What is Data Subject Access Request (DSAR)?

By Alisa Fetic

In 2018, the General Data Protection Regulation (GDPR) was created in an effort to give people control over their own data.

The GDPR grants eight data subject rights and one of those rights is the right of access. The right of access enables individuals to retrieve information about the data an organization holds on them and how it is used.

The right of access isn’t new. However, the GDPR expands the right of access with new obligatory categories of information that the organization must provide. The GDPR also makes it easier for people to submit their requests and access their data.

The data subject access request (DSAR) is one of the most commonly requested pieces of information organizations receive. If your organization hasn’t already received a DSAR, it likely will in the near future. Here is everything you should know about DSAR.

Data Subject Access Request (DSAR) Definition

A Data Subject Access Request (DSAR) is a request made by an individual to an organization that gives the individual a right to obtain information about how the organization is using their personal data. In compliance with the GDPR, individuals must have the ability to submit DSARs easily at reasonable intervals in order to be aware of, and verify, the lawfulness of the organization’s data processing.

What information are you obligated to provide in a DSAR response?

When responding to a DSAR, an organization must provide confirmation that they are processing personal data and retaining a copy of that personal data. The organization is also obligated to provide:

Purpose of personal data processing
Third-parties with whom the organization is sharing personal data, if any
Categories of personal data the organization is processing
Source of data (if the data is not collected from the individual)
Data retention period
Information about automated decision-making (including profiling)
Information about their GDPR rights (right to rectification, right to erasure, restriction of processing)

Who Can Submit a DSAR?

Anyone whose personal data the organization is processing can submit a DSAR. This includes employees, customers, partners, and contractors. A DSAR can be submitted at any time and the requesting individual is not obligated to provide a reason for the request.

A DSAR can also be submitted by an individual authorized by the data subject on their behalf. Examples of this include:

A parent submitting DSAR on behalf of a child
Legal representative submitting DSAR on behalf of a client
Relative or a friend
Individual appointed as a legal guardian

If a DSAR is submitted on someone else’s behalf, the organization has a right and an obligation to ask for a written authorization or other documents that verify the authorization.

Verifying the Identity of the Data Subject

Recital 64 of the GDPR states that the organization must use all reasonable measures to verify the identity of the person submitting a DSAR. Commonly used methods of verifying a data subject’s identity are via email and via photo ID.

Who should respond to a DSAR

The organization’s Data Protection Officer (DPO) should respond to a DSAR. However, not every organization is obligated to appoint a DPO.

If your organization does not have an appointed DPO, there should be one individual within the organization, such as a compliance officer, who is familiar with the GDPR and DSAR processes. The compliance officer must keep track of all DSARs to ensure they are resolved in a timely manner.

However, the DPO or compliance officer does not have to respond to each and every DSAR themselves. Rather, the DPO or compliance officer should oversee and manage the process and assure compliance.

Deadline for Responding to the DSAR

A DSAR must receive a response without undue delay and within one month of receipt of the request.

The response deadline can be extended by two months if the request is complex or if the organization has received several requests from the same individual.

Can You Refuse to Respond to a DSAR?

There are two scenarios when an organization can refuse to respond to a DSAR.

The request is manifestly unfounded. This means the requesting individual has no real intention of exercising the right of access or the request has malicious intent and no other purpose other than to cause a disruption.
The request is manifestly excessive. This means the DSAR is obviously unreasonable and far exceeds the cost or other burdens involved with DSAR.

You Might Also Be Interested In

Streamlining DSAR Responses: How Sensitive Data Discovery Enhances Customer Privacy

