DSARs touch several data subject rights and several internal processes. Every GDPR DSAR should therefore be logged and the requester's identity verified before fulfilment starts, whether the handling is manual or automated.
Typically the Data Protection Officer (or another person designated by the organisation) is responsible for managing DSARs; companies can automate much of the process to reduce business risk, build customer trust and cut down on human error.
Verify the identity of the requestor.
Verifying the identity of the person making a request under data protection law is essential when responding to DSARs. No particular form or format is required to make a request, and an organisation is expected to respond promptly once it receives one; identity checks should be proportionate to the sensitivity of the data and must not be used as a pretext for delay.
Requests may be submitted verbally or in writing, including via social media platforms such as Twitter. Anyone whose data the company processes may make a Data Subject Access Request (DSAR); they do not have to cite the GDPR, call it a DSAR, or explain why they want the data. An authorised agent may also make the request on behalf of the data subject, in which case the agent's authority should be verified as well.
An effective GDPR DSAR process includes customer-facing webforms that are mobile-friendly and easy to use, and that capture which law the request is made under and whether it concerns access, rectification or erasure.
Clarify the request.
GDPR and CCPA both require businesses to respond to requests for access to an individual's personal data. Acknowledging requests promptly and keeping staff informed about processing activities helps ensure compliance. Responsibility for managing Data Subject Access Requests (DSARs) typically rests with the Data Protection Officer, but any staff member who understands how the organisation processes personal data should be able to handle one correctly. Fees may be charged only in limited cases, such as manifestly unfounded or excessive requests or requests for further copies; any fee must be reasonable and based on administrative cost, not a source of profit.
Data subjects must know how to submit a DSAR, whether verbally or in writing. The GDPR sets only general requirements here, whereas the CCPA requires businesses to offer at least two designated methods for submitting requests, generally including a toll-free telephone number, and to verify that each request genuinely comes from (or on behalf of) the consumer it concerns.
Identify the data subject.
To fulfil a request properly, the identity of the data subject must be verified. This can be done by email confirmation, photo ID, login to an existing authenticated account, or a third-party identity verification service, with the strength of the check matched to the sensitivity of the data. Skipping this step risks disclosing personal data to an impostor, which violates the individual's rights and is itself a personal data breach.
Where a request is broad, the organisation may ask the individual to clarify which data they want, for example all emails sent and received during a given period, or the HR records relating to their employment. Asking for clarification must not be used to narrow the request without the individual's agreement. Data in scope must be delivered in an intelligible, organised format and, as a rule, free of charge.
An automated process that recognises DSARs on arrival and routes them for a response reduces the business risk of human error and builds trust with data subjects.
Provide the data subject with a response.
Personal data belongs to the data subject, who has the right to access it. An access request is often the precursor to other requests, such as erasure ("forget me"), data portability and rectification. Once the requester's identity is verified, clarify exactly what they need so that you neither send irrelevant data nor put their privacy, or that of third parties whose data is mixed in with theirs, at risk.
Requests may be made verbally or in writing, even via social media, and need not mention the GDPR or be labelled as DSARs. They must be handled without undue delay and in any case within one month of receipt; this can be extended where requests are complex or numerous. Companies should establish clear procedures for handling DSARs, since failing to do so can lead to fines for breaching data protection law.
How to Streamline the GDPR DSAR Response Time
Responses to Data Subject Access Requests (DSARs) can be challenging for businesses, especially when they involve combing through data records. A single request could take weeks to fulfil; fortunately, there are ways to streamline this process.
Under the GDPR, companies are expected to respond within one calendar month; where requests are complex or numerous, this period may be extended by up to two further months.
Time limit
Article 12 of the GDPR requires organisations to respond to a request for access within one month of receiving it. Where a request is complex, or the organisation has received a number of requests from the same individual, the period may be extended by up to two further months; the organisation must tell the individual within the first month that it is extending the deadline and explain why.
Meeting deadlines is hard when requests arrive in volume and each one requires searching several systems. The employee hours add up and labour costs rise accordingly; an automated solution can shorten the process considerably.
Failing to meet legal requirements when responding to DSARs can result in substantial fines and reputational damage, and individuals may complain to the Information Commissioner's Office (ICO) or claim compensation for any distress suffered.
Exceptions
The time limit can start later than the date the request arrives. If the organisation has reasonably asked the requester for additional information to confirm their identity, or for a fee where one may be charged, the one-month clock starts on the day that information or payment is received, whichever is later.
An extension may be justified when a company receives an unusually large volume of requests that strains its resources, particularly where data is spread across multiple systems or includes several categories of sensitive information.
The ICO also stipulates that exemptions cannot be applied in a blanket manner; each case must be assessed on its own merits. A company may refuse a request, or charge a reasonable fee, only where it is manifestly unfounded or excessive, for instance when the requester is clearly using it to harass the business rather than to obtain their data, or is repeatedly requesting the same information; the burden of demonstrating this lies with the organisation.
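The one-month clock, its late start while requested ID or a fee is outstanding, and the two-month extension with notice and reasons lend themselves to a small deadline calculator, which is what a DSAR tracking tool needs at its core. The Python below is an added example, not code from the page or from any product it mentions; the `Dsar` class and the `add_calendar_months` helper are hypothetical names, and clamping a deadline that would fall on a non-existent day (31 January plus one month) to the last day of the target month is an assumption stated in the code, since the text only says "one calendar month".

```python
"""Deadline arithmetic for a GDPR data subject access request (DSAR).

Rules encoded (from the text above): one calendar month from receipt; up to
two further months for complex or numerous requests, provided the requester
is told within the first month and given reasons; and the clock starts only
once any reasonably requested ID, clarification or fee has arrived.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_calendar_months(start: date, months: int) -> date:
    """Same day-of-month `months` calendar months after `start`.

    When the target month is shorter (31 January + 1 month), the date is
    clamped to the last day of that month. That clamping convention is an
    assumption of this example; the page only says "one calendar month".
    """
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Dsar:
    received: date
    # Date on which requested ID evidence, clarification or a fee arrived;
    # None if nothing was requested from the data subject.
    info_or_fee_received: Optional[date] = None
    extension_months: int = 0
    extension_reason: str = ""
    extension_notified_on: Optional[date] = None

    def clock_start(self) -> date:
        """The statutory month runs from the later of receipt and the arrival of requested info/fee."""
        if self.info_or_fee_received and self.info_or_fee_received > self.received:
            return self.info_or_fee_received
        return self.received

    def initial_deadline(self) -> date:
        return add_calendar_months(self.clock_start(), 1)

    def extend(self, months: int, reason: str, notified_on: date) -> None:
        """Record an extension; refuses anything the rules above do not permit."""
        if not 1 <= months <= 2:
            raise ValueError("extension may be at most two further months")
        if not reason.strip():
            raise ValueError("the requester must be given the reasons for the extension")
        if notified_on > self.initial_deadline():
            raise ValueError("notice of extension must reach the requester within the first month")
        self.extension_months = months
        self.extension_reason = reason
        self.extension_notified_on = notified_on

    def deadline(self) -> date:
        return add_calendar_months(self.clock_start(), 1 + self.extension_months)

    def is_overdue(self, today: date) -> bool:
        return today > self.deadline()


if __name__ == "__main__":
    # Constructed sample cases, not real requests.
    r = Dsar(received=date(2024, 1, 31))
    print("received 31 Jan 2024 -> due", r.deadline())          # 2024-02-29
    r = Dsar(received=date(2024, 3, 15), info_or_fee_received=date(2024, 3, 20))
    print("ID received 20 Mar -> due", r.deadline())            # 2024-04-20
    r.extend(2, "data spread across several archived systems", notified_on=date(2024, 4, 10))
    print("extended -> due", r.deadline())                      # 2024-06-20
```

The `extend` method deliberately refuses a late notice: an organisation that only decides to extend after the first month has already missed the deadline, and a tracker that silently accepted the extension would hide that.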
Identifying the requester
As part of their GDPR compliance obligations, businesses must recognise and respond quickly to requests for access to personal data from data subjects, typically customers but also suppliers or former employees. Failing to respond within the allotted time can bring substantial fines and further reputational harm.
Under the GDPR, companies must provide the information as soon as possible and at the latest within one month of receiving the request; the month is counted in calendar time, not working days, so weekends and public holidays do not lengthen it.
In limited cases, such as manifestly unfounded or excessive requests, a reasonable fee may be charged or the request refused; the DPO should oversee such decisions so that responses remain accurate and compliant, since getting them wrong can expose the company to fines from the ICO.
Responding to the request
Organisations holding large volumes of customer data may find the DSAR process daunting, but they must follow it correctly or face fines and other penalties. Documented procedures and policies for DSAR handling are the main protection against the risks of getting it wrong.
Companies must give the individual a copy of their personal data together with details of the processing: the purposes, the categories of data, the recipients or categories of recipients (including any third parties who received the data), the retention period where possible, and the source of the data where it was not collected from the individual. Where special category data or data relating to criminal convictions is disclosed, this should be made clear.
Businesses must also consider whether an exemption allows them to refuse the request in whole or in part. If they refuse, they must inform the individual in writing within one month of receiving the DSAR, giving the reasons and telling them of their right to complain to the ICO and to seek a judicial remedy; the month runs from the date any identification documents, clarification or fee the organisation has reasonably requested was received.