Recent statistics from the 2023 EY Law Survey show that 60% of professionals surveyed reported an increase in Data Subject Access Requests (DSARs) over the past year, and more than half (51%) of the respondents had received complaints from data subjects about DSARs, indicating potential challenges in the DSAR handling process.
A significant portion (33%) of respondents had received “bulk” DSARs, suggesting that organizations must efficiently handle large volumes of data requests. Despite the challenges, the majority (88%) of organizations handle DSARs in-house. They often manage these requests through dedicated data protection teams, although responsibilities may be divided among various departments, including HR, legal, IT, and compliance.
These statistics demonstrate the growing importance of DSARs as a tool for individuals to exercise their privacy rights and hold organizations accountable for their data processing practices. As the number of DSARs continues to rise, organizations will need to develop effective processes and systems for managing these requests to ensure they are able to respond in a timely and accurate manner.
What is DSAR?
A DSAR, or Data Subject Access Request, is a legal right granted to individuals under data protection laws, which allows them to request access to their personal data held by organizations.
When someone submits a DSAR, they are essentially asking the organization to provide them with a copy of all the personal data that the organization holds about them. This includes any information related to their identity, contact details, employment, financial records, and other personal information.
The organization is legally obliged to respond to a DSAR within a set timeframe, usually within 30 days. The response should include a copy of the individual’s personal data, along with any other relevant information, such as how the data is being used, who it has been shared with, and for how long it will be retained.
DSARs are an important tool for individuals to understand how their personal data is being used by organizations and to ensure that their data is being processed lawfully and fairly.
Differentiating the Types of DSAR Requests
Data Subject Access Requests (DSARs) can vary in scope and purpose, depending on the specific data protection regulations and the individual’s rights under those regulations. While the core purpose of a DSAR is to request access to personal data, there are different types of DSARs that may include:
- General DSAR: This is a broad request where an individual asks for access to all the personal data that an organization holds about them. It can include information from various departments and systems within the organization.
- Specific Information DSAR: In this type of request, the data subject specifies the particular information they are interested in. For example, they may request only their email communications, HR records, or financial transaction history.
- Rectification or Deletion Request: Data subjects may request corrections to inaccurate personal data or the deletion of their data if it’s no longer necessary or if they withdraw their consent for its processing.
- Portability Request: Some regulations, like GDPR, grant individuals the right to request their personal data in a structured, machine-readable format so that they can transfer it to another organization.
- Restriction of Processing: Data subjects can request that an organization limits the processing of their personal data, for example, during a dispute about data accuracy or while awaiting a response to a rectification request.
- Objection to Processing: Individuals may object to the processing of their personal data on specific grounds, such as for direct marketing or legitimate interests.
- Consent Withdrawal: If the organization is processing personal data based on consent, a data subject may withdraw their consent, and the organization must stop processing that data.
Ensuring DSAR Compliance
Here is a list of some prominent privacy compliance regulations and their requirements related to Data Subject Access Requests (DSARs):
- General Data Protection Regulation (GDPR):
  - GDPR grants data subjects the right to request access to their personal data.
  - Organizations must respond to DSARs within 30 days.
  - DSAR responses should be free of charge, except in certain cases.
- California Consumer Privacy Act (CCPA):
  - CCPA gives California residents the right to request access to their personal information.
  - Organizations must respond to DSARs within 45 days.
  - DSAR responses should include specific details about the personal information collected.
- Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada):
  - PIPEDA allows individuals to request access to their personal information.
  - Organizations are required to respond to DSARs within 30 days.
  - DSAR responses should provide information on how the data is used, disclosed, and retained.
- Health Insurance Portability and Accountability Act (HIPAA):
  - HIPAA provides individuals with the right to request access to their protected health information (PHI).
  - Covered entities must respond to DSARs within 30 days.
  - DSAR responses should provide copies of the requested PHI.
- Brazilian General Data Protection Law (LGPD):
  - LGPD gives individuals the right to access their personal data.
  - Organizations must respond to DSARs within 15 days.
  - DSAR responses should be free of charge.
Maintaining Customer Trust with DSARs
Data Subject Access Request (DSAR) transparency is crucial for organizations because it directly impacts customer loyalty and trust in the following ways:
- Data Privacy Compliance: Demonstrating transparency in handling DSARs indicates that the organization takes data privacy seriously and complies with relevant data protection laws. Customers are more likely to trust a company that respects their rights and follows legal requirements.
