Data protection laws, such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), are a major cause for concern for organizations. These data privacy laws have teeth—and enforcement agencies have shown that they are hungry.

While the biggest fines garner headlines, such as the €746 million fine issued against Amazon in July 2021 for failing to process personal data in compliance with the GDPR (which the company is appealing), enforcement isn’t limited to the big players. The GDPR Enforcement Tracker website reveals a wide range of fines and penalties imposed for violations of all sizes, including:

• a €200 fine imposed in 2019 on a German individual’s YouTube channel for processing data with an insufficient legal basis after the person used a dashcam to record public road traffic and then published those clips;
• a €500 fine imposed in 2020 on an Estonian housing association for processing data with an insufficient legal basis by publishing photos of association members without obtaining their consent; and
• a €1,000 fine imposed in 2021 on a Spanish hairdressing salon for insufficiently fulfilling information obligations after installing video surveillance cameras without informing data subjects about the cameras or the data they captured.

While the CCPA targets the big players more and only California residents can exercise its rights, it still casts a wide net. The CCPA applies to for-profit businesses that do business in California and meet any of the following criteria:

• Have a gross annual revenue of over $25 million;
• Buy, receive, or sell the personal information of 50,000 or more residents, households, or devices; or
• Derive 50 percent or more of their annual revenue from selling California residents’ personal information.

The takeaway is clear: Data protection cannot be ignored. Companies have had to create new systems and establish new protocols and policies to manage data compliance under these laws. One system that companies must have in place is a means of responding to data subject access requests or DSARs. In this blog post, I’ll explain what a DSAR is, review the required response, and provide six tips for managing DSARs.

Contents

What is a data subject access request (DSAR)?

How do consumers make a DSAR?

What is the cost of a DSAR?

When is a DSAR response required?

Six tips for managing DSARs

Don’t let DSARs trip up your organization

What is a DSAR (data subject access request)?

A data subject access request (DSAR) is the means by which protected individuals can request access to the data that companies have about them. The terms “data subject access rights,” “subject rights request,” and “privacy rights requests” are interchangeable.

Although there are nuances to each specific law granting DSAR rights, these data privacy laws provide a similar set of rights for individuals. They give individuals (including employees and consumers) rights over their data, including:

• The right to know what data companies are collecting about them and why;
• The right to access the personal data that a company has collected about them;
• The right to have a company delete the data that it has collected about them;
• The right to correct their personal data; and
• The right to opt out of the sale of their personal data.

Each data privacy law defines personal data in its own way, but generally speaking, personal data includes identifying markers such as name, birth date, social security or other ID numbers, demographic information, physical or digital addresses, and the like.

How do consumers make a DSAR?

 Quick quiz: Which of these statements is a DSAR?

1. “Can you please tell me what personal data you hold on me?”
2. “What information do you have of mine?”
3. “Please send me all of the information you hold on me. I want it deleted.”
4. “Please tell me what data you have about me and where you got it from.”

Answer: Each of these constitutes a DSAR—and each should trigger a prompt response.

What is the cost of a DSAR?

The individual does not have to pay a fee to make a DSAR, and companies are generally not allowed to charge a fee to recoup the costs associated with responding to requests. The GDPR allows for a few exceptions when the company can declare the request “manifestly unfounded or excessive” and either refuse the request or charge an administrative fee. These exceptions include situations where the individual makes repeated requests or requests additional copies of their data. The CCPA permits a company to deny a request where necessary to avoid violating federal, state, or local laws.

For responding companies, the cost of DSARs can be substantial in terms of both time and money. DSARs are akin to discovery requests in litigation, except that the “plaintiff” doesn’t have to file a case or pay court costs. Responding to DSARs can pose the same challenges as responding to litigation discovery requests—and fortunately, the technology developed to manage eDiscovery can also be used to respond to DSARs.

When is a DSAR response required?

The GDPR requires organizations to respond to DSARs “without undue delay and at the latest within one month,” though an extension of two months is permitted if the request is complex. The CCPA gives businesses 45 days to respond, with an additional 45 days allowed if they notify the individual. Either way, it’s a tight turnaround.

If the individual includes a request for data deletion, the GDPR also requires organizations to share responsibility with all downstream parties to adhere to the request.

Six tips for managing DSARs

Here are six ways that organizations can contend with the demands of DSARs.

1. Provide a DSAR request form. There are a variety of ways by which an individual can make a DSAR. They might send an email, mail a letter, post on the company’s social media page, call the company, or send a request through a website chatbot. Companies must therefore have a protocol in place and train their employees to spot DSARs. Organizations can expedite the intake process by providing a clearly designated DSAR request form on their website. The CCPA requires businesses to designate at least two methods to submit a request, with one of those methods reflecting the primary way the business interacts with its customers, such as a toll-free phone number or an online portal.
2. Automate data subject authentication. The CCPA requires businesses to disclose information upon receipt of a “verifiable” consumer request, meaning companies must verify the requester’s identity—or run the risk of creating a data breach while responding to a fake DSAR. Look for automated technologies that can compare user documents to quickly and effectively verify a requester’s identity.
3. Establish protocols for DSARs from employees and former employees. When a DSAR comes in from an employee or former employee, companies must take special precautions. These DSARs may involve sensitive data such as trade secrets, privileged communications, or the personal data of other employees. The company therefore needs to have a separate protocol and policy in place to handle DSARs from employees or former employees, including a heightened review from the legal and HR teams. Note that these requests could also be a precursor to litigation.
4. Delineate a DSAR workflow. To maintain compliance with potentially conflicting privacy laws, organizations need a coherent and comprehensive strategy for responding to DSARs. Efficiency demands that there be a coordinated response across the organization, including the legal and compliance teams as well as IT and any implicated business units. By designating a clear workflow, organizations can respond quickly without duplicating steps or creating bottlenecks.
5. Maintain an up-to-date data map. A data map—a comprehensive inventory of an organization’s IT systems—is a critical tool for identifying data that may be responsive to a DSAR, including data that is kept by third parties. Building and maintaining a data map will also help the organization minimize data duplication.
    
6. Leverage eDiscovery technology. Companies can gain vast efficiencies by harnessing the capabilities of eDiscovery technology to locate data responsive to a DSAR. The machine learning algorithms of modern eDiscovery solutions make quick work of reviewing unstructured data and automating the process to save time and effort. The same technology can also be used to redact sensitive information that the requester is not authorized to see.

Don’t let DSARs trip up your organization

As the public becomes more aware of their rights under data protection laws, the use of DSARs will continue to grow, causing headaches for organizations that fail to take them seriously. Companies should be cautious about how much personal information they collect, especially in the age of pandemic-related contact tracing. By planning for DSARs, proactively mitigating data risks, and equipping themselves with advanced eDiscovery technologies, companies will avoid being tripped up by the evolving challenges of DSARs.

[View source.]