Data Subject Access Request (DSAR): Everything You Need to Know

Home | Blog | Data Subject Access Request (DSAR): Everything You Need to Know

In our increasingly digitised world, where data is likened to the new currency, businesses must tread carefully to balance innovation with the responsibility of safeguarding individuals’ privacy. One critical aspect of this delicate balance is the Data Subject Access Request (DSAR). 

Let’s find out everything you need to know about DSARs, the challenges faced by key stakeholders, and the solutions to ensure compliance and data protection.

So, What is a DSAR – Data Subject Access Request?

The essence of a Data Subject Access Request (DSAR) lies in enabling individuals with the right to access information about their personal data that an organisation processes. This right allows individuals to easily and reasonably, at regular intervals, inquire into the lawfulness of how their data is being handled by the organisation. It’s a fundamental aspect of data protection, emphasising transparency and giving individuals control over their own personal information

The History of DSARs

The concept of data subject access rights (DSARs) can be traced back to the 1970s, when data protection laws began to emerge in Europe. The first comprehensive DSAR legislation was introduced in Sweden in 1973, followed by similar laws in other European countries. In the United States, the Fair Credit Reporting Act of 1970 gave individuals the right to access their credit reports, while the Privacy Act of 1974 provided similar rights for federal government records.

The European Union’s Data Protection Directive, adopted in 1995, laid the groundwork for the GDPR – General Data Protection Regulation, which became enforceable on 25 May 2018. The GDPR preserves the right of data subjects to access their personal data, as well as to rectify, erase, or restrict processing of their data.

DSARs have become increasingly important in recent years as a result of the rise of big data and the increasing use of personal data by businesses and governments. Individuals are now more aware of their data privacy rights and are more likely to exercise them. This has led to an increase in the number of DSARs being submitted to organisations.

Understanding DSARs with an Example

Is it a fundamental right? Let’s see:

A Data Subject Access Request is a mechanism through which anyone can request access to their personal data being processed by an organisation. This right is protected by various data protection laws worldwide, including the GDPR in the European Union, DPDPA of India, and the CCPA in California. 

It’s akin to having a key to a safety deposit box, where the box is the organisation and the contents are the individual’s personal data.

Better Example of Making a DSAR:

Data Subject Access Requests can take various forms. For instance, a consumer might choose to initiate a DSAR by emailing, calling, posting on social media, or sending a physical letter to the organisation. The content of the request can range from providing detailed information about the specific data they are seeking to a straightforward request like “I would like you to delete the personal information you have about me.” 

The flexibility in the methods and the simplicity of the requests highlight the accessibility and user-friendly nature of DSARs, allowing people to exercise their data protection laws in a manner that suits them best.

Why and Who Can Make a DSAR?

Any person whose personal data is processed by an organisation or a business has the right to make a DSAR. This includes customers, employees, and even job applicants, highlighting the broad scope of this fundamental right. It acts as a universal key, available to anyone whose data is held by the organisation.

Okay. So, Can a Company Make a DSAR Request? 

When it comes to Data Subject Access Requests, it’s important to note that a limited company, as a legal entity, cannot make a DSAR. However, an individual associated with the company, such as a director, can indeed make a Data Subject Access Request on their own behalf. This distinction emphasises that DSARs are designed to empower individuals in gaining access to their personal data, and it’s the individuals within or associated with a company who can exercise this right.

Important: It’s worth acknowledging that the recording of a call may contain various forms of personal data. Therefore, if a director, for instance, wishes to access and review such data, they have the right to make a DSAR to obtain that information.

What Information Can Be Requested Using a DSAR?

The scope of a Data Subject Access Request encompasses a wide range of personal information, including basic details like name and address, transaction histories, payment details, medical records, social security numbers, communication records, personal chats, and much more. This request empowers users of software and the internet to gain insights into how their data is being handled, much like opening the safety deposit box and examining its contents.

How to Process a DSAR?

Making a DSAR is a straightforward process. You need to submit a written request, typically via email or post, including your name, contact details, and any relevant information for the organisation to identify your personal data. 

Companies are legally bound to respond within a specific timeframe, dictated by applicable data protection laws. It’s similar to requesting your bank for access to the safety deposit box and waiting for the bank to verify the request and grant you the access.

Are There Different Ways to Make a DSAR?

There are a number of different ways to make a DSAR. Individuals can submit a DSAR in writing, by email, or by phone. They can also make a DSAR verbally to an organisation’s representative.

The specific requirements for making a Data Subject Access Request will vary depending on the jurisdiction. However, in general, individuals will need to provide the following information:

  • Their name and contact information
  • A description of the personal data they are requesting
  • Any additional information that may help the organisation locate the data

Companies are required to respond to DSARs within a specified timeframe. The GDPR, for example, requires organisations to respond to DSARs within one month.

What are the Benefits of Making a DSAR?

DSARs offer numerous benefits to those seeking insights about their personal data. 

Any Data Subject Access Request is bound to provide you insights into the data an organisation holds about you, enabling the identification and correction of inaccuracies. 

In addition to that, DSARs grant individuals a better understanding of how their data is being used, fostering increased control and trust over their personal information. It’s similar to having the power to not only access the safety deposit box but also to correct or remove its contents.

What are the Challenges in Responding to DSARs?

Responding to DSARs poses a series of challenges for businesses. The primary hurdle lies in identifying all the personal data related to the requesting individual across diverse systems and databases. 

