Recent statistics show a significant increase in the number of DSARs being submitted to organizations around the world. According to a report by the UK’s Information Commissioner’s Office (ICO), the number of DSARs received by UK organizations increased by 39% in 2020, compared to the previous year.

In the United States, the number of DSARs received by companies subject to the California Consumer Privacy Act (CCPA) increased by 130% between 2019 and 2020, according to a report by the International Association of Privacy Professionals (IAPP).

These statistics demonstrate the growing importance of DSARs as a tool for individuals to exercise their privacy rights and hold organizations accountable for their data processing practices. As the number of DSARs continues to rise, organizations will need to develop effective processes and systems for managing these requests to ensure they are able to respond in a timely and accurate manner.

What is DSAR?

A DSAR, or Data Subject Access Request, is a legal right granted to individuals under data protection laws, which allows them to request access to their personal data held by organizations.

When someone submits a DSAR, they are essentially asking the organization to provide them with a copy of all the personal data that the organization holds about them. This includes any information related to their identity, contact details, employment, financial records, and other personal information.

The organization is legally obliged to respond to a DSAR within a statutory timeframe that depends on the law in question: one month of receipt under the GDPR (extendable by up to two further months for complex or numerous requests), and 45 days under the CCPA (extendable once by a further 45 days). The response should include a copy of the individual’s personal data, along with any other relevant information, such as the purposes for which the data is being used, who it has been shared with, and for how long it will be retained.

DSARs are an important tool for individuals to understand how their personal data is being used by organizations and to ensure that their data is being processed lawfully and fairly.

Why were DSARs created?

DSARs, or Data Subject Access Requests, were created to give individuals greater control over their personal data and to promote transparency and accountability among organizations that process personal data.

Central to most privacy laws is the challenge of providing users with clarity and control over their personal information and how it is used.

– Tia Smart, Gartner Analyst

The stakeholders

The stakeholders involved in DSARs are primarily individuals, who have the right to request access to their personal data from organizations that process it. This right is enshrined in data protection laws, such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States.

Organizations that process personal data are also stakeholders in DSARs, as they are required by law to respond to these requests and provide individuals with a copy of their personal data. This includes companies, government agencies, healthcare providers, financial institutions, and other organizations that collect and process personal data.

Regulatory bodies and data protection authorities are also stakeholders in DSARs, as they are responsible for enforcing data protection laws and ensuring that organizations comply with their obligations. They may investigate complaints related to DSARs and impose fines or other penalties on organizations that fail to comply with their obligations.

DSARs were created to protect individuals’ privacy rights and to ensure that organizations that process personal data do so in a transparent and accountable manner. By giving individuals the right to access their personal data, DSARs empower individuals to take control of their personal data and hold organizations accountable for their data processing practices.


DSAR regulatory compliance requirements

There are several regulatory compliance requirements that organizations must adhere to when managing DSARs. These include:

  • Responding in a timely manner: Organizations are required to respond to DSARs within a specified timeframe, which varies depending on the relevant data protection legislation. For example, under the EU’s General Data Protection Regulation (GDPR), organizations must respond within one month of receipt, and may extend this by up to two further months for complex or numerous requests only if they tell the individual, with reasons, within the first month. Under the CCPA the period is 45 days, extendable once by a further 45 days.
  • Providing accurate and complete information: Organizations must ensure that they provide individuals with a copy of their personal data that is accurate and complete. This includes providing any additional information about how the personal data is being processed, as well as any third parties with whom the data may be shared.
  • Verifying the identity of the requester: Organizations are required to verify that the person making the request is the subject of the personal data in question (or is authorized to act for them) before disclosing anything. Verification must be proportionate: it should not demand more personal data than is needed, but it cannot be skipped, because a response sent to someone impersonating the data subject is itself an unauthorized disclosure and a reportable personal data breach.
  • Ensuring the security of personal data: Organizations are responsible for the security of the personal data they hold, including when responding to DSARs. This means secure systems for storing and retrieving personal data, access restricted to authorized personnel only, and a secure delivery channel for the response itself (for example, an authenticated portal or encrypted transfer to a verified address rather than an unencrypted email attachment).
  • Keeping a record of DSARs: Organizations are required to keep a record of all DSAR requests they receive, including the date of receipt, the nature of the request, and the outcome of the request. This can help to demonstrate compliance with regulatory requirements and may be required in the event of a regulatory investigation.
  • Ensuring compliance with international data transfer laws: If personal data is transferred between different countries, organizations must ensure that they comply with international data transfer rules, such as the EU’s Standard Contractual Clauses. The EU-US Privacy Shield Framework can no longer be relied on: it was invalidated by the Court of Justice of the EU in July 2020 (Schrems II), and its successor, the EU-US Data Privacy Framework, was adopted in July 2023.
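The timeliness, identity-verification and record-keeping requirements above are the parts of DSAR handling that can be enforced in code rather than left to policy. The example below is added here and is not BigID’s code or the page’s own; it computes the GDPR and CCPA due dates (following the ICO’s published reading of “one month”: the corresponding calendar date in the next month, clamped to month end if that date does not exist, rolled to the next working day if it falls on a weekend; public holidays are out of scope and are an assumption left to the reader), refuses to release data until the requester’s identity is marked verified, and keeps an append-only log of every handling step. The request data in demo() is constructed for illustration.

```python
"""DSAR intake tracker: statutory due dates, an identity-verification gate before any
disclosure, and the per-request record a regulator may ask to see.
Added example, not BigID code. Deadline conventions are assumptions based on ICO
guidance for the GDPR one-month period and on the CCPA's 45-day period."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Regulation(Enum):
    GDPR = "gdpr"   # Art. 12(3): one month, extendable by two further months
    CCPA = "ccpa"   # Cal. Civ. Code 1798.130: 45 days, extendable once by 45 days


class Status(Enum):
    RECEIVED = "received"
    VERIFIED = "identity verified"
    FULFILLED = "fulfilled"


def add_months(d: date, months: int) -> date:
    """Move d forward by whole calendar months, clamping to month end when the day
    does not exist (31 Jan + 1 month -> 28/29 Feb), per the ICO reading of 'one month'."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def next_working_day(d: date) -> date:
    """Assumption: weekends only; public-holiday calendars are not modelled."""
    while d.weekday() >= 5:
        d += timedelta(days=1)
    return d


def due_date(received: date, reg: Regulation, extended: bool = False) -> date:
    """Statutory deadline counted from the day of receipt."""
    if reg is Regulation.GDPR:
        return next_working_day(add_months(received, 3 if extended else 1))
    # CCPA counts calendar days: 45, or 90 once the single permitted extension is used.
    return received + timedelta(days=90 if extended else 45)


@dataclass
class DSAR:
    request_id: str
    subject_contact: str
    received: date
    regulation: Regulation
    description: str
    status: Status = Status.RECEIVED
    extended: bool = False
    log: list[str] = field(default_factory=list)  # the record regulators may request

    def _note(self, event: str) -> None:
        self.log.append(f"{self.request_id}: {event}")

    @property
    def due(self) -> date:
        return due_date(self.received, self.regulation, self.extended)

    def extend(self, reason: str) -> None:
        """Both regimes allow one extension; the individual must be told why."""
        if self.extended:
            raise ValueError("only one extension is permitted")
        self.extended = True
        self._note(f"extended to {self.due}; reason given to subject: {reason}")

    def mark_verified(self, method: str) -> None:
        self.status = Status.VERIFIED
        self._note(f"identity verified via {method}")

    def release(self, records: dict[str, object], today: date) -> dict[str, object]:
        """The only disclosure path. Data sent to an unverified requester is itself a
        breach, so this gate is deliberately not bypassable by callers."""
        if self.status is not Status.VERIFIED:
            raise PermissionError("identity not verified; nothing disclosed")
        self.status = Status.FULFILLED
        lateness = "late" if today > self.due else "on time"
        self._note(f"fulfilled on {today} ({lateness}), {len(records)} record categories")
        return records


def demo() -> dict[str, str]:
    """Constructed scenario: a GDPR request received on a month-end Sunday."""
    req = DSAR("DSAR-0001", "alice@example.com", date(2021, 1, 31), Regulation.GDPR,
               "copy of all personal data held, plus recipients and retention periods")
    out = {"due": req.due.isoformat()}  # 28 Feb 2021 is a Sunday -> Mon 1 Mar 2021
    try:
        req.release({"profile": {"name": "Alice"}}, today=date(2021, 2, 10))
        out["unverified_release"] = "allowed"
    except PermissionError:
        out["unverified_release"] = "blocked"
    req.mark_verified("login to existing account + email confirmation loop")
    req.extend("request spans seven years of support tickets across three systems")
    out["extended_due"] = req.due.isoformat()  # 31 Jan + 3 months -> Fri 30 Apr 2021
    req.release({"profile": {"name": "Alice"}, "tickets": []}, today=date(2021, 4, 20))
    out["status"] = req.status.value
    out["ccpa_due"] = due_date(date(2021, 1, 31), Regulation.CCPA).isoformat()
    out["log_entries"] = str(len(req.log))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two things worth copying from this are structural: the deadline is derived from the receipt date and regulation rather than typed in by hand, so an extension cannot silently move it to an unlawful date; and the only function that hands data out checks the verification state first, so a workflow cannot reach disclosure without that step appearing in the log.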

Addressing the growing concerns of DSARs

In recent years, there has been a growing interest in DSARs, particularly in the wake of high-profile data breaches and scandals involving the misuse of personal data. Some of the latest concerns and interests surrounding DSARs include:

  • Increasing number of requests: There has been a significant increase in the number of DSARs being submitted to organizations in recent years. This is partly due to the growing awareness among individuals of their right to access their personal data, but also due to the rise in data breaches and other privacy concerns.
  • Time and resource requirements: Responding to DSARs can be time-consuming and resource-intensive for organizations, particularly for those that hold large amounts of personal data. As a result, some organizations have struggled to keep up with the volume of requests, leading to delays and backlogs.
  • Complex requests: Some DSARs can be complex and require significant effort to respond to, particularly if they involve large amounts of data or sensitive information. This can pose a challenge for organizations in terms of managing and responding to these requests.
  • Privacy concerns: While DSARs are designed to protect individuals’ privacy rights, the DSAR process is itself a disclosure channel. A request submitted by someone impersonating the data subject, or a response sent to the wrong recipient or over an insecure channel, hands a complete profile of the individual to an unauthorized party, so weak identity verification and careless delivery turn a privacy right into a data breach.
  • Legal requirements: Organizations are legally obligated to respond to DSARs in a timely and accurate manner, and failure to do so can result in significant fines and penalties. As a result, there is a growing focus on ensuring that organizations have the necessary processes and systems in place to manage these requests effectively.

Who can submit a DSAR request?

Any individual who is a subject of personal data held by an organization can submit a DSAR request. This includes customers, employees, patients, students, and any other individual whose personal data is being processed by an organization.

To submit a DSAR request, an individual typically needs to provide their name, contact information, and details about the information they are requesting. This may include specific documents or data points, or a general request for all personal data held by the organization.

Once a DSAR request has been submitted, the organization is required to respond in a timely and accurate manner, providing the individual with a copy of their personal data in an intelligible form (under the GDPR, in a commonly used electronic form where the request was made electronically; the “structured, commonly used and machine-readable format” wording belongs to the separate right to data portability). This may include information such as an individual’s name, address, date of birth, contact information, financial information, employment history, and any other personal data that the organization holds.

Organizations are also required to provide individuals with additional information about how their personal data is being processed, including details about the purposes of processing, the categories of personal data being processed, and any third parties that the data may be shared with.

Steps taken when DSAR violations occur

If an organization violates DSAR requests or refuses to respond, the following steps may be taken:

  1. The individual can file a complaint with the relevant data protection authority. In the UK this is the Information Commissioner’s Office (ICO); in the EU it is the national supervisory authority of the member state concerned (for example the Irish DPC or the French CNIL), with the European Data Protection Board (EDPB) coordinating cross-border cases rather than handling individual complaints; in the US, CCPA complaints go to the California Attorney General or the California Privacy Protection Agency (CPPA), since there is no single federal DSAR regulator.
  2. The data protection authority may investigate the complaint and take enforcement action against the organization, such as issuing fines, ordering the organization to provide the requested information, or even initiating legal proceedings.
  3. The individual may also have the right to take legal action against the organization for failing to comply with their DSAR request. This may include seeking compensation for any harm suffered as a result of the organization’s non-compliance.
  4. In some cases, individuals may also be able to raise their concerns publicly or through social media, which can create reputational damage for the organization and encourage them to take action to resolve the issue.
  5. Organizations can avoid these consequences by ensuring they have robust processes in place for managing DSAR requests, including training staff on how to identify and respond to these requests, implementing secure systems for storing and retrieving personal data, and ensuring they have clear policies and procedures in place for managing DSAR requests.
  6. Organizations can also engage with individuals to understand their concerns and work with them to resolve any issues related to their DSAR request. This can help to build trust and promote transparency and accountability, while also reducing the risk of regulatory action or legal disputes.

Simplifying DSAR Workflows with BigID

BigID provides a comprehensive data management platform for privacy, security, and governance that addresses the business drivers behind DSARs. Here’s how BigID can help:

  • Legal compliance: BigID’s platform is designed to help organizations comply with legal requirements under data protection legislation. It provides automated DSAR workflows that help organizations fulfill DSAR requests in a timely and accurate manner, reducing the risk of financial penalties and damage to an organization’s reputation.
  • Maintaining customer trust: By offering an efficient and transparent process for managing DSAR requests, BigID helps organizations maintain customer trust by demonstrating a commitment to data protection and privacy. The platform provides customers with visibility and control over their personal data, helping to build trust and loyalty.
  • Competitive advantage: Organizations that use BigID to effectively manage DSAR requests may have a competitive advantage over those that do not. By demonstrating a commitment to data protection and privacy, organizations can differentiate themselves in the marketplace and attract new customers.
  • Operational efficiency: BigID’s platform is designed to improve operational efficiency by automating the DSAR response process. The platform uses advanced analytics and machine learning to identify personal data across an organization’s data landscape, reducing the time and resources required to respond to DSAR requests.
  • Brand reputation: By offering a transparent and efficient process for managing DSAR requests, BigID helps organizations protect their brand reputation. By demonstrating a commitment to data protection and privacy, organizations can enhance their reputation and build trust with customers.
  • Risk mitigation: BigID’s platform helps organizations mitigate the risk of data breaches and other data-related incidents by providing comprehensive visibility and control over personal data. The platform uses advanced analytics and machine learning to identify and classify personal data, reducing the risk of data breaches and other incidents.

BigID’s Data Rights Fulfillment App gives you the power to automate end-to-end data rights requests, streamline deletion workflows, and maintain compliance with reporting. Customizable reporting allows you to accurately and automatically run thousands of DSARs at scale and manage all requests by type, regulation, and more.

To save time and manual effort and ensure full compliance with your DSARs, get a 1:1 demo with BigID today.