More and more consumers are taking control of their data. There has been a rapid growth in the last decade of individuals who wish to obtain information about how their personal data is being used by companies. This has been accelerated by the new General Data Protection Regulation (GDPR) which was implemented on May 25th, 2018.

The GDPR protects the privacy of EU residents by providing them with rights regarding how companies collect, store, and use their personal information. 

One of these rights enables individuals to request organizations to disclose how they plan to use the collected data. This is called a subject access request. The California Consumer Privacy Act (CCPA) offers similar rights to Californians. 

How do consumers in California access information collected by organizations? By submitting a Data Subject Access Request (DSAR).

What is a Data Subject Access Request?

Data subject access request (DSAR) allows individuals to obtain from controllers confirmation as to whether or not personal data concerning them is being processed, and if so, access to their personal data and supplementary information. As per DSAR data protection guidelines, consumers have the right to ask how their personal data is used.

DSAR Request

An individual who wishes to make a request should make contact with the controller using the contact details provided on any website to disclose the information it has on them and how it plans to use the information. Consumers can request an organization disclose how it holds, stores, saves, and uses the information.

If the individual believes that the controller has not complied with its obligations, he or she may submit a complaint to an independent supervisory authority established in his or her country. It is important that you have evidence of your requests in case you need to contact a super. In regards to the CCPA, organizations must act upon and provide consumers with the information they are looking for. 

The most common reason for a DSAR request is if an individual wants a copy of the personal data they have provided. For example, if an individual has filled out a survey online, they can request a copy of that information from the company that collected it.

The Data Protection Act 1998 lays out what information businesses should supply when contacted by a DSAR request and how quickly this information should be supplied.

How Does the CCPA Address a DSAR?

Companies looking for DSAR guidance need to know that they have to comply with different sections – including 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125. In addition, they must provide consumers with:

  • At least two methods to submit DSARs – for example, a telephone number and an email address. If it’s an online store or business that connects with its consumers online and collects information virtually, then it must provide an email address that consumers can use online to submit requests. 
  • The necessary information to understand the process of requesting DSARs. In addition, the business must have a designated process to determine whether or not the submitted request is from a genuine consumer. 

Apart from abiding by these guidelines, businesses must provide a free guide to help consumers understand where and how to request information they need. 

What Does a DSAR Response Include?

A data subject access request is a written request from a data subject asking for confirmation that certain personal data concerning them is being processed, and their communication has been collected. It involves a list of information an organization has on its consumers. And, a consumer can request specific details. 

For example, a consumer can request for:

  • Confirmation that the organization use and process their personal data
  • Access to information on them
  • Information that the organization stores and sells
  • The period for which the organization will save consumer data
  • Companies with which an organization plans to share consumer data

Who Can Submit a DSAR?

As per the CCPA, anyone whose personal information is stored and used by an organization can submit a request. The applicant can be a customer, user, employee, job candidate, donor, or sales prospect.

Also, you can submit a DSAR request on behalf of another consumer. It is possible in case you are:

  • The parent/guardian of a child who is not capable of sending a request
  • Appointed by the court to make a decision on behalf of an individual
  • An employer who can make a request on behalf of a client

Can Your Company Refuse to Respond to a DSAR?

Subject access rights allow individuals to exercise their right to free information and to see what information the company has on them.

It is a legal requirement that companies provide an easy way for individuals to request their data from the company. However, there are no rules on how quickly these requests should be processed or how much money a company can charge for providing this information.

Some companies are able to charge up to $75/£50 per request. 

What happens when your company is asked to produce documents or data in response to a government request and you don’t want to? This is an interesting question that companies should ask themselves. The decision to respond or not may be based on legal considerations, privacy, confidentiality, and other factors.

Although laws around the DSAR makes it essential for organizations to respond to all requests, they can opt not to answer in certain situations, especially when:

  • A request has no foundation. It happens in cases where the requester makes unsubstantiated claims.
  • The request is excessive. It is possible in case one request overlaps another request. 

However, organizations must note that they cannot use these two scenarios to avoid all DSAR requests. It is difficult to prove that a request has no foundation, or the request is excessive. Also, there aren’t specific examples that organizations can use to reject a request. 

How Long Do You Have to Respond to a DSAR?

It is important to reply to a subject access request as quickly as possible. If you don’t respond within the time limit set by the Data Protection Act 1998, then you could be fined up to £500

The GDPR requires that the controller responds to a data subject access request within one month of receipt. The right of the data subject to obtain confirmation of whether or not personal data concerning him or her is being processed is also enshrined in the Data Protection Directive 95/46/EC. However, as per the CCPA regulation, the request should be addressed within 45 days of the request. 

In addition:

  • If it is a complex request, then a company can extend the request processing time. However, it needs to respond within an additional two months. In such a scenario, the company must inform the individual about the request extension. 
  • The company should provide a copy of the personal data. 
  • The entire process is free of cost, and a company cannot ask for any kind of additional charges. 

When the process is heading in the right direction, a company keeps an applicant informed and provides a copy of the requested information. Apart from that, an individual can ask for explicit information, like:

  • How does the organization store, use, and distribute consumer information?
  • To whom does the company share consumer information?
  • How long will it store the information? 
  • How did the company obtain the information?
  • What kinds of measures will the company take if the information is used internationally?

What’s the Process for Handling a DSAR Request?

It is an individual’s right to ask companies for this information, and it is the company’s responsibility to respond within a month.

If you are a business owner, it’s likely that you will have to handle at least one of these requests in your lifetime. In order to do so correctly, you must understand the basics of responding to a data subject access report request.

While there are many aspects of handling these requests, there are certain steps you can follow to ensure that the process is handled the right way.

A Requester can use different methods – including sending an email, making a call, or even asking in person. 

Key steps to handle a DSAR request are:

  • Identify and cross-check the address of an organization where a consumer wants to send the request
  • Find out the format in which a request will be submitted 
  • Officially submit the request, and include information – such as name, contact number, address 
  • Details a company needs to verify the authenticity of the user 
  •  Track the status of the request

Automate Data Subject Access Requests with Secuvy

Secuvy can help you with your data subject access request needs. Our team consists of expert privacy consultants who have extensive experience in information security & privacy . We have helped hundreds of companies with their DSAR requests in the past and would love to help you.Remember, it is necessary even for small businesses to comply with the DSAR guidelines. Secuvy DSAR Module can help you handle your DSARs in minutes and take appropriate actions. Reduce Efforts and gain trust with your customers along with getting privacy compliant. Schedule a Demo to learn more!