The implementation of several data privacy laws has changed the perspective of people towards data sharing. They expect transparency from an organization when they share their data. People want to know what you do with their data and the how and why of it. A study conducted last year by Truyo revealed that more people are exercising their rights under the California Consumer Privacy Act (CCPA). And, as the COVID-19 pandemic hit, the number of requests did not show any sign of decline. The study, released in April 2020, found that 51% of companies are receiving more than 10 requests per week and 20% receiving more than 100 requests per week.
The CCPA data rights granted to Californian residents are almost the same as the rights for people within the EU under the General Data Protection Regulation (GDPR). One of these rights —— the right to access data — has been one of the most exercised by people.
In this article, we will discuss what is data subject access request (DSAR) and how to handle it.
What is DSAR?
A Data Subject Access Request (DSAR) is a request made by consumers to access the personal data or information the organization has collected from them.
Data subjects, as they are addressed in regulations like the GDPR, have the right to access the information and even request a copy of it.
The privacy laws make it mandatory for an organization to make provisions for the data subjects to make such requests. The organization must verify the request upon receiving it and make necessary arrangements for the data subjects to access the information.
Our data privacy legislations in focus here are the GDPR and CCPA. So, let’s see what both the laws say about the DSAR.
DSAR under GDPR
The GDPR applies to any organization, regardless of its location, that collects and processes the personal data of people in the EU.
Right of access is one of the nine rights the data subjects have under GDPR.
Recital 63 states that the data subjects have the right to access their personal data collected by an organization. They must be able to easily exercise this right to be aware of and to verify if the data is being processed lawfully. The right extends to health data as well.
Art. 15 lists down the information related to personal data a data subject has the right to have access to:
- The purposes of processing the data
- The categories of personal data collected
- The recipients with whom the personal data has been or will be shared with
- How long the data will be stored
- Information or awareness about other data subject rights — the right to rectification, right to delete, right to restrict processing, and the right to object to the processing of personal data
- Information about the right of data subject to file a complaint with their supervisory authority
- The source of personal data, if it was not directly collected from the data subject
- The existence, significance, and consequences of processing personal data through automated decision-making and user profiling
- In case there is cross-country data transfer, the appropriate safety measures taken to secure the data
The organizations are liable to provide a copy of the personal data in a commonly used electronic form if requested. They may charge a reasonable fee for further copies.
The GDPR recommends organizations ‘-’ have a secure system that gives the data subject direct access to their personal data. However, while providing the copy, you have to ensure that it will not interfere with the rights and freedom of other data subjects. In case there is a request for accessing a large quantity of information, you can request the data subject to specify the information they require. You can refuse a data access request only after careful consideration, and you must specify your reason to them.
DSAR under CCPA
The CCPA applies to any for-profit entity that does business in California, that collects and processes the Californian consumers’ personal information, and that satisfies at least one of the following:
- Has annual gross revenues over 25 million dollars
- Annually buys, receives, sells, or shares, alone or in combination, the personal information of 50,000 or more consumers, households, or devices for commercial purposes
- Derives 50% or more of its annual revenues from selling personal information
Like GDPR, the CCPA also grants its data subjects or consumers (Californians) the right to access personal information. It gives them the right to request access to the personal information the organizations have on the consumers.
Under CCPA, a consumer can request a business that collects personal information about consumers access to the following information:
- The categories of personal information the business has collected
- The specific pieces of personal information the business has collected
- The categories of sources of personal information it has collected
- The categories of personal information the business has sold or disclosed
- The business or commercial purpose for collecting or selling personal information
- The categories of third parties the business has sold or disclosed the personal information
A business must have two or more designated methods for the data subjects to submit their data access requests. These methods include a toll-free number, a website address, and an email address.
How long do you have to respond to a DSAR?
The ideal time an organization must take to respond to a DSAR depends on the applicable data privacy law.
For GDPR, you have to respond to a data access request within a month of receiving it. There must be a legitimate reason behind any delay in response. In case there are numerous requests, or if they are complex, you can take additional two months to respond and specify the reason for the extension.
For CCPA, you can take 45 days from the day of receiving the request to respond. The 45 days include the time required to verify the request. If you need additional information from the data subjects, you can take another 45 days.
Can you refuse a DSAR?
Under GDPR, you can refuse to comply with a data access request under certain circumstances, such as
- (Manifestly unfounded) If it is found to be made with intention of harassing the employers of the organization or purely for gaining favor from you in exchange for withdrawing the request.
- (Excessive) If there are repeated requests made without a legitimate reason.
- If sharing the requested information interrupts the rights and freedom of other data subjects.
Under CCPA, your business does not require to oblige with the DSAR if:
- You cannot verify the identity of the data subject.
- It does not maintain personal information in an accessible format.
- The purpose of storing personal information is solely a legal obligation.
- It does not sell or use personal information for commercial purposes.
- If the requested information is a consumer’s government-issued identification numbers, bank account details, medical data, account password or other security-related data, or unique biometric data.
How to respond to a DSAR?
We have already seen what information data subjects can request to access. However, it remains a question of how you are going to respond to such a request. Is there a standard DSAR template or a form?
Well, the truth is there isn’t any.
Yes, you do not have to follow a specific format to respond to a DSAR. You can set your own template or process that is meticulous and is easy for the data subjects to exercise the right.
The major steps you can follow to respond to a DSAR are:
Data request verification
You must verify the data access request to see if it is lawfully abiding. You have to ensure the request for the right to access does not interfere with the rights and freedom of others.
Any request to access sensitive information must be carefully studied and responded to accordingly.
Verifying the request will also help you to determine the time you need to respond to it or if you need any extension.
Perhaps, the most important step. Why? Let’s try to understand using an example.
James Pavur, an Oxford University Ph.D. student, ran an experiment in 2019, where he sent DSARs to 150 organizations assuming his girlfriend’s identity using a fake email address. The results of the experiment are insightful.
Of 150, only 84 organizations responded to the request. 39% of them initiated further identification processes. 24% responded to the requests without any need for further proof of identity. 16% have weak verification processes.
His experiment proves how anyone can get access to someone else’s information if there is no strong verification. This is a privacy risk. Also, sending a data subject’s data to someone else is a breach of data.
The results also showed that big techs fared well against smaller organizations. Most of these organizations ignored the DSARs.
Such findings prove that the organizations (especially smaller ones) require a standard DSAR practice for identity verification.
Verifying the data requested by the data subject will help determine if you need to proceed with the request. Some data may include personal data of other data subjects. So, giving access to them is a case of a data breach.
Some data have a large quantity of information. You must ensure that whether the requested data constitutes the entire information or just a part of it.
After all the verification that goes well, you must gather the requested data and share it with the data subjects. The information must be presented in an easy-to-understand format.
These are not the only steps you must follow. There are various steps you may require to carry out to complete the process. It depends on your organization how you want to carry out the procedure.
Organizations, like Jaquar, have their procedure to respond to the DSAR.
Big tech, like Facebook, has an automated procedure that will help its users to access their information and download a copy of the same.
At CookieYes, you can email us your DSAR at firstname.lastname@example.org. We will verify and respond to your request per the applicable law.
DSAR is good. Not only does it make organizations, who amass personal data of their data subjects, practice transparency; it also makes way for the data subjects to be more aware. And… as this good fellow believes, it may help you leave your online gambling habit:
I’ve made a subject access request for my data to all the gambling companies I used to bet with. I know it’s not going to make good reading but feel it’s important part of my recovery.— Rich Thorpe (@rjthorpeuk) February 12, 2021
So, better take advantage of it.