When you’re feeling curious about what a business is doing with your personal data, what do you do?
You could head down to their brick-and-mortar offices and demand to speak with a manager—but aside from maybe going viral on social media, that approach isn’t likely to amount to much.
If you’re protected by a data privacy regulation, however, you can make a data subject access request, or DSAR. And if you’re a business on the receiving end of a DSAR, there are steps you can take to make this process easier for everybody involved. One of which is developing a clear, compliant, and well-designed DSAR form.
What Is a DSAR?
A DSAR, or data subject access request, is a legal right granted to individuals under data privacy laws. It enables them to make certain requests of the businesses that process their personal information.
As you might guess from the name, a DSAR usually refers to a request for access to their personal data—if a data subject makes a summary request, then you’ll have to provide all of the information you’ve collected and processed that relates to that individual.
While access or summary requests are the most common, the term DSAR refers to a broad range of possible requests, including:
- Opting out of automated decision-making processes.
- And more, depending on the specific data privacy law in question.
The Importance of DSARs in Data Protection
DSARs enable individuals to verify the accuracy of their data, identify any potential misuse or errors, and ensure that the processing of their data complies with applicable laws and regulations. Thus, DSARs play a vital role in overall data protection.
When an individual submits a DSAR, the organization is legally obligated to respond within a specific timeframe, usually within 30 days. During this time, the organization must gather and review all relevant data, ensuring that any sensitive or confidential information is appropriately protected.
(Technically, it is possible to request an extension if the request is unusually complex or of high volume, but the burden of demonstrating the need for an extension falls on the organization).
Why DSARs Benefit Businesses Too
By responding to DSARs in a timely and efficient manner, organizations can build trust with their customers and demonstrate their commitment to data protection and privacy. They also allow organizations to identify and rectify any potential data breaches or security vulnerabilities, thus mitigating the risk of regulatory fines and reputational damage.
Furthermore, DSARs provide an opportunity for organizations to enhance their data governance practices. By thoroughly reviewing and documenting the personal data they hold, organizations can gain valuable insights into their data processing activities. This analysis can help identify areas for improvement, such as updating data retention policies, implementing stronger security measures, or enhancing data-sharing agreements with third parties.
Legal Requirements for DSAR Forms
Now that we’ve talked a bit about the basics of DSARs, let’s zoom into the specific requirements around DSAR forms.
In reality, however, businesses have a great deal of leeway in how they structure their DSAR forms. In fact, you don’t explicitly need a form to accept DSARs—forms just happen to be one of the most convenient approaches to processing DSAR.
But just because there are very few specific requirements around DSAR forms doesn’t mean you can do anything at all, nor does it mean that there are no best practices to apply. As a rule of thumb, think about the intention behind the data privacy regulations that provide DSAR rights. They’re meant to support:
- Business ethics.
- Consumer rights.
If you apply similar principles when designing a DSAR form, odds are you’ll be on the right side of the law. That means hiding your DSAR form, using vague language, misleading requesters around timelines and expectations, always charging a fee or otherwise retaliating against requesters, and the like is going to land you in hot water.
That said, let’s dive into specific DSAR form requirements for some of the major data privacy laws.
CPRA DSAR Forms
Like most data privacy laws, the CPRA doesn’t explicitly lay out specific requirements for a DSAR form. However, the law does have a few general guidelines.
For one, the phrase “designated methods for submitting requests” appears a number of times in the text of the law. The CPRA defines this phrase as meaning:
a mailing address, email address, internet web page, internet web portal, toll-free telephone number, or other applicable contact information, whereby consumers may submit a request or direction under this title, and any new, consumer-friendly means of contacting a business, as approved by the Attorney General pursuant to Section 1798.185.
Thus, you aren’t strictly limited to using a form for accepting DSARs. Using a form is still recommended, however, since you can configure it in such a way that data subjects provide all requisite information in advance.
The CPRA also requires that you provide at least two or more methods for submitting requests, at least one of which is a toll-free phone number. This doesn’t apply, however, if your business is online-only, in which case an email address may suffice instead. If your business has a website, the CPRA states that there must be a method for accepting DSARs on your website—again pointing to the benefit of a form.
GDPR DSAR Forms
The GDPR has even fewer specific requirements for DSAR forms than the CPRA, merely stating that “the controller [i.e., you, or the organization that determines the purpose behind the data collection] shall facilitate the exercise of data subject rights.”
