- The General Data Protection Regulation (GDPR) gives consumers the right to control their personal data and provides comprehensive protection mechanisms
- Data Subject Access Requests (DSARs) allow individuals to access, correct, or delete their data, thereby strengthening trust in companies
- Businesses must establish a structured system to efficiently handle data protection requests and meet legal deadlines
- Proper handling of DSARs improves compliance and reduces the risk of data breaches and penalties
- Tools for automating access requests, such as Kertos, help companies streamline the process and save valuable resources
Data subject access requests: 94% of consumers want control over their own data
First of its kind, the General Data Protection Regulation (GDPR) is an omnibus data protection law that was enacted in 2018. The GDPR has become the benchmark for what a modern, omnibus data protection law should be. Following suit, 137 of the 194 countries around the globe have enacted their own data protection laws to date.
These laws empower individuals to sit in the driver's seat and take control of their data. This control comes with privacy rights such as the right to access, correct, and delete personal information held by organisations. In compliance with data protection laws and regulations, companies must respect the rights of individuals or be ready to face penalties, fines, or even criminal charges in severe cases.
With changing times, users have become increasingly conscious of their data protection online, as the findings of a report show: 94% of consumers want control over the data they share with companies and insight into how that data is used. In line with changing societal expectations and regulatory requirements, it is high time that businesses prioritise data protection and respect the rights of individuals.
Explanation of DSARs and what they mean under GDPR
GDPR and the laws that have followed it grant certain data rights to consumers. While terminology and specific requirements may vary across different laws, in practice the fundamental principles and privacy rights remain largely consistent with those established by the GDPR.
Privacy rights under the GDPR are:
- The right to be informed about the collection and use of personal data.
- The right to access personal data and how it's processed.
- The right to rectify inaccurate or incomplete personal data.
- The right to erasure (the right to be forgotten).
- The right to restrict the processing of personal data.
- The right to data portability.
- The right to object to the processing of personal data.
- The right to object to automated decision-making and profiling.
What happens before a data subject access request?
A person about to use a website responds to its data privacy disclosure by clicking "I agree." The permission the person gives allows businesses to collect and process the data in accordance with the stated terms. Businesses need to understand that the data collected from users isn't really theirs. It belongs to the data subjects, who can exercise their privacy rights to dictate how businesses may use it.
Exercising privacy rights requires users either to click on a privacy banner or to submit a request to a data controller through a data subject access request, or DSAR. A DSAR, also called a DSR, allows individuals to learn what data an organisation (or controller) holds on them and how that data is used. Although only the term "access" appears in the name, a DSAR covers all the other rights as well, from deletion to modification and more.
What happens after a data subject access request?
Upon submission of a DSAR, businesses holding data on the subject need to attend to the request and either return the requested information or take the action needed to fulfil it. It's also crucial to emphasise that individuals don't need to give a specific reason for submitting a DSR. The only questions a controller may ask in response are those needed to verify the requestor's identity and to help locate the requested information.
DSARs aren't a recent development and have been used by governments and organisations alike for years. Modern privacy regulations have made it easier for data subjects to make requests. A 2023 survey by EY portrays how DSARs are rapidly increasing: 60% of data protection and compliance leaders in financial services firms witnessed a spike in DSARs in 2022, and 49% expect a further rise in 2023.
How to respond to DSARs efficiently?
Implement a system for receiving and processing requests
There are numerous ways a data subject can submit an access request. Channels include calling a toll-free number, sending an email, filling out a web form, or reaching out in person. In an IAPP survey, 70% of respondents mentioned using email, phone, or an online portal for processing DSARs.
Data subjects need not use the generally accepted terms like "DSAR," "rights request," or "consumer right." Given the leeway they have in how they submit a DSAR, they could just as well say any of the following:
- I'd like to know what information you have on me.
- I want you to stop selling my data.
- I want to correct incorrect data.
Businesses must establish a structured system for managing requests. At a minimum, they should offer the legally required methods for data subjects to submit requests and be prepared to handle requests arriving from multiple sources. Businesses also need to systematise intake so that no request goes unnoticed or unattended.
Verify the subject's identity
It's important to verify the identity of the requesting person before proceeding with a data subject access request. Industry-accepted methods include accepting requests sent from the email address already on file, having the requestor log into the system with their email and password, answering a registered challenge question, producing photo ID, or even using a third-party identity verification service.
Per IAPP, email and photo ID are the most common methods for verifying a data subject's identity. In keeping with the data minimisation principle under GDPR, businesses should not request any information beyond what is strictly required for identity verification.
Businesses should also take reasonable steps to protect this verification information from leakage or unauthorised access. If a business cannot verify that the requesting individual is who they claim to be, it can choose not to comply with the request. It's better to refuse a request than to hand over data to the wrong person and cause a data breach by mistake.
Locate information about the data subject
Personal information about individuals lies across numerous locations within an organisation, including CRMs, databases, file servers, marketing automation tools, the cloud, applications, emails, hard copy records and forms, etc.
Responding to a DSAR requires scanning the systems to first discover all the information held on the requestor and then collating it for the next steps. A company that relies on a third-party processor to store or process data should involve that processor in the search as well.
The data subject can either request something specific, like purchase history, or make a broad request, like all information held. It's always a good idea to ask the data subject for additional details. Targeted searches based on the request can narrow the scope of data discovery and speed up the process. The organisation should ensure that the data returned is complete: anything held back could be treated as a violation of the subject's rights.
Be aware of deadlines
The timeframe for DSAR completion varies by jurisdiction. Organisations should make sure to fulfil requests within the timeline stipulated by the applicable data protection law. Missing the deadline can be treated as non-compliance with the law and is subject to enforcement action.
The GDPR requires businesses to respond to a DSAR within one calendar month of receiving the request. By comparison, the CCPA/CPRA requires requests to be completed within forty-five calendar days, extendable to ninety days if the business has difficulty completing the request, provided it notifies the requestor and explains the reason for the extension, e.g., a high volume of requests.
Share the relevant information and record the communication
Once all the data is collected, the packaged data should be shared with the subject in a common and easily accessible format, like a document or spreadsheet, that meets the requirements of the request. As an alternative, the GDPR encourages sharing data through remote access: setting up a secure online system that allows users to log in and manage their data directly, in real time.
Responses should conclude with a section reminding individuals of their data privacy rights and of their ability to lodge a complaint with the supervisory authority. The communication with the data subject, both when receiving and when fulfilling the request, should be documented with the date, the method of the request, and the actions taken to fulfil it. A well-documented audit trail is a key component of GDPR compliance.
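The steps above (intake from any channel, identity verification before release, jurisdiction-specific deadlines, and a dated audit trail) can be backed by a small tracker. The following Python is an added example written for this article, not code from the article's author or from Kertos. It assumes a hypothetical ticket record with only the regimes and figures mentioned above: GDPR as one calendar month (read here as "same day next month, clamped to the month end"), CCPA/CPRA as 45 days with an optional extension to 90 days counted from receipt. Both readings are this example's assumptions, as is the choice to refuse fulfilment until identity is verified.

```python
"""DSAR intake tracker: deadline computation, identity-verification gate, audit trail (constructed example)."""
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta


def add_calendar_month(d: date) -> date:
    """Same day of the following month; if that day does not exist (e.g. 31 Jan -> Feb),
    fall back to the last day of that month. This clamping is an assumption of this example."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def compute_deadline(regime: str, received: date, extended: bool = False) -> date:
    """Deadline from the figures in the article: GDPR one calendar month; CCPA 45 days,
    or 90 days from receipt when an extension has been granted (assumed reading)."""
    if regime == "GDPR":
        return add_calendar_month(received)
    if regime == "CCPA":
        return received + timedelta(days=90 if extended else 45)
    raise ValueError(f"unknown regime: {regime}")


@dataclass
class DSAR:
    ticket_id: str                 # hypothetical internal reference
    regime: str                    # "GDPR" or "CCPA"
    received: date
    channel: str                   # e.g. "email", "web form", "phone", "in person"
    request_type: str              # e.g. "access", "erasure", "rectification"
    identity_verified: bool = False
    extended: bool = False
    audit_log: list = field(default_factory=list)   # (date, action) pairs

    def _log(self, when: date, action: str) -> None:
        self.audit_log.append((when, action))

    def deadline(self) -> date:
        return compute_deadline(self.regime, self.received, self.extended)

    def verify_identity(self, when: date, method: str) -> None:
        # Record only the method used, never the ID document itself (data minimisation).
        self.identity_verified = True
        self._log(when, f"identity verified via {method}")

    def extend(self, when: date, reason: str) -> None:
        # Only the CCPA path carries an extension in this example.
        if self.regime != "CCPA":
            raise ValueError("no extension modelled for this regime")
        self.extended = True
        self._log(when, f"deadline extended, requestor notified: {reason}")

    def fulfil(self, when: date, action: str) -> date:
        # Refusing is safer than releasing data to an unverified requestor.
        if not self.identity_verified:
            raise PermissionError("refuse: identity not verified")
        self._log(when, f"fulfilled: {action}")
        return when

    def is_overdue(self, today: date) -> bool:
        return today > self.deadline()


def new_ticket(ticket_id: str, regime: str, received: date, channel: str, request_type: str) -> DSAR:
    """Open a ticket and write the receipt entry (date, channel, request type) to the audit trail."""
    ticket = DSAR(ticket_id, regime, received, channel, request_type)
    ticket._log(received, f"received via {channel}: {request_type}")
    return ticket


if __name__ == "__main__":
    t = new_ticket("DSAR-0001", "GDPR", date(2024, 1, 31), "email", "access")
    print("deadline:", t.deadline())              # 2024-02-29 (31 Jan + one month, clamped)
    t.verify_identity(date(2024, 2, 2), "photo ID")
    t.fulfil(date(2024, 2, 20), "access package sent as spreadsheet")
    for when, action in t.audit_log:
        print(when, action)
```

The audit log deliberately stores the verification method rather than the verification material, so the trail documents the process without becoming a second copy of the requestor's ID. The `is_overdue` check can be run daily over open tickets to flag anything approaching the statutory deadline.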
Establish a DSAR management team
Responding to DSARs means handling requests from multiple sources. There is a good chance of requests slipping through the cracks if responding is not systematised. To prevent any ensuing legal issues, it's best to establish a dedicated DSAR management team. The team can track and prioritise requests, coordinate with the relevant departments to collect and collate data, and ensure deadlines are met.
According to IAPP, 70% of organisations have fewer than six employees dedicated to DSAR handling; 20% have one dedicated individual; and 50% have 2–5 personnel in charge of DSAR management. About 88% of organisations in Europe have in-house privacy and data protection departments for DSAR management, but they often split the work with other departments like HR, legal, IT, and compliance for efficient handling.
It's also wise to reduce the investment in in-house resources and take third-party assistance to speed up compliance processes. Kertos.io is a reputed name in the market for its efficient and cost-effective privacy compliance solutions. By outsourcing data subject access request handling to Kertos, you can optimise deletion and information requests by automating the entire process, from receipt and verification to deletion and confirmation.