Introduction
DSAR stands for Data Subject Access Request: a request made by a data subject to an organization, asking for access to the personal data that the organization holds about them. These requests are typically made under data protection legislation, such as the General Data Protection Regulation (GDPR) in the European Union or the California Consumer Privacy Act (CCPA) in the United States.
Data subjects have the right to know what personal data an organization holds about them, how it is being used, and with whom it is being shared. They also have the right to request a copy of their personal data, request that inaccurate or incomplete data be corrected, and in some cases, request that their data be deleted or restricted.
Organizations have a legal obligation to respond to DSARs within a specific timeframe, typically within one month under GDPR, and to ensure that they are complying with data protection legislation when handling personal data. Failure to respond to DSARs within the required timeframe or failure to comply with data protection legislation can result in regulatory action, fines, and reputational damage to the organization.
Challenges in Handling DSARs
Handling DSARs can be a complex and time-consuming process for organizations, and there are several challenges that need to be considered. Some of the challenges in handling DSARs include:
- Identifying the Requester: It can be challenging to verify the identity of the person making the DSAR, particularly if the requester does not provide sufficient information. This is especially difficult when dealing with large volumes of requests.
- Volume of Requests: Organizations may receive a large volume of DSARs at the same time, which can be difficult to manage and respond to within the required timeframes.
- Data Location: Identifying and locating all relevant data can be challenging, particularly if data is stored in multiple locations or on different systems.
- Legal Basis for Processing: Organizations need to ensure that they have a legal basis for processing personal data and that any processing carried out is in line with data protection legislation.
- Redaction and Exemptions: It may be necessary to redact certain information from the data being provided or withhold certain information entirely, which requires a thorough understanding of data protection legislation and legal exemptions.
- Third-party Data: Third-party data may be included in the data being provided, which can add an additional layer of complexity when responding to DSARs.
- Timely Response: Organizations are required to respond to DSARs within a specific timeframe, which can be challenging if there is a high volume of requests or if the request is particularly complex.
Overcoming the challenges
- Process, procedure and practice: The first thing an organisation must do is establish processes and procedures that make handling a DSAR a matter of routine. This includes the points mentioned below, along with verifying the data subjects who have requested access, ensuring that no privileged information is shared while dealing with DSARs, adhering to the retention schedule, and ensuring that no third-party data is compromised in the process.
- Data Mapping: Data mapping provides ready and up-to-date information about where personal data is stored and how it flows through the organisation.
- ROPAs: Dealing with data subject requests demands a timely record of where your data is, what it holds, who you have shared it with, and how to access it. A ROPA (Record of Processing Activities) provides valuable information about all of your processing of personal data and makes tracking that data straightforward.
- Retention Policy: A robust retention policy limits the retention of personal data to the minimum period required. As a result of implementing this policy, there is less data to search when responding to an access request. The policy must be drafted with the legal retention terms that could apply to the organisation's processing in different jurisdictions in mind.
- Identity Verification: It is also essential to verify the identity of the person requesting access and the validity of the request. The chance of a data leak increases when companies hand over personal data without properly verifying the DSAR.
Overall, it is essential to have a clear and well-documented process in place for handling DSARs so that the organization can respond to requests in a timely and compliant manner. It may also be beneficial to seek legal advice to ensure that the organization is meeting its legal obligations under the applicable data protection legislation, as the requirements vary from place to place.