DSARs and how to go about them

Introduction to DSARs?

A DSAR or a Data Subject Access Report is a request filed by an individual to see a copy of the data that a company has collected on them. This request can include specific categories of information or all information collected on a data subject within a specified period. The standard parameter is to request data collected in the past 12 months. This right is conferred by privacy legislation, and a corporation must respond to it within the period stipulated in the bill.  

Today, major privacy laws mandate the right to submit a DSAR, including laws using an “opt-in” or an “opt-out”  model. An opt-in model requires one to obtain consent before collecting personal information of a data subject, like in the EU’s General Data Protection Regulation (GDPR). In contrast, the opt-out model only requires the data subject to consent if the personal information collected is being sold, as seen in the California Consumer Privacy Act (CCPA).

DSARs in global privacy laws

The GDPR gave the residents of the EU and businesses engaging in activities with the EU several new rights regarding how these entities should collect and process personal information. This legislation codified what information an entity could keep on its customers, what such data could be used for, how long it should be kept, ensuring that the data collected is accurate, and customers’ right to access it. 

Recital 63 of the GDPR outlines the right to submit a DSAR as follows: “A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, to be aware of, and verify, the lawfulness of the processing.”

The CCPA, when it came into effect in January 2020, established a similar right of access and strengthened the data privacy and access rights of the residents of California. 

Section 2(h)(1) of the CCPA states, “Therefore, it is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights:(…)

(4) The right of Californians to access their personal information.”

The intention behind both pieces of legislation is to create greater transparency between the organisations that collect and hold personal data and the subjects whose data is collected. Let’s look at the procedure mandated by these legislations for organisations to follow when receiving a DSAR.

What information is included in a DSAR response? 

A company is required to confirm that it is processing personal data, a copy of the personal data and other information, including as follows:

• The purpose for data processing activities; 
• Third-parties with whom the company has shared the user data;
• What category of data is being processed by the organisation;
• Source from where the information is collected (if it is not directly collected from the user);
• Period of data retention;
• Any information about automated decision making employed by the organisation, including profiling;
• Display the rights available to the data subject to the relevant legislation, such as the right to erasure, rectification, and restriction from processing – known under the GDPR. 

Who can submit a DSAR, and how?

An organisation can receive a DSAR from multiple sources, such as:

• a data subject whose personal information is collected by a company and is covered under the relevant privacy law;
• A child’s parent or legal guardian who is the subject of the data collected;
• an employee who functions on behalf of his employer or a representative on behalf of a client; and 
• a representative appointed by the court who manages another person’s affairs.

When an individual requesting information can prove her identity and legal right to make such a request, a company must release whatever personal data is held on such an individual subject. Each law specifies a time frame for DSARs. For example, under the CCPA, a data subject can request data collected in the past 12 months. A request for data dated 10 years in the past cannot be entertained. 

A DSAR can be submitted in diverse manners. Companies must provide easy and reasonable channels to offer such a request. The tracks that a customer would use to contact a company for other reasons can be used here. An individual cannot be expected to create an account with the company to submit such a request (if they don’t have one in the first place). A written proposal is preferred since they record the request and response. Although, there is no specific legal requirement for making such a request.

No specific usage of words is required. There is no need to mention a Data Subject Access Request or the applicable legislation. A general statement, “I would like to access the data you have stored above me. Please can you provide me with a relevant report?” would suffice as a valid request.

When and in what manner does a company have to respond to a DSAR?

A company must be familiar with the privacy laws applicable to them. The CCPA mandates 45 days to respond to a DSAR, whereas the GDPR expects a response within one month. The phrase “without undue delay” plays a significant role as well. 

A company must specify the reasons for the extra time needed to fulfil the request when the requested data cannot be delivered. The GDPR, for example, prescribes that companies can use an additional 60 days to respond in case it is challenging to track down all the necessary information required. Additionally, a clear explanation for such delay. Repeated extensions cannot be entertained. If a company takes too long to respond to a request, it can be fined, penalised, and can suffer from reputational risk. 

What is not included in a DSAR response?

The personal information that is requested in the DSAR by the data subject must be provided. The following information is not required to be provided:

• data other than what was requested
• data reflecting the interactions between the organisation and the data subject (e.g. internal account notes)
• data of other individuals for whom they are not the legal guardians or representatives.

In other words, the DSAR is always for personal data requested for a particular individual, e.g. dates of birth, addresses, medical records, credit ratings, etc. Any information that can identify an individual can be said to be personal data. The definition of personal data also varies depending on the law of the land. 

On what grounds can a DSAR be refused?

There are two legal grounds when a company can refuse a DSAR: if the request is “excessive” in nature or “manifestly unfounded”. Excessive means that the request overlaps with another request without providing the requester with additional information. For example, a person who requests their data from a company more than once in 12 months, such a request is prohibited under specific laws. However, in a large e-commerce platform, where the data changes regularly, multiple requests may not be termed excessive.

Manifestly unfounded applies when a company does not hold any data on the requestor and the DSAR is in error. If the individual has specifically requested data that the company is not permitted to release, such a request could be termed as manifestly unfounded. 

What is the process for fulfilling a DSAR?

The GDPR mandates the appointment of a DPO responsible for responding to DSARs. As a minimum, companies should also keep a record or database of such requests, including the dates of receipt, initial response, and the final fulfilment of the reaction.

A company must verify the requestor’s identity to protect data and has the authority to make such a request. For example, a company can request copies of identification documentation in their initial response before sending any data to the individual in their initial reaction.  

A company is also not allowed to profit from fulfilling a DSAR and must provide data to the subjects free of charge.

Format of a DSAR request

The requested data can be supplied in paper or an electronic file format. It should be provided in a secure form such as password-protected or only viewable online on a secure app requiring access to credentials. Data sent by post should be trackable, and a signature must be obtained for delivery either through a courier service or registered mail. This provides proof of the date of dispatch and shipping statuses, and final delivery. 

The high volume of DSARs can be tackled through automation which minimises the resources spent. These days, large organisations use online delivery tools for DSAR fulfilment.  

Conclusion

Regulations such as the GDPR and the CCPA provide stringent laws and procedures to be followed when it comes to data management and fulfilment of DSARs. There are a few problems that companies may face while fulfilling these requests, such as the data may be stored in different locations of the organisation and compiling the same may prove to be burdensome; manually reviewing and redacting the data is a laborious process since the data requested can be wide-ranging and the same may require the approval from senior management. Thus, companies must develop comprehensive systems to deal with these obstacles and provide a speedy approach to respond to DSARs. 

This article is written by Aryashree Kunhambu