What is Data Subject Access Request (DSAR)?

The implementation of several data privacy laws has changed people’s perspective toward data sharing. They now expect transparency from organizations when sharing their personal data. People want to know what is being done with their information – the how and why behind it.

The California Privacy Rights Act (CPRA) data rights granted to Californian residents closely mirror those given to EU citizens under the General Data Protection Regulation (GDPR). One of the most exercised rights under both laws is the right to access personal data.

In this article, we will discuss what a data subject access request (DSAR) entails and how organizations can manage these requests.

A Data Subject Access Request (DSAR) is a request made by consumers to access the personal data or information the organization has collected from them.

Data subjects, as they are addressed in regulations like the GDPR, have the right to access the information and even request a copy of it.

Organizations have to ensure that individuals have control over their personal data and that they can exercise their rights under the legislation.

A DSAR can include requests for copies of their own personal data and their children’s personal data if they are minors. The request must come directly from the data subject, unless they have authorized another data subject to submit it, such as parents, appointed guardians, or legal representatives.

Any of your team members may receive a DSAR and should know how to deal with it. This can be via email, phone, post, or social media.

The privacy laws make it mandatory for an organization to make provisions for the data subjects to make such requests. The organization must verify the request upon receiving it and make necessary arrangements for the data subjects to access the information. 

Our data privacy legislations in focus here are the GDPR and CPRA. So, let’s see what both the laws say about the DSAR. 

The main difference between a DSAR and a SAR is:

DSAR – Used specifically for requests made under GDPR. DSAR refers to an individual exercising their right to access their personal data held by an organization.

SAR – Stands for Subject Access Request, it is a more general term for requests to access personal data that is not limited to a specific regulation like the GDPR. SAR may be used to describe similar access requests made under other data protection laws like CPRA.

The GDPR applies to any organization, regardless of its location, that collects and processes the personal data of people in the EU. 

The right of access is one of the nine rights the data subjects have under GDPR. 

Recital 63 states that the data subjects have the right to access their personal data collected by an organization. They must be able to easily exercise this right to be aware of and to verify if the data is being processed lawfully. The right extends to health data as well. 

Art. 15 lists down the information related to personal data a data subject has the right to have access to:

• The purpose of processing the data
• The categories of personal data collected
• The recipients with whom the personal data has been or will be shared with
• How long the data will be stored
• Information or awareness about other data subject rights — the right to rectification, right to delete, right to restrict processing, and the right to object to the processing of personal data
• Information about the right of data subjects to file a complaint with their supervisory authority
• The source of personal data, if it was not directly collected from the data subject
• The existence, significance, and consequences of processing personal data through automated decision-making and user profiling
• In case there is cross-country data transfer, the appropriate safety measures taken to secure the data

The organizations are liable to provide a copy of the personal data in a commonly used electronic form if requested. They may charge a reasonable fee for further copies. 

The GDPR recommends organizations ‘-’ have a secure system that gives the data subject direct access to their personal data. However, while providing the copy, you have to ensure that it will not interfere with the rights and freedom of other data subjects. In case there is a request for accessing a large quantity of information, you can request the data subject to specify the information they require. You can refuse a data access request only after careful consideration, and you must specify your reason to them.

The CPRA applies to any for-profit entity that does business in California, that collects and processes Californian consumers’ personal information, and that  satisfies at least one of the following:

1. Has annual gross revenues of over 25 million dollars 
2. Annually buys, receives, sells, or shares, alone or in combination, the personal information of 100,000 or more consumers, households, or devices for commercial purposes
3. Derives 50% or more of its annual revenues from selling personal information

Like GDPR, the CPRA also grants its data subjects or consumers (Californians) the right to access personal information. It gives them the right to request access to the personal information the organizations have on the consumers.

Under CPRA, a consumer can request a business that collects personal information about consumers access to the following information:

• The categories of personal information the business has collected
• The specific pieces of personal information the business has collected
• The categories of sources of personal information it has collected
• The categories of personal information the business has sold or disclosed
• The business or commercial purpose for collecting or selling personal information
• The categories of third parties the business has sold or disclosed the personal information

A business must have two or more designated methods for the data subjects to submit their data access requests. These methods include a toll-free number, a website address, and an email address.

