Article

Data Subject Access Request Guide

Data Access Governance
Time to read: 7 minutes

Data privacy regulations introduced in recent years give individuals more control of their information. Their rights include knowing what data companies hold about them and why, through a provision called data subject access request (DSAR). Employees of enterprises that handle private information should understand how a DSAR might impact operations.

What Is a DSAR (Data Subject Access Request)?

Data subject access requests first became a requirement under European Union’s General Data Protection Regulation (GDPR) and has since been adapted by others, such as the California Consumer Protection Act (CCPA) and the Colorado Privacy Act (CPA). GDPR refers to individuals as data subjects, hence the DSAR nomenclature.

DSAR requirements vary based on the regulation but in general terms, it provides individuals the right to access, correct, and port their data, as well as opt-out of the collection process and request to have the data deleted.

Which Parties Can Submit a DSAR?

Anyone whose information is being managed by the enterprise can submit a data subject access request—including customers, employees, and vendors. Authorized agents, such as parents, guardians, and legal representatives, can also submit a DSAR on behalf of the subject.

The Process of Responding to a DSAR

The response process may vary based on the relevant regulations, but it includes several common steps, as described below.

Responding According to Required Timelines

Those who respond to data subject access requests on behalf of the enterprise must be familiar with the deadlines of each privacy regulation. Under GDPR, for example, the requested information must be provided within one month. CCPA and CPA, on the other hand, allow 45 days to deliver the information. Some provisions also allow for extensions.

Verifying the DSAR

Since anyone can submit a DSAR, it’s important to ensure that the requester is entitled to that information by law. Additionally, the person’s identity must be authenticated to confirm that the request is not fraudulent—for example, due to identity theft.

Existing Account Verification

One way to verify and authenticate the requestor is through the same methods used to collect the data. This may be a member or subscriber account that includes a user name or email address, multi-factor authentication such as a code sent to an authenticator app or email, and security questions that the user provided when opening the account. Some organizations also choose to ask for a copy of an official document, such as a passport or national identification card.

Third-Party Verification

When the DSAR comes from a third party, the responding organization must first ensure this person is entitled to act on behalf of the data subject. The third-party agent needs to show proof, including their own identity and ability to represent the subject.

Which Individual Should Respond to a DSAR?

In the case of GDPR, a designated data protection officer responds to a data subject access request. But other regulations are more flexible, and anyone in the organization may have those responsibilities. Most commonly, this is a legal team, process owners, or the IT department.

DPO (Data Protection Officer)

GDPR requires organizations to appoint a data protection officer (DPO) who is responsible for monitoring compliance. Since the DPO must be the point contact for data subjects, this individual is also the one responding to the DSAR.

The data protection officer could be an in-house employee or someone appointed externally, but in either case must be an expert in data protection who acts independently and reports to the highest leadership level.

GDPR also allows multiple organizations to share the same DPO.

DSAR Response Process

As part of organizational preparedness to comply with privacy regulations, enterprises must implement a process and workflow so responses can be provided in a timely manner. The following are the recommended steps.

Establishing Systems to Receive Requests

Understand if specific regulations prescribe a system for receiving the requests. CCPA, for example, mandates at least two methods, one of which must be a toll-free number.

Verifying Identity

Since information should only be disclosed after verifying the request and authenticating the requester, the organization needs to determine what this process looks like. Generally, the regulations are flexible based on the methods used and typically state that enterprises must take “reasonable” measures for verification.

Collecting Applicable Data

Companies may be storing the requested data across multiple locations and in different formats, including paper records and unstructured files. As part of organizational privacy compliance preparedness, fundamental practices, including data governance, must be implemented, that can help streamline and automate the data collection step. Understanding the kind of data collected (including structured and unstructured), where it is stored, and how it is handled enables more efficient compliance.

Delivering Results

The DSAR results need to be delivered in a format that’s readable and readily accessible. Depending on the regulation, this could range from verbal delivery to a self-service portal where the information can be downloaded. GDPR states that if the request was electronic, then the delivery must be electronic as well, unless the person specified otherwise.

Reasons to Refuse a DSAR

Laws typically allow organizations to refuse a request, even if it’s legitimate. Some circumstances that may warrant refusal include:

  1. A “manifestly excessive request” (e.g., responding would require excessive resources that are disproportionate to other DSAR burdens)
  2. Inability to verify the requestor using reasonable means
  3. Malicious intent (e.g., with the purpose of harassing or overburdening the organization or specific employees)
  4. Compliance with other laws (e.g., national security restrictions)

When organizations refuse to comply with a DSAR, the requester must be informed of the reason, and information must be provided on how they can dispute the refusal.

Charging a “Reasonable Fee” for a DSAR

Usually, regulations state that a fee can’t be charged for fulfilling information requests. However, some allow “reasonable” fees for administrative costs in certain situations.

DSAR Barriers

As noted earlier, complying with DSAR requirements efficiently requires enterprises to have good data governance processes. Without these processes, common barriers that organizations encounter include:

  1. Limited time available to respond
  2. Data distributed across silos throughout the organization
  3. Unstructured data formatting that makes it difficult to search
  4. Overall high cost to manage data processing

In addition to following data governance and data management best practices, enterprises typically seek ways to automate the DSAR steps. Automation streamlines workflows and greatly reduces the risk of errors.

Preparing for a DSAR

The best way to prepare for DSAR requirements is by understanding the data. Managing and gaining visibility into unstructured data, in particular, is a challenge; yet this is extremely important because the majority of data the typical organization holds is unstructured. As enterprises continue to collect vast volumes of information, solving this challenge will grow increasingly difficult.

SailPoint helps enterprises get unstructured data under control. Regardless of the type of files and where they are stored, we enable discovery of where the sensitive data resides, as well as secure access to this data so organizations can comply with other provisions of the GDPR and similar privacy regulations. Learn about the SailPoint File Access Manager solution.

Take control of your cloud platform.

Learn more about SailPoint Identity Security.