1. What are DSARs?
2. How are DSARs and GDPR related?
3. Who are the beneficiaries of DSARs?
4. Example of a Data Subject Access Request
5. DSARs under CCPA vs. GDPR
6. Who can submit a DSAR?
7. How to prepare for DSARs?
8. How to respond to Data Subject Access Requests?
9. Who responds to a DSAR?
10. Charging a fee for the DSAR Response
11. What needs to be included in a DSAR?
12. What are some common DSAR response challenges?
13. Deadline for responding to the DSAR?
14. Refusing to respond to a DSAR?
1. What are DSARs?
DSAR stands for data subject access requests and is just one of the eight rights granted by the GDPR.
2. How are DSARs and GDPR related?
A DSAR is a right granted in Article 15 of the GDPR and imposes an obligation on organizations to respect and service data subject requests.
3. Who are the beneficiaries of DSARs?
The data subject is a direct beneficiary of a DSAR. However, the obligation on organizations to comply with DSAR requests also has benefited through the necessity to implement effective data governance measures, which can manage risk and improve efficiency.
4. Example of a Data Subject Access Request
An employee or past employee of an organization could make a DSAR request for their information or a customer of an online retail company could request access to their account details and transactions.
5. DSARs under CCPA vs. GDPR
Both the GDPR and CCPA provide this right, which requires organizations to allocate resources and implement measures to manage requests. The CCPA refers to an access request as the 'right to know' where consumers have the right to request that a business that collects a consumer's personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.
6. Who can submit a DSAR?
Anyone who is a data subject of an organization, whether they are an employee, customer, member, patient, account holder, etc.
7. How to prepare for DSARs?
Ensure an effective process for receiving, managing and completing DSARs is developed and implemented, and roles and responsibilities are allocated to individuals working on requests
8. How to respond to Data Subject Access Requests?
All requests should be acknowledged without delay, ideally by email if the request has been received by email. Once the request and identity of the data subject has been validated, the data relating to the data subject should prepare in an intelligible manner, without jargon or company acronyms and presented in an easily accessible way, to enable to data subject to receive and access the data they requested.
9. Who responds to a DSAR?
The responsible individual/s should respond to a DSAR request on behalf of the data controller.
10. Charging a fee for the DSAR Response?
A fee is not applicable - unless any further copies are requested then the controller may charge a reasonable fee based on administrative costs.
11. What needs to be included in a DSAR?
All personal data relates to the data subject unless the data subject is only requesting specific data and not all.
12. What are some common DSAR response challenges?
Common challenges are the ability to locate and retrieve data from an organization’s IT estate, which could extend to systems, applications, legacy systems, email mailboxes, folders, repositories, system logs, CCTV, and building access records. Also, DSARs can be very time-consuming which impacts resources and their operational duties.
13. Deadline for responding to the DSAR?
All personal data relates to the data subject unless the data subject is only requesting specific data and not all.
14. Refusing to respond to a DSAR?
There are possible circumstances where a data subject may not be entitled to certain information which they have requested, where an organization relies on an exemption that is provided in Article 23 of the GDPR and detailed further in the Data Protection Act 2018.