Ensuring the exclusion of third-party personal data adds an extra layer of complexity. That’s like a bank trying to locate all the safety deposit boxes belonging to a single customer in a large vault, while also ensuring that the contents of other customers’ boxes remain confidential.

How Organisations Can Prepare to Better Handle DSARs? 

To navigate the DSAR landscape successfully, organisations must have robust policies and procedures in place. This includes appointing a dedicated team for DSAR response, conducting regular audits, and implementing measures to protect and ensure data accuracy. 

For instance, if you’re a bank then hiring a dedicated team to manage your safety deposit box requests, conducting regular audits to ensure all boxes are accounted for, and implementing measures to protect the contents of the boxes can help.

What’s the Job of Global Compliance and Regulations while Making a DSAR?

GDPR, DPDPA, or CCPA are Privacy Laws, and they play a pivotal role in protecting everyone globally and nationally. These regulations provide a framework for businesses to adhere to, fostering a culture of data protection and trust. It’s like international banking regulations from the IMF or World Bank that ensure the safety and security of customers’ deposits, money transfers, forex reserves, and assets’ management.

Curious to know more about some of the crucial global compliance and regulations, how business leaders can re-imagine their security protocols? Read this: A Complete Guide to Data Privacy for Business Leaders – 2024 Edition

What Are the Potential Consequences of Not Complying with DSAR Regulations?

These consequences to not complying with regulations can include:

Regulatory fines: Organisations that fail to comply with DSAR regulations can be fined by data protection authorities. The GDPR, for example, allows for fines of up to €20 million (which is approximately £17,134,0001) or 4% of global annual turnover, whichever is greater.

Reputational damage: Organisations that are found to be in breach of DSAR regulations can suffer reputational damage. This can lead to a loss of customer trust and business.

Legal action: Organisations that fail to comply with DSAR regulations may be subject to legal action from data subjects.

In addition to these specific consequences, failure to comply with DSAR regulations can also lead to a number of other problems for organisations, such as:

Increased costs: Organisations may incur additional costs in responding to DSARs if they do not have efficient processes in place.

Operational disruption: Responding to DSARs can be a time-consuming and resource-intensive process. This can disrupt an organisation’s operations.

Loss of data: Organisations may inadvertently lose or destroy data when responding to DSARs. This can lead to data breaches and other compliance issues.

What are Some Praeferre’s Privacy Solutions to Tackle DSARs?

Praeferre’s privacy solutions are designed to address the complex challenges of Data Subject Access Requests (DSARs) for diverse stakeholders. Our comprehensive suite of tools and features offers the following benefits:

Simplified consent management: Praeferre’s innovative CRM (Customer Relationship Management) plugin enables effortless customer consent management, allowing them to modify preferences or opt out at any time.

Streamlined compliance: Achieve seamless compliance with GDPR, DPDPA (Data Protection and Digital Privacy Act), CCPA (California Consumer Privacy Act), and other data regulations with a single click, reducing administrative burden for DPOs (Data Protection Officers) and IT teams.

Automated response processes: Automate routine DSAR tasks, freeing up valuable time and resources for your team to focus on complex requests, providing support to DPOs and legal teams.

Enhanced data discoverability: Quickly locate and access relevant data across your organisation, ensuring accurate and timely responses to DSARs, addressing a key challenge for CIOs (Chief Information Officers).

Improved operational efficiency: Streamline DSAR workflows, reduce errors, and optimise resource allocation with our user-friendly platform, assisting business administrators and IT heads.

By leveraging Praeferre’s cyber security services and data privacy solutions, complex businesses can easily and effectively tackle DSAR challenges, ensuring seamless compliance, protecting data, and building trust with their customers. This collaborative approach benefits diverse stakeholders, from DPOs and CEOs (Chief Executive Officers) to IT heads and cyber experts, ultimately contributing to the organisation’s overall success and competitive edge in today’s data-driven world.

Are There Some Privacy Management Solutions for My Small Business?

For businesses of all sizes, investing in data privacy and  privacy management solutions is crucial. These solutions, tailored for startups, small businesses, large enterprises, and individuals, offer tools to streamline DSAR responses, ensuring efficiency and compliance.

Imagine it like a library using catalogue systems and security measures to protect its books. Similarly, businesses can use data protection measures like encryption, secure storage, and access control to safeguard their data. 

Meaning, it’s akin to managing books in a library, involving careful cataloguing, secure storage, controlled access, and responsive customer service. 

This is how businesses can promptly respond to DSARs and other data-related requests like subject access requests (SARs).

Where to DO WHAT with DSARs?

DSARs are not just legal obligations; they are an opportunity for organisations to showcase their commitment to data protection. 

By adopting best practices, investing in resources, and leveraging privacy management solutions, businesses can transform DSARs into a means of building trust and enhancing customer relationships. 

As the human race navigates the digital age, it’s now everyone’s sole responsibility to remember that data is not just the new oil – it’s the lifeblood of our digital identities. And like any lifeblood, it deserves to be treated with care, respect, privacy, and transparency (DO NOT CONFUSE PRIVACY WITH TRANSPARENCY & VICE-VERSA). 

It’s to build trust and enhance customer relationships. After all, in the digital era, data is the heart of our digital identities, and like any heart, it deserves to be treated with utmost care and responsibility. 

Also, if you’re planning to go ahead in fencing your business operations with modern data privacy management solutions, connect with our experts. We might have some solutions for you to bring everything in order and control.