuals request that your enterprise discloses what personal data it holds on them and how you use or intend to use it. Submitting DSARs is one of the Data Subject Rights granted to consumers under data privacy laws such as the California Consumer Privacy Act (CCPA) and the European General Data Protection Regulation (GDPR). These laws not only give consumers awareness about their rights over their personal data but also provide the tools necessary to exercise them.
Article 15 GDPR Cookie consent
The Data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
The purposes of the processing;
The categories of personal data concerned;
The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or Data protection impact assessment to such processing;
The right to lodge a complaint with a supervisory authority;
Where the personal data are not collected from the data subject, any available information as to their source;
The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. 3Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
DSARs give consumers unprecedented control over their personal information stored by organizations, from access to data and requesting information on stored data to requesting information security policy for small business on the data safeguards the organization provides. With CCPA, consumers can request DSARs twice a year at no cost whatsoever.
Many expect that the number of receiving DSARs have increased significantly after CCPA. So let’s explore what is required and how to prepare:
Responding to a Data Subject Request
Organizations have 45 days to respond and fulfill a customer’s data subject request, in a transferable electronic format. These obligations may vary depending on the customer’s request and how their information is handled.
Manage Deletion Requests
Deletion requests involve not only team members from within the organization, but also all third-party vendors and partners with whom the personal information has been shared.
Communicating with the Consumer
CCPA requires the disclosure of rights and communication about DSARs, as does the GDPR Policy Template. The rights given to consumers under CCPA and GDPR are similar but not identical. This means that organizations will need to change their communication accordingly.