In a previous post, I discussed what a DSAR is, the laws that gave rise to such requests, and the importance of having a systematic approach to handling them. Now let us outline the process involved in actually responding to a DSAR.
An organization that receives a DSAR is required to provide the requester with a copy of the personal data it holds about them, together with supporting information such as the purposes of the processing and the recipients of the data. The time to prepare for these requests is before you receive your first DSAR and find yourself unsure what to do with it. Here are the steps to follow when responding to a DSAR:
Conduct a Data Inventory
Before you can answer a data request, you need to know where the requester's data is held within your organization (databases, file shares, email, SaaS applications, backups, and anything processed on your behalf by vendors) and be able to locate and retrieve it without a manual scramble. The data will come in many forms, both structured and unstructured, so plan in advance the output format in which it will be delivered, such as a PDF or CSV file. Where the request is made electronically, the GDPR expects the response to be provided in a commonly used electronic form unless the requester asks otherwise.
Organize DSAR Requests
You will need to implement a process to log and classify all incoming DSARs, including who will oversee receiving and organizing them. This might be your chief data officer (CDO), who routinely manages, secures, assesses, and oversees the collection and analysis of data, or your data protection officer (DPO) where one has been appointed. Note that a DSAR can arrive through any channel, including a customer support ticket or a social media message, and need not cite the GDPR by name, so front-line staff must be trained to recognize and route them. There are technology solutions that help organize DSARs, as well as other legal requests, and manage the workflow from request to delivery.
Fulfill the Request
A standard process will need to be followed for each request:
1. Identify whether the incoming communication is a valid DSAR.
2. Verify the requester's identity, using checks proportionate to the sensitivity of the data and without demanding more personal data than is needed to confirm who is asking.
3. Request further information if necessary, for example when the scope of the request is unclear.
4. Determine whether the organization holds the requested data and, if so, whether any of it may lawfully be withheld.
5. Decide whether a fee can be charged. Under the GDPR the response is normally free; a reasonable fee based on administrative costs is permitted only for requests that are manifestly unfounded or excessive, or for further copies of data already supplied.
6. Provide the information within the required timeframe, which under the GDPR is one month from receipt, extendable by up to two further months for complex or numerous requests provided the requester is told of the extension, and the reasons for it, within the first month.
Remember that you cannot violate any other person's privacy rights when delivering data, so you will need to mask or redact personally identifiable information (PII) belonging to third parties, such as other customers or employees who appear in the same records, while leaving the requester's own data intact.
Under the GDPR's accountability principle, organizations must be able to demonstrate compliance with the regulation, which includes keeping records of all DSARs received. Each record should include the data subject's contact information, a description of the request, when and how the response was made and by whom (including the reasons why it was honored, narrowed, or refused), and the time taken to reply. These records are also what you will rely on if the requester complains to a supervisory authority.
When responding to a data request, organizations are required to inform the requester of their rights to request rectification or erasure of the data, to request restriction of its processing, to object to the processing, and to lodge a complaint with a supervisory authority.
Next up in this series: DSAR Best Practices and Workflows an Organization Should Follow.