The Data Subject Access Request (DSAR) is a key GDPR requirement for many organizations these days.
Organisations face many challenges when it comes to addressing and answering DSARs. Without a connection to data governance, it is a very time-consuming task. The following questions inevitably arise during the process: Have we covered all data? What do we have to provide? Which data do we hold on a specific individual, and where is it located? How do I obtain that data? Who do I have to contact to obtain this data (who is the owner of the data and of the impacted application, system or processing activity)?
We answer these questions with the DSAR integration package. This solution is part of our overall Smart Compliance layer and makes the most of the capabilities of both platforms, Collibra and OneTrust. The Data Subject Access Request is completed by the data subject in OneTrust and linked to the Collibra Data Governance solution through an API gateway.
Based on the data classification and data lineage available within your Collibra environment, the data is located and the owners of systems, applications and processing activities are identified automatically. Tasks are assigned to those responsible for the DSAR, and the requested data is uploaded to a secure location that is accessible through the OneTrust Privacy Portal.
More details on this integration can be found in the video below, or you can download the datasheet for an overview of the dataflow.
Main Business Benefits:
Increase efficiency; free up time for your data protection office resources and DPO
Increase your level of GDPR compliance
Increase your level of accountability, allowing you to better respond to internal and external (regulator) questions
Maximize data governance capabilities
A Data Subject Access Request (DSAR) is a written request made by or on behalf of an individual for the Personally Identifiable Information which is held by the Company. GDPR entitles all individuals to make requests for their own personal data to enable them to verify the lawfulness of how their information is being processed.
How do I make a request?
The request does not have to be in any particular form other than in writing, and it need not include the words ‘subject access’ or refer to data protection or the GDPR.
What is our process?
Upon receipt of a DSAR, we will contact you with a Data Subject Access Request form for you to complete. Please complete this and return it at your earliest convenience.
We must confirm your identity. Two forms of valid ID must be presented at one of our office locations: one form of photographic ID and one form of ID that shows a current address. Invalid documents will not be accepted; examples include expired passports or driving licences, and documents that do not show a current address. Copies of the identification will be taken and stored with the Subject Access Request form.
Retention Periods
The data provided on a Subject Access Request form will be transferred onto the Subject Access Request register, where it will be held indefinitely. AA Projects will also take copies of identification documents which will be stored on our secure network along with the request form for a period of 12 months. This data is held as evidence of compliance should an enquiry be raised with the Information Commissioner’s Office.
Exceptions
Not all DSARs can be actioned. Personal Data may be exempt because of its nature or because of the effect its disclosure is likely to have (e.g. on legal proceedings). There are also other restrictions on disclosing information in response to a DSAR, for example where this would involve disclosing information about another individual (e.g. CCTV footage that clearly reveals another person’s identity).
How long do I have to respond to a data subject access request?
After a data subject files a DSAR with a data controller, the controller has a maximum of one month to fulfil it. If the data controller needs more time to fulfil the request, it must let the data subject know within the one-month period. The controller may extend the DSAR processing period to two months, taking into account the complexity or quantity of requests the data subject has filed. However, the following reasons are unlikely to earn an organization an extension:
If the request is manifestly unfounded or excessive
An exemption applies
The organization requests proof of identity before considering the request
The organization has a lack of resources to fulfill DSARs
Misplacing, losing, or forgetting about a DSAR