If you want to win your customer's faith while maintaining global compliance with the strictest data privacy laws, then Data Subject Access Request (DSAR) management is for you.
As our modern lives have become entwined with futuristic technology, keeping personal data private has become a big issue for all organizations.
Customers have become more aware of data. 94% of the customers want greater control of the personal information they share with companies and want to know how that data is used.
Transparency has also become a vital point for purchasing decisions by customers. More than 77% factor transparency while deciding on a particular service, and 30% buy the product or services that have demonstrated transparency.
Data Subject Access Request (DSAR), or simply the DSAR process, is businesses' best way to comply with data privacy laws and demonstrate customer transparency.
DSAR: Customers’ Right to Information
DSAR stands for Data Subject Access Request, which helps individuals find out what data a company has on them.
A DSAR request is the request an individual submits to your business to get access to their data in your records.
The data subject is an individual from whom your business collects personal information. If you have a website that doesn't collect personal data, your visitors are not your data subjects.
A data controller is a person/entity that collects and processes the personal data of individuals. You can have people's data in your records, but you need to find a way to make you, its owner. It belongs to your users.
A data processor is a person/entity that collects and processes individuals' personal data on behalf of the data controller. Though a third party can collect and process data, the ultimate responsibility for it lies on the data controller.
Data subjects have certain rights under DSARs. They can exercise these rights, which means businesses must give access to data subject's data if they request.
Why Business Can’t Avoid DSAR: Subject Access Request Anymore!
DSAR gives businesses a chance to show their transparency and ability to take ownership of consequences, whether good or bad. This builds trust, and trust builds brands.
Not only does noncompliance with a substantial financial cost, is has far deeper cuts that are hard to mend. The reputation of the business is one of the most critical factors for people when making a purchasing decision, according to reputation. 84% of marketers consider trusting their primary focus in future marketing campaigns.
Additionally, regulatory data security audits can affect your credit score in the industry. Not taking responsibility and being unempathetic towards your consumers would position your business as untrustworthy, and thus people won't entertain you or your products and services.
Simply put, it is more about money than trust. Not being DSAR compliant means that your business can't be trusted.
But read on for those who want to build trust while being compliant with international privacy laws.
DSAR's Subject Access Rights: What Businesses Need to Know!
Under DSAR, data subjects have certain rights that give power to an individual to make DSAR requests and access their data.
Global data privacy laws grant various rights to citizens. Though some rights exist and need action on the part of the business (for example, the data subject's right to be informed), DSAR falls into the category where the data subject is required to take appropriate action and exercise the rights.
We'll refer to the GDPR's data subject rights as it serves as the basis for most international data privacy laws. These data subject's rights are:
Right to be informed
Right to access
Right to rectification
Right to erasure of data
Right to restrict processing of personal data
Right to portability
Right to object
Right to object automated decision-making and profiling
If you want to know more about GDPR and how to make your business compliant with it, read Startups: Guide to Thrive with GDPR Compliance in 2023
DSAR Requests: From Anywhere, Anytime
Anyone whose data is being collected and processed can submit DSAR. This includes data subjects and internet users with no relations with your business.
DSAR can be submitted by the data subject anytime, and as a business, you'll have to oblige to let them access their personal information.
An authorized agent can also submit a DSAR request, as per law. A person whose personal data you do not collect and the process can also offer a DSAR request. But you'll need something to give them access to.
DSAR is not limited to specific forms and procedures. Therefore, DSAR can be submitted in any way (written, verbal, on the phone, in-person), and the business must reply.
DSAR Request Incoming: What should you do?
Though there is no specific process or workflow for responding to DSAR, there is a simple 5 step process that will clarify how to react efficiently to DSAR requests within the timeframe laid down by the law, ensuring correct data is presented to the right person.
The five-step process to effectively respond to DSAR requests.
Verify the data subject's identity: Nothing can be more detrimental to the data subject and your business than sending the correct information to the wrong person. So have a thorough background check, and provide a receipt of the request if it suits your situation.
Clarify the request: Ask upfront, somewhat regretting later. Several DSAR requests that a data subject can make, like a request to know, to access, to be forgotten, for data transfer, or any other request. If you genuinely don't understand it, then contact your data subject and take their clarification.
Recheck the status of processed data: It's better to recheck from your end whether or not you're even processing the personal data that the data subject has asked for. If the result is negative or positive, you need to inform them and proceed further.
Inspect, process, and package the data: Make the file accessible and readable to the data subject, reminding them that, ultimately, they hold control of their data.
