The DSAR Guide: Overview of Data Subject Access Requests

Data Subject Access Requests (DSARs) give individuals (also known as data subjects) the right to discover what data an organization is holding about them, why they are holding that data and who else their data and other personal information is disclosed to.

DSAR is a term introduced by the European Union’s General Data Protection Regulation (EU GDPR), which refers to individuals as “data subjects.” It’s often used interchangeably with the term “Subject Rights Request” or SRR and “Privacy Rights Requests”.

Depending on the law, data subjects (which can be consumers and, in the case of GDPR, employees) may have the right to:

• Access the data that your company has collected on them and/ or the categories of data collected
• Delete the personal data that companies have collected
• Correct the data
• Opt out of the sale of personal data
• Opt out of data processing
• Port personal data

They exercise these rights via Data Subject Access Requests also known as DSAR requests or simply DSARs.

Table of Contents

What are the DSAR requirements?

DSAR rules and requirements

Multiple trading blocs (EU with GDPR), countries (such as Brazil and China) and States have data privacy laws that outline Data Subject Access Requests requirements. Each one can require different access to different people.

Whether or not you have to fulfill DSARs depends on:

• Where you do business
• The size of your business
• The type of business
• How you are using personal data
• Geographical location of where the data is stored
• Geographical location of the people whose data is stored

For GDPR, CCPA/ CPRA (California), CDPA (Virginia) and CPA (Colorado), companies must comply if they are:

CCPA/CPRA (California)

For-profit entities that collect personal information from California residents and meet any of the following thresholds:

• At least $25 million in gross annual revenue;

• Buys, sells or receives personal information about at least 50,000 CA consumers, householders or devices for commercial purposes or*;

• Derives more than 50% of its annual revenue from the sale of personal information.*

*When CPRA goes into affect in January 1, 2023:
(ii) above is replaced with “buys, sells or shares personal information of 100,000 or more California residents or households”
(iii) above is replaced with “derives 50% or more of annual revenue from selling or sharing California personal information.

CDPA (Virginia)

For-profit entities that conduct business in Virginia or offer products or services targeted to residents in Virginia and:

• Control or process the data of at least 100,000 consumers or;
• Control or process the data of at least 25,000 consumers and derive more than 50% of revenue from the sale of personal data.

CDA (Colorado)

Legal entities that:

• Conduct business or produce products or services that are intentionally targeted to Colorado residents and;
• Either control or process personal data of more than 100,000 consumers per calendar year or;
• Derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of at least 25,000 consumers.

For more information on which privacy laws may apply to your business, take a look at our interactive privacy law table.

Once you know which laws are applicable to your business, you need to know which privacy rights can be requested and who can make a DSAR request.

As shown above, depending on the jurisdiction, your consumers will be able to send different types of DSAR requests that you will have to collect, verify, fulfill and store. Although the response time is consistent for US State Privacy Laws (45 days and one 45 day extension totaling 90 days), it is important to note that both CCPA and CPRA require a 15 day response time for opt-out requests.

For more information on other laws, please check our privacy law matrix.

What do I need for DSAR compliance?

Understand the definitions of personal data

Each regulation has its own definition of what personal data constitutes. While they all follow the same approach in protecting key personal information, there are divergences in the details.

In the case of an access request, your organization has to provide all the personal data back to the consumer. This means that you need to have a clear understanding of the definition of “personal data” for each regulation and have this documented internally.

An access request does not require you to compile and provide every single data point you have on a given data subject. You only need to deliver the personal data you own about the consumer.

Linking the personal data definitions to your own data processes is the foundation of any robust DSAR program as it will allow you to:

• Gain a holistic view of the personal data your organization collects
• Spot potential risks or redundancies early
• Recommend operational data management efficiencies to your organization
• Become a trusted partner to the business functions
• Build efficient DSAR operations by focusing on the relevant requirements per regulations
• Scale your entire privacy program as regulations, people, systems and processes change
• Deliver fast, complete and structured responses to your privacy-centric consumers

Helpful Tip:

This important exercise will not only enable your team to be better prepared and more efficient but will also position the privacy team as the team with the most up-to-date overall understanding of the data flows at your organization. Teams such as Data Science, Analytics, Business Intelligence, Operations, Product, or even software developers will likely want to use your data intelligence for their own projects. It is a great way to leverage what you have built to support other business outcomes, re-emphasize the importance of data privacy, and identify your privacy champions.

To better understand how the definitions of personal data differ across privacy regulations, check out this blog post covering personal data under CCPA and CPRA, GDPR, Virginia CDPA, and Colorado CPA.

