What is a data subject access request (DSAR)? How-to guide

A data subject access request (DSAR) is a request from any member of the public to exercise their data privacy rights as granted by regulations, like seeing a copy of their personal data that’s been collected by a company. Here’s everything you need to know.
Published by Usercentrics
May 2, 2024

Today’s consumers are more data-conscious than ever before. As spending power increasingly lies with digital natives who are savvy to the internet’s privacy risks, businesses need to optimize their approach to data privacy and protection.

In addition to ensuring robust data security and consent management practices, this means being ready to respond to customers when they ask about the data you’ve collected on them or when they make requests about it, like for correction or deletion. This is not just a customer service function: these are legal rights granted to consumers under many data privacy laws.

This type of request, known as a data subject access request (DSAR), is increasingly common as more data privacy laws are passed around the world and consumers learn more about their rights. According to the Cisco 2023 Consumer Privacy Survey, nearly 30% of international respondents have exercised their right to request this information, and this number will only increase year on year.

In this article, we’ll explain what DSARs are, how to prepare to receive and respond to them compliantly, and how to proceed whenever your business receives one.

What is a data subject access request (DSAR)?

A DSAR is a request regarding the personal data that a company has collected about the requester. It comes from a member of the public, most often one of the company’s users or customers, but depending on the regulatory jurisdiction the requester can also be a business partner or an employee, among others.

This can be a request to see specific categories of information collected, or all of it, within a specified time frame. Data collected in the last 12 months is a common parameter. As this is a consumer privacy right conferred by regulation, companies are required to respond within a set time frame, or to notify the person making the request if they are unable to respond within the prescribed time period.

Consumers can make requests beyond just seeing their data, however. They can request that the company stop collecting and processing their data and delete what they have. They can request information about the company’s use of automated decision-making. They can often ask for a portable copy of their data that they can use elsewhere, possibly with a competitor’s product or service.

Opt-in and opt-out consent models

The right to submit a DSAR is included in modern and comprehensive privacy laws passed to date, including laws that use both opt-in and opt-out models for obtaining consumer consent.

Opt-in consent requires you to obtain explicit consent before collecting consumers’ personal information. It’s the more common consent model and the one used in regulations like the European Union’s General Data Protection Regulation (GDPR), which has been influential around the world.

Opt-out models only require consumer consent in some cases, but require data subjects (mainly consumers) to be able to opt out of data collection and processing at any time. Consent does need to be obtained in advance in some cases, depending on the law, e.g. if personal data is categorized as sensitive or belongs to known children, or in some cases if it is to be sold or shared. Under the California Consumer Privacy Act (CCPA), for example, consumers only have to be able to opt out of sale, sharing, targeted advertising, or profiling. The Digital Markets Act (DMA) bans targeted advertising without consent.

Learn more: Review our explanation of how U.S. data privacy regulations vary state by state.

DSRs vs DSARs

The terms data subject request (DSR) and data subject access request (DSAR) are commonly used interchangeably, as we have largely done in this article. However, you may see the terms used to refer to slightly different things.

DSRs can be used to describe a broader category that includes any request a person might make to exercise their rights regarding their personal data held by an organization.

DSARs, on the other hand, more often specifically refer to requests to access the personal data an organization holds about someone. As noted, however, there are various ways a consumer can request access to their data, and then request what is done with it. As such, a DSAR can be seen as a kind of DSR.


Infographic presenting the rights a person can exercise under CCPA/CPRA when making a DSAR

Who can submit data subject access requests?

Organizations can receive DSARs from a variety of sources. They can be submitted by:

  • any data subject covered by relevant privacy law whose personal information has been collected by a company
  • the parent or legal guardian of a child who is a data subject
  • an employee on behalf of their employer or a representative on behalf of a client
  • a court-appointed representative of an adult who manages someone else’s affairs

As long as the requester can prove their identity and legal right to make the request, a company is required to release whatever personal data is held about the individual subject. Companies must provide a reasonable mechanism to enable people to verify their identities when making a request. However, they can also deny a request if the requester’s identity cannot be reasonably verified.

Each law specifies a time frame for both the data included and the response to such requests. Under the CCPA, for example, a data subject can request data collected about them in the preceding 12 months; a person can’t demand data going back 10 years. Commonly, a person also can’t make more than one DSAR per calendar year. If they do, the company can either charge them a reasonable fee to fulfill it, or deny the request.

Under various regulations, companies typically have a specified amount of time to respond to DSARs. Under the CCPA, it’s 45 days, with the possibility of an extension for special circumstances. If a company cannot fulfill a request within the prescribed 45 days, it has to notify the requester with a reason before that 45-day period ends. Typically the extension is only for another period of the same amount of time, e.g. another 45 days.

How do DSARs take place?

  1. An individual contacts the company via a reasonable mechanism (e.g. email, web form) to make a request
  2. At the time of submitting the request, the individual also provides identity verification (companies can commonly require existing customers/users to log in to their accounts as part of the verification process, but they can’t make people create a new account to send a request)
  3. Smaller organizations may need to handle requests manually, but larger ones, which may receive many thousands of requests, typically automate the processes (this is why it’s important to have an up-to-date data audit so responses to requests can be fulfilled in a timely manner and are accurate)
  4. The company receives and reviews the request, typically (auto)responds to the individual confirming receipt and the time frame for response
  5. If verification is insufficient, or someone is making the request on behalf of a person they can’t legally represent, the company can notify the individual and ask them to re-send the request or have a viable representative send it
  6. If the request(s) is “manifestly unfounded or excessive” the company can deny the request or charge the individual a fee (under some laws) to fulfill it
  7. If the request is verifiable and reasonable, the company has a set period of time to fulfill it, depending on the law (often 45 days)
  8. If the company cannot fulfill the request within the specified time due to reasonable circumstances, e.g. a high volume of requests, it must notify the individual before the first response period ends that it can’t fulfill the request in the required time and needs an extension, and state the period within which the individual can expect a response
  9. The company then has to fulfill the request within the extended period’s allotted time

How can a DSAR be submitted?

Companies are required to make it relatively easy for consumers to submit a DSAR. Here are a few ways to make the process user-friendly and compliant:

  • Ease of submission: Companies should enable DSARs to be submitted through the same channels customers normally use to contact them, e.g. web forms or email, to help ensure the process is straightforward and accessible.
  • No account requirement: If an individual doesn’t already have an account with the company, they cannot be compelled to create one just to submit a DSAR. Companies can require individuals who already have accounts to log in to theirs to submit the request as part of the verification process.
  • Preference for written requests: Although not legally mandated, written requests are often preferred because they create a clear record of the interaction, facilitating a more accurate and complete response. Written records are likely to mostly be in digital format, which enables all records to be kept together in the event of an audit or future request.
  • Flexible wording: Requesters are not required to use specific terminology when making a DSAR. Simple requests like “Can you send me the information you have collected on me?” are as valid as more formally worded requests that cite specific regulations. Request mechanisms like a web form may provide the request language, and the requester simply has to check off the type of request(s) and verify their identity.

When and how does a company have to respond to a DSAR?

Companies need to be familiar with the privacy laws relevant to them. As noted, the CCPA allows 45 days for a DSAR response, though under the GDPR they are expected to respond within one month. The phrase “without undue delay” comes up regularly in regulations and should be followed as closely as possible.

As privacy laws generally apply to residents of a particular jurisdiction, e.g. California or the EU, companies may need to comply with multiple privacy laws, including laws of regions where the company is not physically located: what matters is whether the company has customers there whose data it processes, not where the company itself is based.

After receiving a DSAR and verifying the requester’s identity, a company has to respond by supplying the requested data or otherwise acting on the request, like making corrections or deleting it. Or the company must provide a specific reason why more time is needed to fulfill the request, e.g. they have a high volume of requests.

Under the GDPR, for example, companies can extend their deadline by 60 days if it proves challenging to track down all the necessary information, but this must be clearly explained in their initial response, which must be sent within the initial 60 days.

Companies can’t ask for repeated extensions before supplying the requested data. If a company takes too long to respond to a request, it is a type of violation and risks fines, penalties, and reputational damage.

What does not have to be included in a DSAR response?

DSAR responses must include the personal information of the subject requesting it, which has been collected/processed in the prescribed time frame, e.g. the last 12 months. This is for access or portability requests. For other requests, the company needs to confirm fulfillment, e.g. corrections or deletion. A company is not required to provide:

  • more data than requested
  • data that is exempted due to legal requirements, e.g. in some cases companies cannot delete personal data for a number of years
  • data concerning the subject’s interactions with the organization (e.g. internal account notes)
  • data relating to another individual for whom they are not the legal guardian or representative (this could constitute a data breach)

In other words, the DSAR is always for only an individual’s personal data (or the person they legally represent), as defined by applicable regulations, e.g. addresses, browser activities, dates of birth, medical records, credit ratings, etc.

Anything that can identify an individual alone or combined with other data points could count as personal data. However, the definition of personal data varies depending on the law.

Regulations can also delineate between personal data and personally identifiable data, or specify what is considered sensitive personal data, and definitions can be different across laws.

Some laws provide specific examples of types of such data, but others are more general. Companies can redact data in supplied documentation if it’s not relevant or not legal to supply it, for instance, if it references another person’s personal information.

Grounds for refusing a DSAR

There are only two legal grounds for refusing a DSAR: if the request is excessive, or if it’s manifestly unfounded. Excessive does not mean onerous or large in scale. Rather, it means that the request overlaps with another request(s) and is therefore resource-intensive without providing the requester with any additional information.

For example, requesting personal data from a local library every month could be deemed excessive. For this reason, some laws do not permit a person to request their data from a company more than once in 12 months. Companies can still choose to fulfill excessive requests, but under some laws can charge a reasonable fee to do so.

However, this frequency may not be deemed excessive for large ecommerce platforms, where data changes regularly. Always err on the side of compliance and stay familiar with relevant privacy laws. Large platforms likely have automated processes for DSARs, so there would be less manual work involved, potentially, than at the local library.

“Manifestly unfounded” can be harder to prove. This would apply if a company doesn’t hold any data on the subject, or the data is all very old and does not fall within the required time frame, so the DSAR is in error.

Or if the person is specifically requesting data that the company is not permitted to release—such as the medical records of a relative they do not have custodial responsibility for, or a request to delete data a company is legally required to retain—a company could also argue that the request is unfounded. A request for which the individual can’t be reasonably verified could also fall under this category.

Companies can’t break one part of the law to comply with another, so this is an area where it’s recommended to consult legal counsel.

What is the process for fulfilling a DSAR?

The process to fulfill a DSAR is typically managed by a company’s data protection officer (DPO), a role whose appointment may be required for GDPR compliance. Under other laws, a DPO may be required only under certain conditions, or not required at all but still recommended.

To ensure the process runs smoothly, companies should keep an organized and auditable record (i.e. database) of all requests, including the dates of receipt, initial and subsequent responses, and final fulfillment. As noted, for many organizations, especially larger ones, these systems and processes will likely be automated and scalable. There are tools dedicated to DSAR fulfillment.

Here’s a typical process to fulfill a DSAR:

  1. Log the DSAR: When you receive a DSAR, promptly log it in a tracking system and include the date of receipt.
  2. Acknowledge the request: Send an acknowledgment to the person who submitted the DSAR, confirming that you are processing their request.
  3. Verify the requester’s identity: Ensure that the person requesting the data is who they claim to be or legally represent. If there is any doubt, request additional identification documents or deny the request if they can’t or won’t comply.
  4. Collect the requested data: Gather all data related to the request from across your organization, coordinating between departments as needed.
  5. Review and prepare the data or data-related action: Once collected, review the data carefully. Redact any sensitive information that’s not required, or that relates to other individuals. Many laws require the data to be in an accessible and reasonably portable format. Ensure any corrections are accurate or deletions are complete, etc.
  6. Deliver the data or response noting completed actions: Choose the most secure delivery method, either electronic with encryption or password protection, or physical with a trackable, signature-required service. Whichever method you choose, ensure that receipt can be confirmed and proven. The more sensitive the data, the more precautions should be taken for delivery.
  7. Update your records: Finally, mark the DSAR as completed in your tracking system, with the date of delivery and any other relevant details. This is crucial to maintain an auditable record, and to track the number of requests in a given time frame.

Following these steps will help to ensure your DSAR response is quick, efficient, and compliant with relevant regulations.

How to automate DSARs

By automating DSARs, businesses can boost their efficiency, cut down on human error, and take steps toward compliance with privacy regulations.

Automation accelerates the DSAR handling process and should keep procedures updated with the latest in privacy regulation, saving valuable time and resources while focusing human input where it’s needed most.

Automating DSARs also makes the process more convenient for the individual submitting the request, as they’re more likely guaranteed a timely and sufficiently detailed response.

Tools like MineOS DSAR, a Usercentrics partner solution, make this kind of DSAR automation possible. It creates a single, user-friendly point of contact for data subjects on your website, making their experience clearer and easier.

This approach also simplifies the management of requests and ensures that only necessary data is collected or actioned, while maintaining privacy and reducing risk of data being mishandled. The MineOS solution provides an admin panel which allows for easy tracking and centralized management of DSARs, making the process seamless for both your company and the data subject.

DSAR product - Usercentrics

Our DSAR solution simplifies the DSAR process, minimizing non-compliance risks and enhancing efficiency. Ideal for companies prioritizing data privacy compliance, automation, and resource optimization.

Challenges of the DSAR fulfillment process

Regulations like the GDPR and CCPA include stringent data management and DSAR fulfillment requirements, which can be difficult to meet in some circumstances or for some organizations. Here are the most common challenges that companies encounter when trying to respond to a DSAR:

  • The requests are not reasonable or verifiable: The company is responsible for providing a reasonable mechanism for requests, but human error in making requests still happens, and people are often impatient online or don’t read carefully or follow instructions well. The burden of verification and security lies with the company, and they also have rights regarding fulfillment. A regulatory violation is a much bigger issue than a disgruntled customer. This is one area where a purpose-built tool that is user-friendly, like Usercentrics’ DSAR solution, can help.
  • The data is in many locations: It can be a challenge to pull together data from many different departments—like account details, billing details, website activity, and medical records. Companies may need to invest in data mapping, or in a system that tracks and centralizes personal data, to speed up the preparation of DSARs. Without these tools, it may take companies longer to fulfill requests and the risk of error is higher.
  • The data requires complex redaction: Manually reviewing and redacting documents can be a laborious process, as can getting approvals from senior management and/or the legal department before releasing or deleting potentially sensitive data. Again, it’s beneficial to have all individual customers’ personal data accessible in one location or at least efficiently tagged or linked, so that a company doesn’t end up having to redact dozens of documents.
  • The data requested is wide-ranging: If a member of the public simply asks for “all the data you hold about me”, it still constitutes a valid DSAR. Remember that you’re only required to release personal data, and usually only that from within a specific time frame, which should help to narrow down what you compile and send. As noted, the relevant personal data that has to be included or actioned can often be located in a variety of locations, departments, and systems around a company.

DSAR fulfillment checklist

Every organization should develop and communicate its own processes that are based on relevant regulations by working with its legal counsel and data protection officer. The whole organization should have data privacy training and be aware of DSAR processes as well.

Here is an outline of a general process.

  1. Authenticate the requesting data subject’s identity and whether the company has the requested personal information that’s within the legally required time frame and categories. Further authentication can be required if there’s any doubt.
  2. Clarify the nature of the request if needed and inform the subject of any issues, e.g. if they’ve asked for an action that falls outside of the regulatory scope, or for excessive amounts of data, data that legally can’t be provided, or data going back beyond the legally required scope of the DSAR.
  3. Respond to the initial DSAR with written acknowledgment and expected time for fulfillment within the legally prescribed time period. Don’t overpromise, but keep within the legally mandated timescales. The initial response may include fulfillment, or reason for a required extension.
  4. Gather and review the requested data. Make any necessary exclusions and redactions or prepare the requested action(s), then have a senior manager, or DPO, approve if needed.
  5. Format and send the data to the data subject. Include the recipient’s rights regarding data erasure or change. If the request was for an action, include confirmation of changes, deletion, etc.
  6. Ensure the data is sent securely and is only accessible to the intended recipient. Where possible, confirm that the recipient has received the data package.
  7. Check that the recipient is happy with what they have received and make changes and updates as needed, within the scope of relevant regulations. Changes to physical address, phone number, and email address are common.
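
The lifecycle laid out in the fulfillment process and the checklist above (log the request with its receipt date, refuse release until identity is verified, allow one extension only if notice goes out before the first period ends, release only the subject’s own in-scope data with third-party references redacted), as an added Python example; this is not Usercentrics or MineOS code. The record layout, field names, sample data and the 30-day reading of the GDPR’s “one month” are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Response windows in days as the article states them. Treating the GDPR's "one
# month" as 30 days and its lookback as None (all data held) is our assumption.
LAWS = {
    "CCPA": {"response": 45, "extension": 45, "lookback": 365},
    "GDPR": {"response": 30, "extension": 60, "lookback": None},
}
EXCLUDED_CATEGORIES = {"internal_note"}  # internal account notes need not be released

@dataclass
class DSAR:
    request_id: str
    subject_id: str
    law: str
    received: date                           # logged on receipt; deadlines run from here
    identity_verified: bool = False
    extension_notice: Optional[date] = None  # date the extension notice went out
    fulfilled: Optional[date] = None

    def initial_deadline(self) -> date:
        return self.received + timedelta(days=LAWS[self.law]["response"])

    def deadline(self) -> date:
        if self.extension_notice is None:
            return self.initial_deadline()
        return self.initial_deadline() + timedelta(days=LAWS[self.law]["extension"])

    def request_extension(self, today: date) -> None:
        """One extension only, and notice must go out before the first period ends."""
        if self.extension_notice is not None:
            raise ValueError("repeated extensions are not permitted")
        if today > self.initial_deadline():
            raise ValueError("extension notice sent after the initial deadline")
        self.extension_notice = today

def build_response(req: DSAR, records: list, today: date) -> list:
    """Release only the verified subject's own in-scope data, redacting others' details."""
    if not req.identity_verified:
        raise PermissionError("identity not verified; release refused")
    lookback = LAWS[req.law]["lookback"]
    cutoff = today - timedelta(days=lookback) if lookback else None
    out = []
    for rec in records:
        if rec["subject_id"] != req.subject_id:
            continue  # another person's data is never released
        if rec["category"] in EXCLUDED_CATEGORIES:
            continue
        if cutoff and rec["collected"] < cutoff:
            continue  # outside the statutory time frame
        value = "[REDACTED: third party]" if rec.get("third_party") else rec["value"]
        out.append({"category": rec["category"], "value": value})
    req.fulfilled = today
    return out

# Constructed sample data for the demo; not taken from any real system.
SAMPLE_RECORDS = [
    {"subject_id": "u-1001", "category": "email", "collected": date(2024, 3, 1), "value": "a@example.com"},
    {"subject_id": "u-1001", "category": "support_ticket", "collected": date(2024, 1, 20),
     "value": "shared account with my brother", "third_party": True},
    {"subject_id": "u-1001", "category": "internal_note", "collected": date(2024, 2, 2), "value": "VIP"},
    {"subject_id": "u-1001", "category": "purchase", "collected": date(2022, 6, 1), "value": "order 8812"},
    {"subject_id": "u-2002", "category": "email", "collected": date(2024, 3, 1), "value": "b@example.com"},
]

def demo() -> dict:
    req = DSAR("dsar-0001", "u-1001", "CCPA", received=date(2024, 4, 1))
    try:  # any release before identity verification must be refused
        build_response(req, SAMPLE_RECORDS, date(2024, 4, 2))
        refused = False
    except PermissionError:
        refused = True
    req.request_extension(date(2024, 5, 1))  # notice sent before the 2024-05-16 deadline
    req.identity_verified = True             # e.g. requester logged in to their existing account
    return {"refused_unverified": refused, "deadline": req.deadline().isoformat(),
            "records": build_response(req, SAMPLE_RECORDS, date(2024, 5, 2))}
```

Running `demo()` shows the extended CCPA deadline of 2024-06-30 and an export containing only the subject’s email and a redacted support ticket: the internal note, the purchase older than 12 months and the other subject’s record are all withheld.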

Data protection policy best practices

A focus on best practices will serve companies well long-term both for legal compliance and efficient use of their resources. It will also help provide better customer experiences. Here’s how.

  • Designate a data protection officer: Appoint an expert in data protection and privacy legislation to oversee DSARs, ensuring deputies are in place as backup. The GDPR outlines this role’s tasks and responsibilities in Chapter 4, Art 37–39. It’s a legally required position under some regulations and circumstances, but only recommended in others.
  • Record and automate DSAR requests: Invest in the right tool for data management, like a robust consent management platform that seamlessly integrates with a DSAR management solution, to streamline consent and DSAR management. This helps ensure an auditable, efficient process, safeguard against privacy noncompliance, and track user consent and requests.
  • Create a DSAR policy: Companies should have a policy for handling DSARs as part of their broader data protection or data management policy, which should be part of every new hire’s training. DSAR information should also be included in the company’s privacy policy, typically found on the website.
  • Centralize customers’ or users’ personal data: Centralize customer records and personnel files from across departments like HR, sales, marketing, and IT as much as is reasonable, so that data is more easily kept up to date and can be tracked, changed, provided, or deleted in a timely manner.
  • Adhere to other data protection principles: Following world-leading data protection practices, which tend to be more strict, will help to ensure secure and appropriate handling of data and regulatory compliance. The EU Data Protection Principles, for instance, cover lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, and data integrity.

Manage data subject access requests with MineOS and Usercentrics

Usercentrics provides a leading CMP for consent management, and a streamlined, scalable, and user-friendly DSAR management solution through the partner solution MineOS DSR that fully integrates with the CMP—and simplifies and optimizes the DSAR process.

With customizable intake forms, secure data handling, and reliable automation, you can minimize errors, streamline fulfillment, and help to ensure ongoing regulatory compliance.

It is tailored for companies seeking to fortify data privacy practices, improve operational workflows, and minimize manual effort.