That’s because if a data subject makes a request on any channel, controllers must honor them—whether that’s a form, a phone call, a verbal request, a fax, or Morse code. The only requirement that the GDPR lays out is the need to verify the data subject’s identity first—if their identity can’t be verified, then you can’t act on the request.
It should be noted that most other data privacy laws also require you to acknowledge requests regardless of channel so long as the data subject’s identity is verified, but at least the CPRA provides a definition for subject rights request submission methods.
Other Best Practices for a DSAR Form
Since legal requirements around DSAR forms aren’t very clear, let’s look at some best practices for what to include on your form and how to operationalize form-based DSARs.
The following are fields you may want to include on a DSAR form:
- The requester’s email: Unless you’re using a solution with a more secure messaging functionality to support your DSARs, you’ll need the requester’s email address to send and receive communications related to their request. Additionally, an email address may serve as a form of identity verification depending on whether you have data associated with that email address. For more sensitive requests, however, you may want a more robust method of identity verification.
- First and last name.
- Country or State of Residence: This will let you know if the requester actually has subject rights afforded to them by a data privacy law. However, many organizations choose to acknowledge subject rights requests regardless of whether the data subject lives in a jurisdiction with a data privacy law in order to minimize risk and complexity in their DSAR workflow.
- Proof of Identity: This would be an additional field where a data subject can attach proof of identity, such as a photo ID. Note that collecting additional forms of identification, such as a photo ID, counts as collecting additional personal information.
- Requester Type: Is the requester a consumer, an employee, or someone else? Not all data privacy laws protect employees and other commercial partners, so these types of requests may not be valid depending on the relevant jurisdiction. If you are obligated to act on employee DSARs, then it’s still a good idea to keep track of requester type since employee DSARs often involve more data and more sensitive data or could be vexatious in nature.
- Request Type: What sort of subject rights request is actually being made? A good practice is to collect this information with a dropdown menu consisting of the sorts of rights requests you expect to receive, such as summary, deletion, correction, and so on. If you were to use a text field for data subjects to describe their request instead, then you might get confusing or vague requests instead.
How To Develop Your Own DSAR Forms
Knowing the requirements and best practices for a DSAR is one thing; how do you actually implement a form? Broadly, there are two approaches.
The Manual Approach
It is possible—even straightforward—to build your own DSAR forms. You could:
- Code your own.
- Build a custom form in HubSpot.
- Use a WordPress plugin.
- Take another approach based on your CMS or hosting platform.
However, all of these approaches suffer from the same fundamental issues. For one, they put compliance on your shoulders. You’ll have to stay abreast of legal developments, new rulings, and audits from advocacy groups and data protection authorities.
The biggest issue, however, is that the DSAR form itself isn’t the most difficult part; the overall DSAR workflow is the real challenge. That’s why businesses use automated DSAR solutions.
Using an Automated DSAR Solution
An automated DSAR solution solves for both the DSAR form creation and maintenance as well as the workflow after a request is made.
Having the right fields and language is one thing—it’s translating that information into speedy and error-free request fulfillment that matters most.
Depending upon the law at hand, DSARs must be fulfilled within 30 to 45 days. If you have a simple form on your website and a spreadsheet to manage your tasks, then you’ll likely be able to handle small volumes of DSARs—it will take time away from the rest of your duties, and the consequences of errors will be significant, but it is certainly feasible.
As DSAR volumes pick up, this approach becomes increasingly fraught. DSAR workflow solutions automate key components of the process and keep all relevant stakeholders in the loop about outstanding tasks and deadlines. Osano Subject Rights, for instance:
- Provides a compliant, embeddable DSAR form to your website (though it can also accept emailed requests or manual requests that come from other channels, like phone calls).
- Connects to your integrated data stores to discover the data relevant to a given requester. Combined with Osano Data Mapping, which discovers data stores in your organization, this capability alone saves an inordinate amount of time that would otherwise be spent pouring through your organization’s systems and personal data stores.
- Automatically fulfills common request types like summaries and deletions. To ensure accuracy, this automated fulfillment is passed to a human being for verification before being finalized.
- Automatically alerts data store owners of outstanding, non-automatable tasks like corrections and updates.
- Notifies stakeholders of pending deadlines for each DSAR.
- Centralizes communications with data subjects to prevent further personal data sprawl.
- And more.
While a clear and compliant DSAR form matters, especially from the customer perspective, the workflow automation that comes afterward is the key to your privacy program’s sustainability and scalability.