DSARs: What you need to know
A Data Subject Access Request (DSAR) is the means by which an individual asks your enterprise to disclose what personal data it holds on them and how it uses, or intends to use, that data. Submitting a DSAR is one of the data subject rights granted to consumers under data privacy laws such as the California Consumer Privacy Act (CCPA) and the European General Data Protection Regulation (GDPR). These laws not only make consumers aware of their rights over their personal data but also provide the tools necessary to exercise them.
Legal sections within the CCPA and GDPR outlining businesses’/data controllers’ responsibility to adhere to DSARs:
Cal. Civ. Code § 1798.130(a)
In order to comply with Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125, a business shall in a form that is reasonably accessible to consumers:
Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number. A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115.
Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable consumer request from the consumer. The business shall promptly take steps to determine whether the request is a verifiable consumer request, but this shall not extend the business’ duty to disclose and deliver the information within 45 days of receipt of the consumer’s request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period. The disclosure shall cover the 12-month period preceding the business’ receipt of the verifiable consumer request and shall be made in writing and delivered through the consumer’s account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance. The business may require authentication of the consumer that is reasonable in light of the nature of the personal information requested, but shall not require the consumer to create an account with the business in order to make a verifiable consumer request. If the consumer maintains an account with the business, the business may require the consumer to submit the request through that account.
Article 15 GDPR
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
The purposes of the processing;
The categories of personal data concerned;
The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
The right to lodge a complaint with a supervisory authority.
While both the CCPA and the GDPR provide consumers with mechanisms to exercise greater control over their data, there are some fundamental differences in how much power a consumer has under each law.
A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.
You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing. You can use our screening checklists to help you decide when to do a DPIA.
It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
Your DPIA must:
describe the nature, scope, context and purposes of the processing;
assess necessity, proportionality and compliance measures;
identify and assess risks to individuals; and
identify any additional measures to mitigate those risks.
To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
You should consult your data protection officer (if you have one) and, where appropriate, individuals and relevant experts. Any processors may also need to assist you.
If you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.
If you are processing for law-enforcement purposes, you should read this alongside the Guide to Law Enforcement Processing.
The ICO will give written advice within eight weeks, or 14 weeks in complex cases. If appropriate, we may issue a formal warning not to process the data, or ban the processing altogether.
☐ We provide training so that our staff understand the need to consider a DPIA at the early stages of any plan involving personal data.
☐ Our existing policies, processes and procedures include references to DPIA requirements.
☐ We understand the types of processing that require a DPIA, and use the screening checklist to identify the need for a DPIA, where necessary.
☐ We have created and documented a DPIA process.
☐ We provide training for relevant staff on how to carry out a DPIA.
☐ We consider carrying out a DPIA in any major project involving the use of personal data.
☐ We consider whether to do a DPIA if we plan to carry out any other:
  ☐ evaluation or scoring;
  ☐ automated decision-making with significant effects;
  ☐ systematic monitoring;
  ☐ processing of sensitive data or data of a highly personal nature;
  ☐ processing on a large scale;
  ☐ processing of data concerning vulnerable data subjects;
  ☐ innovative technological or organisational solutions;
  ☐ processing that involves preventing data subjects from exercising a right or using a service or contract.
☐ We always carry out a DPIA if we plan to:
  ☐ use systematic and extensive profiling or automated decision-making to make significant decisions about people;
  ☐ process special-category data or criminal-offence data on a large scale;
  ☐ systematically monitor a publicly accessible place on a large scale;
  ☐ use innovative technology in combination with any of the criteria in the European guidelines;
  ☐ use profiling, automated decision-making or special-category data to help make decisions on someone’s access to a service, opportunity or benefit;
  ☐ carry out profiling on a large scale;
  ☐ process biometric or genetic data in combination with any of the criteria in the European guidelines;
  ☐ combine, compare or match data from multiple sources;
  ☐ process personal data without providing a privacy notice directly to the individual, in combination with any of the criteria in the European guidelines;
  ☐ process personal data in a way that involves tracking individuals’ online or offline location or behaviour, in combination with any of the criteria in the European guidelines;
  ☐ process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them;
  ☐ process personal data that could result in a risk of physical harm in the event of a security breach.
☐ We carry out a new DPIA if there is a change to the nature, scope, context or purposes of our processing.
☐ If we decide not to carry out a DPIA, we document our reasons.