Introduction to Data Subject Access Requests (DSARs)
A Data Subject Access Request (DSAR) is a request from a member of the public – which can include colleagues, clients, suppliers, etc. – to see a copy of the data about them that a company has collected. This can be a request to see specific categories of information, or all of it, within a specified time frame. Data collected in the last 12 months is a common parameter. It is a privacy right conferred by legislation, and a company’s response within a set time frame is mandatory.
The right to submit a DSAR is included in all major privacy laws passed to date, including laws using an opt-in model – which requires you to obtain consent before collecting consumers’ personal information, like the European Union’s General Data Protection Regulation (GDPR) – or an opt-out model – which only requires consumer consent if personal data collected is to be sold, like the California Consumer Privacy Act (CCPA).
Global privacy laws and DSARs
DSARs, in the form now common in data privacy management, were introduced with the GDPR in 2018. This legislation codified what information a company could keep on its customers, what this data could be used for, how long it should be kept, and the rights of customers to access that data and ensure its accuracy.
The right to submit a DSAR is outlined in the GDPR (Recital 63) as follows: “A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”
A similar right of access was granted by the CCPA when it came into effect in January 2020, strengthening the data privacy and access rights of California residents.
Section 2 of the CCPA states “[…] It is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights: […] (4) The right of Californians to access their personal information.”
The intention behind both pieces of legislation is the same: to create greater transparency between organizations that hold personal data and the subjects of that data. Let’s look a little more closely at what the legislation requires organizations to do when they receive a DSAR.
Who can submit a DSAR and how?
Organizations can receive Data Subject Access Requests from a variety of sources. They can be submitted by:
- any data subject covered by relevant privacy law whose personal information a company has collected
- the parent or legal guardian of a child who is a data subject
- an employee on behalf of their employer or a representative on behalf of a client
- a court-appointed representative of an adult who manages someone else’s affairs
So long as the requester can prove their identity and legal right to make the request, a company is required to release whatever personal data is held about the individual subject.
Each law specifies a time frame for such requests. For example, under the CCPA, a data subject can request data collected about them in the last 12 months. A person couldn’t, for example, demand data going back 10 years. Companies typically also have a specified amount of time to respond to DSARs. Under the CCPA, it’s 45 days, with the possibility of an extension for special circumstances.
A DSAR can be submitted in a variety of ways. Companies have to make it relatively easy to submit such a request via reasonable channels, typically the same ones a customer would use to contact the company for other reasons. Companies can’t, however, require someone who doesn’t already have an account with them to create one in order to submit a request. Written requests tend to be preferable, since they provide a record of the request and response and are easier to satisfy fully and accurately, but there is no specific legally required method for making the request.
There is also no specific wording requesters must use. They don’t have to specifically reference that it’s a Data Subject Access Request or refer to the legislation. “Can you send me the information you have collected on me?” would be just as valid a request as a lengthy letter quoting the relevant statutes.
When and how does a company have to respond to a DSAR?
Companies need to be familiar with the privacy laws relevant to them. As noted, the CCPA allows 45 days for response, though under the GDPR they are expected to respond within one month. The commonly included phrase “without undue delay” is important as well.
A company has to respond either by supplying the requested data or with specific reasons why more time will be needed to fulfill the request. Under the GDPR, for example, companies can use an additional 60 days if it proves challenging to track down all the necessary information, but this must be clearly explained in their initial response. Companies also can’t keep asking for repeated extensions before supplying the requested data. If a company takes too long to respond to a request, it risks fines, penalties and reputational damage.
What does not have to be included in a DSAR response?
DSAR responses must include the personal information of the subject requesting it. A company is not required to provide:
- more data than requested
- data concerning the subject’s interactions with the organization (e.g. internal account notes)
- data relating to another individual for whom they are not the legal guardian or representative (this could constitute a data breach)
In other words, a DSAR is always for personal data, e.g. addresses, dates of birth, medical records, credit ratings, etc. Anything that could potentially identify an individual may count as personal data, though the definition of personal data or information varies depending on the law. Companies can redact parts of the data covered by a request if they are not relevant or cannot lawfully be released, e.g. if they reference another person.
Grounds for refusing a DSAR
There are only two legal grounds for refusing a DSAR: that the request is excessive, or that it is manifestly unfounded, and the company must be able to argue either reasonably. Excessive does not mean onerous or large in scale. It means that the request overlaps with another request and is therefore vexatious, providing the requester with no additional information.
An individual requesting the personal data that a local library holds on them every month could be deemed excessive, and under some laws a person is not permitted to request their data from a company more than once in 12 months. However, the same frequency applied to a large ecommerce platform, where data changes regularly, may not be deemed excessive. It always pays to err on the side of compliance and to be familiar with the relevant privacy law.
“Manifestly unfounded” can be harder to prove. It would apply if a company doesn’t hold any data on the subject and the DSAR was made in error. If the person is specifically requesting data that the company is not permitted to release, e.g. the medical records of a relative for whom they have no custodial responsibility, a company could also argue that the request is unfounded.
Companies can’t break one part of the law to comply with another, so this is an area where consulting legal counsel well versed in privacy law is recommended.
What is the process for fulfilling a DSAR?
Many organizations appoint a Data Protection Officer (DPO) to oversee such requests, and under the GDPR, for example, that appointment is a requirement for many organizations. This is a good way to ensure that DSARs are responded to on time and properly fulfilled, and that the process is recorded and regularly reviewed. At a minimum, companies should keep an organized and auditable record (such as a database) of such requests, including the dates of receipt, initial response and final fulfillment.
From a customer experience perspective, it’s recommended to send a response to requesters as soon as possible, even if it only acknowledges receipt of the request and confirms that it is being processed. Follow-up communication can then either include the requested data or communicate the need for more time to fulfill the request.