Plan your DSAR operations ahead

Before you begin to think about DSAR fulfillment, you have to first assess the data situation at your company and gain a good understanding of the nature, location, and flow of your data.

1. What type of data are you collecting or observing? Having a clear understanding of the personal data, anonymized data and public data you have and collect in your systems is a crucial step to speed up your entire privacy operations.
2. Where is the data stored in your organization? Identify and map where the personal data is held in your organization and identify the correct owner.
3. Where does your company send or store personal data outside of your organization? Deletion requests may involve not only team members around your organization, but also all external vendors and partners with whom you shared the personal information.
4. How is the data being used? Virginia CDPA and Colorado CPA have a duty for controllers to avoid secondary use of personal data. Understanding how the data is being used internally is a key step in building your data intelligence.
5. What are your protocols surrounding personal data management? Regulations like GDPR or CPRA include data minimization and retention principles that will push companies to think about how they handle data internally.
6. Who are the team members who will help to fulfill any requests? Systems owners, IT and your legal team will likely be the team you rely on to fulfill these requests.

Develop a process to fulfill DSAR requests

Robust DSAR operations start with understanding the key steps in the lifecycle of a DSAR and some of the challenges you will likely encounter.

A standard DSAR process can be broken down into 5 steps:

• Intake: Collect the information from the requestor. You need to collect just enough information so that you can identify them.
• Process: Once a request comes in, it needs to be validated. Once it’s validated the request needs to be placed in a queue for fulfillment.
• Fulfillment: All of the data related to the request has to be collected from throughout the company. This can be done through manual routing or through automated integrations.
• Delivery: The information has to be delivered to the request in a secure way
• Reporting: Your team will need to track key DSAR operations metrics and set up dashboards or prepare regular reports for your leadership team.

Understand the key operational challenges and risks in your DSAR operations

You now have a good understanding of your data and understand the end-to-end process of DSAR requests. Every step will bring its sets of challenges that may be more or less acute depending on your organization.

Here are some of the potential challenges you may face.

At the intake step

• Easy submission: Make it easy for your consumers to exercise their rights – if you offer them multiple options (form, email, phone, store), you will need a way to centralize these requests.
• Identity verification: Ask enough information upfront to your unauthenticated users or non-account holders so you can validate their identity. But keep in mind that CCPA, for example, has guidelines on the information you should ask based on the request type (§ 999.323 and § 999.325). In addition, the 45-day deadline for the response starts when a business receives a request, regardless of when they verify the request. So you want to make this process efficient so you have enough time.
• Receipt confirmation: Make sure you confirm receipt of the request promptly. Not only is it the appropriate thing to do for your consumers but CCPA requires that businesses send a confirmation of receipt within 10 days of an access or deletion submission(§ 999.313 (a))

At the process step

• Duplicate requests: You may receive “excessive” requests from some consumers. If you have already fulfilled 2 access requests in the past 12 months for the same requestor, you are not obligated to fulfill their additional requests. But you need a system to track and document these duplicate requests for audit purposes. (§ 1798.145 (i)-3)
• Valid requests: While you could decide to fulfill all your US requests following the CCPA regulation, you may not have the operations ready for that volume. Validating rapidly the geography of the requestor and whether you own any data on them could be a challenge but will be important if you want to triage your requests efficiently.
• Leverage automation: Manually copy-pasting the DSAR information into an excel spreadsheet is time-consuming and prone to errors. Triggering automated workflows when a valid DSAR comes through will make your life much easier.

At the fulfillment step

• Data retrieval: Gathering, cleaning, and packaging the relevant information about a data subject from all your systems can be very complex if you do it manually.
• Workflow: Once a request is at the fulfillment step, sending out manual reminders can be a tedious and time-consuming task for the privacy team.
• Data redaction: Depending on your processes or industry, data redaction may be required. Unless you have the right tool, this could be manual and insecure.
• Legal review: If your DSAR operations include a review by your legal team, make sure you provide enough time to your legal colleagues and keep an eye on the due date.

At the delivery step

• Response time: Are you still within the timeframe? Do you need to request an extension? Automated reminders and messages can save you a lot of time.
• Secured delivery: Delivering personal information via email for access requests is not recommended. Encrypted mechanisms should be preferred.
• Open communication: It is possible your consumers will have questions about the data you delivered. Do you provide them an easy way to communicate with your team and ask questions?

At the reporting step

• Audit log: You need a central place to store the logs of your requests for audit purposes.
• DSAR dashboard: Can you quickly see your DSAR volume, your fulfillment rate, and your response time by requests? Having a dashboard to quickly spot trends or issues and assess your performance could be very helpful.