The rising need for Data Subject Access Request (DSAR) compliance has made it increasingly difficult for organizations to keep up with the increasing demands of data privacy regulations. To be able to comply with DSARs, businesses must have an understanding of what personal information they are storing and how it is being used. Sensitive data discovery tools help organizations identify and protect sensitive customer data, allowing them to stay ahead of DSAR requirements and safeguard all customer information. This post will explore the benefits of using sensitive data discovery to streamline DSAR responses and how it can enhance customer privacy. DSAR RoadBlocks and Challenges Collecting relevant data for a DSAR response can be time-consuming and often involves disparate data sources. Companies may have to manually search through old documents and files or query the database they use to store customer data. This can create delays in responding to DSARs, potentially resulting in non-compliance and fines from regulatory bodies. It also requires significant resources, as data must be collected from multiple sources and collated into a single response. Moreover, companies may inadvertently overlook important information that should have been included in the DSAR response. Using Sensitive Data Discovery to Overcome These Challenges Sensitive data discovery can help organizations streamline their DSAR response process. It automates customer data collection, enabling companies to quickly and easily identify personal information stored in various databases and files. The technology also eliminates the need for manual searches and queries, saving time and resources that would have otherwise been spent manually gathering the required data. Additionally, it increases the accuracy of the response, as sensitive data discovery tools can identify and analyze customer information from all sources accurately. By employing sensitive data discovery, organizations can improve their DSAR response process and ensure that they are in compliance with privacy regulations. iDox.ai: Streamlining DSAR Responses iDox.ai ’s sensitive data discovery platform helps organizations streamline and automate their DSAR response process. Our advanced data discovery tools make finding and analyzing customer data easy, allowing businesses to identify personal information stored in various databases and files quickly. Thanks to our powerful indexing capabilities, the platform can search through large volumes of data quickly and accurately. It also helps organizations reduce non-compliance risk by ensuring that all relevant customer information is included in the DSAR response. Contact us today to learn more about how iDox.ai can solve your DSAR challenges!

Aug 21, 2023

Navigating DSARs with Confidence How Sensitive Data Discovery Simplifies Compliance

In our digitally advanced world, you likely have much data about you scattered around the Internet. This data might be in your doctor's records, within online shopping accounts, or buried in social media profiles. It's important to know who has access to your personal information; this is where Data Subject Access Requests (DSARs) come into play. Understanding the Importance of DSARs First things first, let's understand what DSARs are. These are requests from people to see their personal data, which is held by companies or organizations. Not only that, but people can also ask how this data is being used. They allow all of us to have control over our own data and decide who can see it and how they can use it. This is why big privacy laws like GDPR include them as crucial to keeping our data safe. More and more people are realizing their rights and asking for their personal data daily, which brings us to our next point. Challenges Posed by DSARs When organizations receive these requests, it can seem like looking for a needle in a haystack of voluminous data archives. Retrieving relevant data for DSARs can seem overwhelming. The challenge doesn't just lie in the sheer volume of data but also in locating sensitive and personal information within vast records fast and accurately. Moreover, failing to fulfill a DSAR effectively, either by furnishing incomplete data or missing the processing timeline, violates privacy laws like GDPR and might also hit an organization's credibility hard. Hence, it becomes ever so crucial to implement processes that streamline DSAR compliance. The Role of Sensitive Data Discovery in Simplifying Compliance This is certainly not an easy challenge, but thanks to advances in data analytics and automation, an efficient solution is at hand: Sensitive Data Discovery. Enter iDox.ai—a revolutionary discovery tool—that harnesses the power of AI and machine learning algorithms to quickly find sensitive information scattered across your systems. It's like having a powerful magnifying glass that can zoom into your sea of data, clearly showing where sensitive information resides. From finding personally identifiable information (PII) and financial transactions to other specific instances relevant to any DSAR—iDox.ai brings efficiency and precision together harmoniously. Moreover, it dramatically reduces the time dedicated to manual sorting, a win-win situation for both privacy officers and individuals requesting access. Application in Real-world Scenarios The application value is tremendous when considering case studies from various organizations that have needed swift action amidst thousands or even millions of files. Thanks to sensitive data discovery tools such as iDox.ai, these organizations could meet DSARs' demand efficiently without compromising accuracy or transparency. The significant time saved here translates into effective resource management, allowing more focus on strategic tasks rather than hunting down files for hours or even days. And all this while providing greater assurance regarding compliance with privacy laws. A Closer Look at iDox.ai – Your Reliable Partner Granted how critical compliance confidence is at this stage, let's delve deeper into what makes iDox.ai stand out. Empowering Intelligent Data Exploration When we say intelligent exploration, we mean it. From discovering sensitive individualistic details hiding unnoticed within vast databases to redaction capabilities before disclosure, iDox.ai is indeed packed with features powered by advanced AI algorithms and machine learning support, simplifying previously nightmarish tasks involving huge chunks of scattered data. Unmatched Security Standards With ISO 27001 Certification and SOC 2 Type II Certification—the system incorporates vigorous security measures against any possible breaches ensuring trustworthiness every step along the way. Moreover, collaborations with globally recognized secured storage spaces such as Amazon AWS Microsoft Azure further add peace of mind for users regarding their safety. Wrapping Up – Let iDox Do The Heavy Lifting For You. In conclusion, with reduced time involvement vastly enhanced navigability through even the most intricate systems, iDox.ai stands tall as your reliable partner when facing complexities thrown up by DSARs. Shielded within a secure framework, adoption becomes naturally encouraging while turning challenges into smooth operations. To explore how we can support you in ensuring "compliance confidence," contact us to get started today!