- Empowering Customers: By providing a clear and accessible process for customers to request and receive their personal data, organizations give customers greater control over their information. This transparency shows respect for customer rights and fosters trust.
- Data Security and Trust: Transparent handling of DSARs assures customers that their data is secure and not misused. This trust is essential for maintaining a positive relationship with customers who expect their data to be handled responsibly.
- Brand Reputation: Companies known for their commitment to data transparency and privacy are likely to have a stronger brand reputation. Positive public perception and trust can contribute to customer loyalty.
- Competitive Advantage: In a world where data privacy is a growing concern, organizations that excel in DSAR transparency can gain a competitive edge. Customers may choose to do business with companies that are more respectful of their privacy rights.
- Customer Retention: When customers feel that their data is handled transparently and securely, they are more likely to stay loyal to the organization. A positive experience with DSARs can lead to long-term customer relationships.
- Reduced Risk of Legal Issues: By handling DSARs transparently and in compliance with regulations, organizations reduce the risk of legal actions and fines. This, in turn, can protect their reputation and customer trust.
Who Can Submit a DSAR Request?
Any individual who is a subject of personal data held by an organization can submit a DSAR request. This includes customers, employees, patients, students, and any other individual whose personal data is being processed by an organization.
To submit a DSAR request, an individual typically needs to provide their name, contact information, and details about the information they are requesting. This may include specific documents or data points, or a general request for all personal data held by the organization.
Once a DSAR request has been submitted, the organization is required to respond in a timely and accurate manner, providing the individual with a copy of their personal data in a structured, commonly used, and machine-readable format. This may include information such as an individual’s name, address, date of birth, contact information, financial information, employment history, and any other personal data that the organization holds.
Organizations are also required to provide individuals with additional information about how their personal data is being processed, including details about the purposes of processing, the categories of personal data being processed, and any third parties that the data may be shared with.
Responding to DSAR Requests
The time a company has to respond to a Data Subject Access Request (DSAR) can vary depending on data protection regulations in the relevant jurisdiction. Commonly, under the General Data Protection Regulation (GDPR) in the European Union, and similar laws in other regions, companies are required to respond to DSARs within 30 days. However, this time frame may be extended in certain cases, such as when the request is complex or there are numerous requests.
Providing Data Subject Access Request (DSAR) responses to customers can pose several challenges:
- Data Complexity: Organizations often store data across various systems and departments, making it challenging to locate and compile all requested information accurately.
- Data Volume: DSARs can involve a large volume of data, especially in cases of “bulk” requests, requiring substantial time and effort for retrieval and processing.
- Data Security: Safeguarding sensitive customer data during retrieval, transfer, and sharing is a significant concern to prevent data breaches or unauthorized access.
- Legal Compliance: Ensuring that the DSAR response aligns with data protection regulations, such as GDPR, can be complex and may require legal expertise.
- Timeliness: Meeting the statutory response deadline (e.g., 30 days under GDPR) can be challenging, especially when dealing with a high volume of requests.
- Data Accuracy: Verifying the accuracy of the data provided to customers is essential to avoid errors and potential disputes.
- Third-Party Involvement: Handling DSARs submitted on behalf of data subjects by third parties, like claims management companies, can add an extra layer of complexity.
- Customer Expectations: Meeting or exceeding customer expectations for transparency, speed, and ease of access can be challenging, as customer preferences can vary.
Build Transparency and Simplify DSAR Workflows with BigID
Some of the ways BigID can help with DSARs:
- Identify, Classify, and Know Your Data: BigID’s data discovery foundation uncovers all structured and unstructured data, on-prem or in the cloud, with multiple connectors. This allows organizations to inventory, map, and classify across the entire data ecosystem — with greater insight and context.
- Automate Data Rights Fulfillment: From access to deletion, dynamically manage DSARs at scale with streamlined deletion workflows and compliance reporting.
- Leverage Risk Scoring: BigID scores risk based on a variety of data parameters like data type and location, providing a risk-centric view of data so organizations can be proactive about reducing risk.
- Legal compliance: BigID’s platform is designed to help organizations comply with legal requirements under data protection legislation. It provides automated DSAR workflows that help organizations fulfill DSAR requests in a timely and accurate manner, reducing the risk of financial penalties and damage to an organization’s reputation.
To save time, reduce manual effort, and ensure full compliance with your DSARs, get a 1:1 demo with BigID today.