A company does need to verify the requester’s identity for data protection purposes, and is entitled to ask for proof of it. For example, perhaps the subject wrote from an email address other than the one the company has on file. (Checking the sender’s email address alone is weak authentication, since email addresses are easily spoofed.) A company can request copies of identification documents in its initial response and before sending any data.
Companies are not allowed to profit from DSAR fulfillment, and subjects must be provided with their data free of charge.
What formats can be used to fulfill DSAR requests?
Companies can supply the requested data in paper or electronic file format. The data should be supplied in a secure format, e.g. password-protected, or viewable online in a secure application that requires access credentials. Anything sent by post should be trackable and require a signature on delivery, e.g. via a courier or registered mail service. This provides a further audit trail proving the date of dispatch and delivery status, in case there is a complaint that the data was not received.
Large organizations that receive, or may receive, a high volume of DSARs should consider automating the process to manage resources, time and expenses. There are online delivery tools developed for DSAR fulfillment.
Challenges of the DSAR fulfillment process
Regulations like the GDPR and CCPA place stringent requirements on organizations regarding data management and DSAR fulfillment, which can be difficult to meet at times. Here are the most common problems companies encounter when trying to respond to a DSAR:
- The data is in many locations. Pulling together disparate data sources from many different departments can be challenging – account details, billing details, medical records, etc. Companies may need to invest in better data mapping, or in a system that tracks and amalgamates personal data, to speed up the preparation of DSARs. This is an issue that may require companies to take longer to fulfill requests.
- The data requires complex redaction. Manually reviewing and redacting documents can be a laborious process when it’s necessary, as can getting approvals from senior management and/or legal before releasing potentially sensitive data. Again, it is beneficial to have all individual customers’ personal data accessible in one location or at least efficiently tagged or linked, so that a company doesn’t end up having to redact dozens of documents.
- The data requested is wide-ranging. If a member of the public simply asks for “all the data you hold about me”, this may sound vague, but it still constitutes a valid DSAR. Remember, however, that you are only required to release personal data, which will help to narrow down what you compile and send. As noted, however, relevant personal data that has to be included can be located in a variety of locations, departments and systems around a company.
DSAR fulfillment checklist
Every organization should develop and communicate its own process by working with its legal counsel and data protection officer, and ensure the whole organization is aware of it. Here is a general process outline.
- Authenticate the data subject’s identity, and confirm that the company does hold personal information on them as requested.
- Clarify the nature of the request if it is unclear. Remember that the requester has the right for the information you hold about them to be accurate, so they may request changes once they have reviewed your response. If the requester has asked for an excessive amount of data, e.g. data other than personal information, or data going back beyond the legally required scope of the DSAR, they should be informed of this as well.
- Respond to the initial DSAR with written acknowledgement and expected time for fulfillment. Don’t over-promise, but keep in mind the mandatory timescales under relevant law.
- Gather and review the data requested. Make any necessary exclusions and redactions, then have a senior manager, or DPO, oversee the final package.
- Format and send the data to the data subject. The letter or email included should list the recipient’s rights with regard to data erasure or change as well.
- Make sure the data is sent securely, in a manner whereby only the intended recipient can access it (password protection, signature required on delivery, etc.). Where possible, it is also a good idea to check that the recipient has received the package, even if there is an automated delivery notice. Check that the recipient is happy with what they have received and make any necessary changes and updates to the data provided, within the scope of relevant regulations. Changes of address, phone number and email address are common.
Data protection policy recommendations
Designate a Data Protection Officer
Have an internal or external appointee who is the expert in data protection, privacy legislation and data management. This individual may have other roles, but DSARs will become a key part of their remit. It is also a good idea to have deputies or backups for the role. The GDPR outlines the role and its tasks and responsibilities in Chapter 4, Articles 37-39.
Record and automate DSAR requests
Consider investing in a data compliance tool to help deal with such requests. This will make the process auditable and safer from non-compliance penalties, enable tracking of timescales, provide a single point of provision for data, and prompt staff when deadlines are approaching. For apps and websites, a Consent Management Platform will help with compliance by recording users’ consent-related actions and preferences and by working with other web technologies so that they behave accordingly.
Create a DSAR policy
Companies should have a recorded and accessible policy for dealing with such requests, and it should be part of new hires’ training, since, as noted, data can be stored throughout a company. Such a policy can form a subsection of a more general Data Protection or Data Management Policy.
Amalgamate customers’ or users’ personal data
Human Resources and Customer Management departments tend to hold the greatest volume of personal data. However, Sales, Marketing and IT may also manage relevant records.
Consider centralizing customer records and personnel files so that DSARs can be fulfilled more easily, the data can be kept accurate and up to date or deleted in a timely manner, and access to and changes in the data can be tracked better.
Adhere to other data protection principles
The EU Data Protection Principles are a helpful guide to secure and appropriate handling of data. In brief:
- Lawfulness, Fairness and Transparency – only keep information you are permitted to hold, and allow data subjects access to it via DSARs.
- Purpose Limitation – data should only be collected for a specific, stated purpose and held on file only for the time necessary to fulfill that purpose.
- Data Minimization – keep only the minimum data set needed to fulfill your function.
- Accuracy – data must be kept up to date and rectified when it is found to be inaccurate.
- Storage Limitation – data must only be kept for as long as it is required. Although this is hard to define, one way of thinking about it is that you can keep a customer’s data on file for as long as you can realistically consider them a customer.
- Integrity and Confidentiality – data must be kept secure and not shared with parties who do not require access to it.
A focus on best practices will serve companies well long-term both for legal compliance and efficient use of their resources, as well as helping provide better customer experiences.