Aug 21, 2023

Accelerate Data Subject Access Requests (DSARs)

By Greg Sallis In the new digital age, data privacy rights are top of mind for consumers and regulators alike. One fundamental data privacy right allowing individuals to access their personal data (commonly known as a "data subject access request" or "DSAR"). If your company holds personal data about EU citizens, you must respond to DSARs within one month. This is per the EU's General Data Protection Regulation (GDPR), a failure for which you could face a hefty fine. However, responding to DSARs can be time-consuming and resource-intensive, especially if you’re doing it manually. Fortunately, you can accelerate DSARs by automating the process. Here is more insight into how automating DSARs in your organization can save you time, money, and the headache associated with these requests. Fast Verification of the Subject's Identity The first step in responding to a DSAR is verifying the data subject's identity. This process can be laborious when done by hand, [GS1] ">as you have to send physical documents back and forth. But with automation, you can use digital identity verification tools to verify the data subject's identity electronically. You can ask the subjects to verify their identity using technological approaches such as SMS/email and SSO/OIDC. You can also verify the identity by integrating the data with third-party verification tools such as Experian. Faster Retrieval of Data The next step in responding to a DSAR is retrieving the data requested. This process can take time, especially if the data is spread across different systems. Automation can speed up this process by centralizing the data in one location and using intelligent search tools to locate the data quickly. For example, you can use data discovery tools to crawl through all your data sources and automatically index the data. This will make it much easier and faster to find the data when needed. You can also use search tools with natural language processing (NLP) capabilities to help you efficiently locate the data. Faster Data Redaction One crucial step in responding to a DSAR is redacting the data. When responding to data access requests, you must find and redact confidential and sensitive data. Redaction is necessary to protect the privacy of other people whose data may be included in the request. Manually redacting data can be a slow and tedious process. But with automation, you can use optical character recognition (OCR) tools to identify and redact sensitive data. Redaction technology will scan documents and automatically identify and redact confidential information such as credit card and social security numbers. The best thing about this technology is that it can redact faces, audio, and video files. Improved Accuracy When responding to DSARs, it’s essential to be as accurate as possible to avoid penalties. But manual processes are often error-prone, leading to inaccuracies in the data. Automation can improve the accuracy of DSAR responses by using tools such as natural language processing (NLP) to check for errors. NLP can help you identify and correct any mistakes in the data before it’s sent to the subject. Automation will reduce errors such as forgetting to redact sensitive information, sending data to the wrong person, or accidentally deleting data. Streamlining the Data Intake Process When responding to DSARs, you must collect data from multiple sources and put it together. This can be a challenge when done manually, as it requires coordination between different departments. But with automation, you can streamline the data intake process by creating an automated workflow. This will ensure that all the data is collected and stored in one central location. The workflow will also help you track the progress of the DSAR and see where any bottlenecks are. As a result, you will realize enhanced efficiency when responding to DSARs. Reduced Costs Responding to DSARs can be costly, especially if you have to hire staff to do it manually. But the right technology can help you reduce the costs associated with DSARs. The technology will help you save on labor costs, as you won’t need to hire as many staff to respond to data access requests. It will also help you save on storage costs, as you won’t need to keep as much data on hand. In addition, you won’t need to use as much processing power to respond to data access requests, which will reduce your processing costs. Accelerate Data Subject Access Requests (DSARs) With Automation Responding to data subject access requests doesn’t have to be a headache. Automation will make the whole process a breeze, from verifying subjects' identities to redacting data. Not only will this save you time and money, but it will also improve the accuracy of your responses. So if you’re looking to streamline your DSAR process, automation is the way to go. “Quick, well designed, and saved our team over 97% of time. Our team was able to meet subject access requests and meet GDPR mandates using the iDox.ai redaction solution.” Learn more - Carl Bevan - Royal College of Nursing

Feb 17, 2023