The ideal DSAR response time an organization must take depends on the applicable data privacy law.

For GDPR, you have to respond to a data access request within a month of receiving it. There must be a legitimate reason behind any delay in response. In case there are numerous requests, or if they are complex, you can take an additional two months to respond and specify the reason for the extension. 

The CPRA response time for DSAR is 45 days from the day of receiving the request to respond. The 45 days include the time required to verify the request. If you need additional information from the data subjects, you can take another 45 days. 

Under GDPR, you can refuse to comply with a data access request under certain circumstances, such as

• (Manifestly unfounded) If it is found to be made with the intention of harassing the employers of the organization or purely for gaining favor from you in exchange for withdrawing the request.
• (Excessive) If there are repeated requests made without a legitimate reason.
• If sharing the requested information interrupts the rights and freedom of other data subjects.

Under CPRA, your business does not require to oblige with the DSAR if:

• You cannot verify the identity of the data subject.
• It does not maintain personal information in an accessible format.
• The purpose of storing personal information is solely a legal obligation.
• It does not sell or use personal information for commercial purposes.
• If the requested information is a consumer’s government-issued identification numbers, bank account details, medical data, account password, or other security-related data, or unique biometric data.

You cannot charge fees for a data subject access request unless the request is manifestly unfounded or excessive. Any fees charged must only cover the cost of collecting the relevant information, and it should not constitute a profit for your organization.

We have already seen what information data subjects can request to access. However, it remains a question of how you are going to respond to such a request. Is there a standard DSAR template or a DSAR form? 

Well, the truth is there isn’t any. 

Yes, you do not have to follow a specific format to handle or respond to a DSAR. You can set your template or process that is meticulous and easy for the data subjects to exercise the right. 

The major steps you can follow to handle a DSAR are:

Data request verification

You must verify the data access request to see if it is lawfully abiding. You have to ensure the request for the right to access does not interfere with the rights and freedom of others.

Any request to access sensitive information must be carefully studied and responded to accordingly.

Verifying the request will also help you to determine the time you need to respond to it or if you need any extension.

Identity verification

Perhaps, the most important step.

An insightful experiment by James Pavur, University of Oxford-based researcher, highlights the need for robust identity checks. Pavur sent DSARs to 150 organizations pretending to be his girlfriend, using a fake email address. The results showed:

• Only 84 organizations responded at all
• 39% initiated further ID checks
• 24% complied without verifying identity
• 16% had weak verification processes

The experiment exposed vulnerabilities, especially among smaller organizations that ignored the requests. Meanwhile, big tech companies fared better with stronger identity verification.

These findings demonstrate that all organizations, especially smaller ones, need standardized DSAR procedures to properly verify identities. Proper checks reduce privacy risks and ensure compliance when responding to access requests. Implementing strong identity verification is a crucial step for any DSAR process.

Data verification

Verifying the data requested by the data subject will help determine if you need to proceed with the request. Some data may include personal data of other data subjects. So, giving access to them is a case of a data breach.

Some data have a large quantity of information. You must ensure that the requested data constitutes the entire information or just a part of it.

Send data

After all the verification goes well, you must gather and share the requested data with the data subjects. The information must be presented in an easy-to-understand format.

These are not the only steps you must follow. You may require various steps to complete the process. How your organization carries out the procedure depends on it.

Organizations like Jaquar have their procedure to respond to the DSAR.

Big tech, like Facebook, has an automated procedure that will help its users to access their information and download a copy of the same.

At CookieYes, you can email us your DSAR at [email protected]. We will verify and respond to your request per the applicable law. 

DSAR is useful in many ways. Besides compelling organizations to embrace transparency, they enlighten data subjects. Plus, the lesser-known perk is that a DSAR apparently aids in kicking that online gambling habit. Here is the proof:

I’ve made a subject access request for my data to all the gambling companies I used to bet with. I know it’s not going to make good reading but feel it’s important part of my recovery.

— Rich Thorpe (@rjthorpeuk) February 12, 2021

Seems like a win-win situation.