Recital 63 of the GDPR states:
“A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”
Section 2 of the CCPA also establishes a similar right:
“[...] It is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights: [...] (4) The right of Californians to access their personal information.”
A DSAR is a request from someone you store data on (called a data subject) to your organization. They can submit this request at any time. You are obligated to respond with a copy of any relevant information you have on the subject.
DSARs aren’t new. Organizations and governments have used them for years. But recent consumer data privacy regulations introduced several changes that made it easier for individuals to make requests. The changes go a long way toward transparency in data processing, but they create some challenges for organizations like yours.
A DSAR typically requests a complete list of all personal information you have on a subject. But in some cases, the subject may request only specific details. You are obligated to provide whatever information the subject requests.
Subjects can request to know the following:
Confirmation that you process their personal data.
Access to their personal information.
Your lawful basis for processing their data.
The period for which you’ll store their data (or the criteria you’ll use to determine that period, e.g. “as long as you’re a customer”).
Any relevant information about how the data was obtained.
Any relevant information about automated decision-making and profiling.
The names of any third parties you share their information with.
Individuals do not need a reason to submit a DSAR. Subjects can request to see their data at any time. Organizations may only ask questions that verify the subject’s identity and help them locate the requested information.
Admittedly, this is a burden, especially if you don’t keep all of a subject’s personal information in one convenient place. You may have to implement a data mapping process to keep track of data and where it’s kept, as well as a reporting tool to pull information from multiple sources and generate a DSAR response.
While it’s important to respond to most DSARs, you don’t have to respond to everyone. Your organization can refuse to comply for two reasons:
The request is manifestly unfounded, meaning the requester doesn’t intend to exercise their right of access appropriately. For instance, they might plan to use the request to make unsubstantiated claims against the organization.
The request is excessive. For instance, an excessive request is one that overlaps with another recently submitted request.
That said, be careful about refusing to respond to a DSAR. It’s difficult to prove whether a request is unfounded or excessive: there aren’t any specific definitions or examples of what qualifies for those exceptions, and the exceptions apply differently to each organization.
For example, submitting a DSAR every month to a global business intelligence company that tracks hundreds of data points may not be excessive, but submitting at that frequency to a local gym that only has names and email addresses would be excessive.
Additionally, you aren’t allowed to create a blanket policy that sets criteria for “acceptable” DSARs. You must instead consider each request on a case-by-case basis. If you decide to refuse a DSAR, you should be absolutely confident in your ability to explain the reason for the refusal to authorities.
At face value, responding to a DSAR sounds straightforward. The challenge, however, is finding the personal information you’re supposed to turn over. There’s been a massive growth in data collection and proliferation over the last decade, but organizations tend to pay little attention to data governance and management. Basically, data is everywhere, but most organizations don’t have it inventoried.
For instance, a single payment transaction may trigger a dozen systems, each with its own unique data points. Someone has to be aware of all of those systems so they can dig through each in order to respond properly to a DSAR. And like most companies, you probably rarely get rid of any of your data, so there’s a lot to sort through.
Responding to DSARs, therefore, requires a careful understanding of what personal information you store, where it’s located, and its purpose. You may have to implement data governance policies to ensure you respond to DSARs appropriately and can defend yourself if you’re ever brought before regulators.
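The data-mapping and reporting approach described above can be sketched in code. The following is an added illustrative example, not code from the original article or from any particular product: it assumes a small “data map” registry in which every system holding personal data is described by the subject identifier it is keyed on, its purpose, lawful basis, retention rule, data source, third-party recipients and automated decision-making, plus a lookup function. The three systems (CRM, billing, support), their records and the third-party name are constructed sample data. The assembler walks the map for one verified subject, records which systems could not be searched because no matching identifier was supplied, and can narrow the output to the specific categories the subject asked for.

```python
"""Illustrative DSAR response assembler (added example, not from the original article).

Assumptions not present in the source text: a data-map registry describing each
system that holds personal data, and a per-system lookup function. The systems
below are in-memory dictionaries constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable

# Constructed sample data stores standing in for real systems.
CRM = {"cust-1001": {"name": "A. Example", "email": "a.example@example.invalid"}}
BILLING = {"a.example@example.invalid": [{"invoice": "INV-7", "amount": 19.99}]}
SUPPORT = {"a.example@example.invalid": [{"ticket": "T-42", "subject": "Login issue"}]}

# Categories a subject may ask for; they mirror the list of things subjects can request.
CATEGORIES = {"data", "purpose", "lawful_basis", "retention", "source",
              "automated_decisions", "third_parties"}


@dataclass
class DataMapEntry:
    """One row of the data map: where personal data lives and why it is processed."""
    system: str
    key_field: str                 # which subject identifier this system is keyed on
    purpose: str
    lawful_basis: str
    retention: str                 # period or the criteria used to determine it
    source: str                    # how the data was obtained
    third_parties: list[str]
    automated_decisions: str | None
    fetch: Callable[[str], Any]    # returns the records held for one subject key


DATA_MAP = [
    DataMapEntry("crm", "customer_id", "Account management", "Contract (Art. 6(1)(b))",
                 "As long as you are a customer", "Collected at sign-up", [], None,
                 lambda k: CRM.get(k)),
    DataMapEntry("billing", "email", "Invoicing", "Contract (Art. 6(1)(b))",
                 "10 years after invoice date (tax law)", "Generated by purchases",
                 ["PaymentProcessor Ltd (constructed name)"], None,
                 lambda k: BILLING.get(k, [])),
    DataMapEntry("support", "email", "Customer support",
                 "Legitimate interest (Art. 6(1)(f))", "3 years after ticket closure",
                 "Provided by the subject in tickets", [], None,
                 lambda k: SUPPORT.get(k, [])),
]


def build_dsar_response(identifiers: dict[str, str],
                        requested: set[str] | None = None) -> dict[str, Any]:
    """Assemble the response for one subject.

    identifiers: verified subject identifiers keyed by field name,
                 e.g. {"customer_id": "...", "email": "..."}.
    requested:   categories the subject asked for; None means everything.
    """
    wanted = CATEGORIES if requested is None else requested & CATEGORIES
    systems: dict[str, dict[str, Any]] = {}
    not_searched: list[str] = []

    for entry in DATA_MAP:
        key = identifiers.get(entry.key_field)
        if key is None:
            # No verified identifier for this system: record the gap instead of
            # silently skipping it, so the response can say what was not checked.
            not_searched.append(entry.system)
            continue
        records = entry.fetch(key)
        if not records:
            continue  # nothing held here for this subject
        section = {
            "data": records,
            "purpose": entry.purpose,
            "lawful_basis": entry.lawful_basis,
            "retention": entry.retention,
            "source": entry.source,
            "automated_decisions": entry.automated_decisions or "None",
            "third_parties": entry.third_parties,
        }
        systems[entry.system] = {k: v for k, v in section.items() if k in wanted}

    response: dict[str, Any] = {
        # Confirmation that personal data is processed at all.
        "processing_confirmed": bool(systems),
        "systems": systems,
        "not_searched": not_searched,
    }
    if "third_parties" in wanted:
        # Consolidated recipient list across every system that holds the subject's data.
        response["third_parties"] = sorted(
            {tp for e in DATA_MAP if e.system in systems for tp in e.third_parties})
    return response


if __name__ == "__main__":
    import json
    print(json.dumps(build_dsar_response(
        {"customer_id": "cust-1001", "email": "a.example@example.invalid"}), indent=2))
```

The `not_searched` list is the part practitioners tend to forget: a DSAR response that is silent about a system it never queried looks complete but is not, and the gap is exactly what a regulator will ask about.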