Provide data subjects with secure access: It's best to give your subjects direct access to their data via a closed system. The specific categories of personal data can't be sent a copy to the requester.
Apart from all this, as a responsible business entity, you must inform the data subject of their other rights besides the right to access, like the right to correct data, object to processing, due to port data, etc. This is not mandatory but will help in brand-making and building trust.
DSAR under GDPR and CCPA: What you should know
Both privacy laws have a difference in regulation with the treatment of DSARs. They are:
CCPA prescribes verification methods for both; password-protected account holders and non-account holders. But GDPR doesn't, and
The method of DSAR submission doesn't matter under GDPR, and you have to respond mandatorily, but under CCPA, you can put the request on hold and guide the data subject to submit it properly.
What should be included in a DSAR response?
You'll have to tell your user or data subject about everything in general, such as:
Whether your organization collects and processes data
What categories of personal data do you control?
What is your purpose in processing
How do you collect data?
With whom do you share their data
The data subject might only request a part of this information.
If a data subject requests to know some portion of the information, then provide them with specific info only. For example, if a data subject requests you to give access to incorrect information, you must provide this detailed information only. Nothing more, nothing less.
It is best to give your data subject remote access, like Facebook and other social media sites have done, to your records or a portal where they can easily access their data.
If you don't have enough budget, give the data subject a copy of their data in a way that is easily readable and accessible.
Verifying the Data Subject's Identity.
Most data privacy laws do not prescribe a set method or technique to verify the requester's identity. The method of choice is left to you.
As a business, you must, at least, reasonably strive to verify the data subject's identity. You can do this by:
Two-step verification of the email address used for the user account
Sending a verification code onto the mobile to verify the identity
Requesting data subject to the log-in on the membership portal
Several other methods can be tried, but these are the most common ones. The best verification method you use while collecting personal data is the one you use.
But CCPA is the only law that gives a method to verify the data subject's identity.
If you get a DSAR under CCPA, then there are a few different steps to take depending on whether your data subject has a password-protected account or doesn't.
Again, it is essential to know that you, as a business owner, must make sure that you don't provide the incorrect data subject or some other data subject's sensitive personal information. This will be treated as a data breach, resulting in a violation of law; thus making you and your business eligible for fines and penalties.
The most challenging part of responding to DSAR!
Data Discovery
The DSAR might look easy on the outside, but the real challenge begins when a business is dropped in with a DSAR request. Apart from identifying and verifying the user, it is important to find relevant data. And this takes much time.
An excellent data process understanding
It's more than just enough to collect and process data, and you must be able to articulate it to your customer. It would be best to inform them what and how you collect data. For what purpose is it collected? How do you process it, and where do you store it?
Not responding to DSAR request? Not recommended.
Under data protection laws, responding to DSAR is your duty, and not responding to it significantly puts in the bad books on the privacy regulations. This will likely cause enforcement actions by the supervisory authority.
DSAR violations lead to penalties such as:
Under GDPR, fines of up to 4% of the annual turnover or 20 million Euro, whichever is greater.
The CCPA levies a penalty of $7,500 per consumer whose rights have been violated.
Under LGPD, fines of up to 2% of the annual turnover or 50 million Reales, whichever is greater.
Timeline to respond to DSAR
Every law has different requirements for responding to DSAR requests.
GDPR allows 30 days for a response
CCPA says that a business must acknowledge the DSAR request within at least ten days and give appropriate information within 45 days of receiving the request.
Adzapier: End – End Automating DSAR
Manually finding data subjects' information can be tiring and time-consuming. That's why Adzapier's come with fully automated DSAR management.
Adzapier helps your business build and maintain a DSAR system that can merge all significant activities in one centralized space. Adzapier's DSAR management components include:
• Web Form - Adzapier helps you build custom web forms on your website/mobile app for users to fill and submit their DSAR requests easily.
• Workflows - Create a workflow of different DSAR requests to help reduce your workload and divide necessary tasks among your team.
• Dashboard - A central informational panel that overlooks all DSAR requests and data subject making your work smooth and easy.
• Data discovery system - When you have too many requests to handle, the data discovery system will search and track the relevant data regarding the data subject through a database or hosting system, making your work fast and efficient.
• Responding system - You need a responding system to validate and respond to each request, including assigning subtasks, messaging, and emailing documents.
Adzapier's DSAR management helps you receive DSARs and manage to respond to requests.
One small mistake and your business's reputation can be dented with fines and penalties. We promise we won't let that happen.