Compiling your DSAR metrics

Tracking and analyzing your DSAR metrics is crucial to understand your DSAR operations and detect potential issues. It will help you answer questions such as:

• How many of our DSARs are actually coming from California residents?
• Where do people drop off in their DSAR submission process
• How fast do we fulfill deletion requests?
• What is our average monthly volume of access requests?
• Are we requesting fewer extensions than last year?
• For more insights and tips on DSAR metrics, please refer to our guide “DSAR Metrics: What Should You Be Measuring?” Compiling your DSAR metrics is not only the right thing to do for a privacy team but it can also be mandatory for some of you. Indeed, CCPA requires companies buying, receiving, sharing or selling the personal data of 10 million or more consumers (California residents) to compile a standard set of metrics. These companies need to compile and publish by July 1 every year, the following metrics for the previous calendar year:The number of requests to know that the business received, complied with in whole or in part, and denied;The number of requests to delete that the business received, complied with in whole or in part, and denied;
• The number of requests to opt-out that the business received, complied with in whole or in part, and denied; and
• The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.

Plan ahead. Develop a process to compile your key DSAR metrics. Analyze the metrics regularly. Make improvements on your DSAR operations.

The team at WireWheel has reviewed over 1,000 US websites and analyzed 2020 DSAR metrics for Fortune 1000 companies and Data Brokers. Want to see what we found? Curious to see how you compare?

Business Impacts Around Data Subject Access Requests

Without the right solution to help, managing DSAR can be very challenging and costly. Gartner estimates that a DSAR could cost about $1,400, if done manually but there are also potential indirect costs that could increase your DSAR fulfillment costs.

How will DSARs impact your operations

$1,400

Average cost of processing a DSAR

46%

of all complaints made to the Information Commissioner’s Office (ICO) in the UK were about DSARs and the difficulties people face when trying to get hold of their personal information

• Non-compliance can lead to consumer complaints and potential fines.
• Fraudulent requests can result in a breach causing reputational damage and potential costs.
• Delivering the information to the wrong person can be costly.
• Your brand reputation can be hurt by a bad experience and that could impact NPS and revenues
• Cost to deliver a DSAR request will grow if there are poor internal processes and data mapping.
• Manual work for the privacy team to track the status of different requests.
• Time consuming for stakeholders to retrieve, package and send the privacy team the relevant consumer data.

Potential DSAR Solutions: Build vs. Buy

Companies must have a secure way to accept and deliver requests and a way to manage the workflows. They have two options:

• Build a DSAR Management Solution (In-house)
  Some companies may have decided to build in-house solutions to securely accept requests and deliver information back to their consumers. The downside of this approach is it requires the team that built the tool (typically IT) in-house to maintain it and to add functionality as laws change or to make any changes that would improve response rate. The IT team may also be the one building any integrations and automation from scratch.
• Buy a DSAR Management Solution
  There are multiple vendors, including WireWheel, who offer a DSAR solution. Privacy technology companies are 100% focused on ensuring that companies stay compliant and manage their DSAR operations efficiently.

As WireWheel customers’ have said:

The StockX fundamental thought process has always been can we build it versus buying it…. As we were evaluating what was going on, I don’t think we truly had a full appreciation for the scope of work that would come with the implementation of these privacy laws – whether it was GDPR or CCPA – and the number of requests and the number of customers who would actually leverage the legislation to [exercise their rights]. There was just a lot of analysis required.

“WireWheel is going to allow us to grow over time, allow us to add functionality, and expand our processing capabilities,” he says. “Let’s say that in the next year, five new states have privacy guidelines—we know that WireWheel is going to allow us to open up to those states to be able to process customer data.

5 Tips for managing DSAR:

1. Know where your data is: It will make your entire DSAR operations so much easier.
2. Verify the data subject’s identity: Understand what is needed to verify both your account holders and non-account holders, follow the legal guidelines and automate the verification process.
3. Assign responsibility for fulfillment: Your access and deletion requests will likely have different owners. Route DSARs automatically to the right person based on request types or jurisdiction.
4. Monitor DSAR status closely: If you operate in multiple jurisdictions, you will likely face different deadlines. Leverage reminders, emails and flag high priorities to meet your deadlines.
5. Compile and improve your DSAR metrics: Get an aggregate view of your DSAR performance to identify bottlenecks, develop your own DSAR roadmap and focus on your priorities.

Additional Resources

1. Access best practices to manage your DSAR operations in this Ultimate DSAR guide.
2. Compare personal data definitions and DSAR requirements across regulations with our Interactive Privacy Table.