The scope of data privacy laws is expanding, and it’s time to prepare your business to respond to Data Subject Access Requests (DSAR), which is when an individual requests to exercise their rights over the personal information you collect from them.
Establishing a transparent DSAR workflow for your business to address consumer requests helps you comply with applicable data privacy laws and builds customer trust.
Use my step-by-step guide to make a reliable, legally-sound, and easy DSAR process for your business and users.
Step-By-Step DSAR Workflow Your Business Needs To Follow
Here are the ten steps I recommend you follow to ensure your business’s DSAR workflow runs smoothly and meets all legal obligations.
Step 1: Receiving and Identifying a DSAR
The first step business owners should take when establishing a DSAR workflow is to choose how you want users to submit their requests.
I recommend choosing a system based on how your users typically interact with your platform and the nature of the personal data you collect while keeping applicable privacy laws in mind.
There are multiple methods you could implement on your site, including:
To help simplify this process, Termly provides all users with a DSAR form you can embed on your website — see what it looks like in the screenshot below.
Some laws require you to provide two or more ways for consumers to submit requests.
You must also respond to consumers even if they don’t follow the specific methods you implement on your platform because privacy laws allow individuals to submit DSARs in any method they choose.
But providing them with a clear avenue for submitting these requests is more efficient, and most users will happily follow your established process.
Verifying a Data Subject’s Identity
Once you’ve chosen the methods you’ll use to allow consumers to follow through on their rights, you must also make a process for verifying consumer requests to ensure you never release personal information to an unauthorized person.
When verifying the consumer’s identity, avoid asking for more personal information unless necessary, and don’t require them to create an account, as this is forbidden under some laws.
Instead, consider using a two-factor authentication approach and take advantage of pre-existing data you already have; for example, you might send a code to their email address or phone number or have them select and answer a security question correctly.
Understanding the Scope of the Request
You also need to ensure the person or team answering your DSARs understands the scope of the consumer request so that they can respond accurately.
Consumers have different rights and can submit requests to follow through on any of them, so make sure you know what the specific request or requests are and reply to all facets of them.
Step 2: Gathering Requested Data
The next step involves gathering the relevant requested data so you can appropriately respond to the consumer.
Your internal procedure should explain which employees are approved to locate the information, the networks where you store the data, if it’s located in multiple places, and if you store any information physically.
Retrieving Personal Data
Depending on your industry, different permissions may be required before your team can access information on behalf of the data subject.
For example, this is necessary under U.S. federal laws like HIPAA, so verify if these rules impact your business and add the appropriate details to your DSAR procedures.
You might also consider implementing data mapping techniques to make gathering this information easier on your team.
Data From Third Parties
When gathering the information, remember to include data collected by third parties you work with, especially if you rely on a third-party data processor.
The consumer request applies to all data collected.
Most data protection laws contractually obligate third parties to help you follow through on consumer requests, so ensure your business contracts reflect these requirements.
Step 3: Data Review and Exemption Consideration
Once you’ve collected the data requested by the consumer, review it for confidentiality and sensitivity to ensure it meets your internal requirements for accepting or rejecting DSARs.
Identifying Exempt Information
Some personal data may be exempt from sharing with the data subject, and you should explain how your team determined this.
For example, you cannot share information with someone if it infringes upon another person’s data privacy rights.
You should reject requests that impede another person’s privacy and clearly explain this to the original data subject.
Balancing Transparency and Data Protection
When responding to a consumer request, your team should log the steps they take, while keeping the data protected.
Have your employees mark down the following in case of a regulatory audit:
- The date and time of each task they’ve completed
- The authorization for the requests
- The potential locations of the data they’ve accessed
You’re also responsible for keeping these details secure from data breaches or unauthorized access, so ensure you have safety measures to prevent this.
Step 4: Communication With the Data Subject
Inform the consumer that you’ve received their request and are working on a response by sending them a verification notice.
Providing Updates on Progress
Depending on applicable laws, you might be subject to a 30- or 45-day timeline for responding to DSARs, so consider sending the user updates on your progress.
Updating the data subject about how long the process may take reassures them and holds your DPO or privacy team accountable for progressing your DSAR workflow promptly.
Seeking Clarifications, if Necessary
It’s okay for you to request clarifications from the data subject if it’s necessary to fulfill a request or for legal obligations.
For example, you might need to verify what rights they’re following through on or clarify if they’re acting on behalf of their child.
But your DSAR process must follow all applicable laws, and there are limitations about what you can and cannot ask a data subject depending on what legislation applies to your business.
Step 5: Processing and Compiling the Response
Make sure you are well organized when processing and compiling your response to a DSAR.
Many laws give consumers the right to a portable copy of their information, which means it must be presented to them in a way that’s easy to share with another data controller.
The purpose of this right is to prevent user data from being stored on closed platforms, which makes changing accounts or switching services a big challenge.
I recommend implementing the following, when possible:
- Provide the data using a common, accessible file type
- Provide the consumer with remote access using a secure system
- Format it in a way that’s easy to read and understand
Redacting Third-Party Information
When fulfilling DSARs, you might need to redact information relating to third parties, so have a process in place for identifying and removing this type of information.
For example, you might redact:
- Private organization information
- Information that falls outside the scope of personal data
- Data about another individual not making the request
Step 6: Drafting the Response
When drafting a response to a DSAR, use straightforward language that’s easy to understand, be thorough, and double-check that you’re providing everything the consumer requested.
Explaining Data Processing Activities
Be transparent about your processing activities, and ensure anyone working on your DSAR workflow understands these protocols so they can craft accurate responses.
Consider preparing templates your team can adapt and tailor to the type of request received.
Addressing Exemptions and Limitations
You must clearly explain to the requester if any data they seek is exempt, can only be shared in limited quantities, or if it must be fully denied.
Denying DSARs is permitted in very specific scenarios — under the GDPR, you can deny one if it’s unfounded or excessive.
Explain what would cause DSARs to get denied in your DSAR protocols based on applicable data privacy laws so your team knows when it is or isn’t appropriate.
Step 7: Review and Quality Assurance
Once you’ve drafted your response, review it internally for accuracy and quality assurance.
Performing an internal review as part of your overall workflow helps you find and correct mistakes or legal errors before the response reaches the data subject.
Ensuring Accuracy and Compliance
Before you send an official response to the data subject, double-check that all personal data and details are accurate and that you followed the applicable laws.
Data subjects from different regions have different rights, so put details about their rights in your DSAR protocols to ensure everyone on your team understands them.
If you make a mistake, data privacy laws will hold your business accountable.
Legal and DPO Approval
If necessary, have your DPO or legal team review DSAR responses before sending them to the data subject so they can double-check that everything is done correctly and in a compliant way.
Step 8: Sending the DSAR Response
Before sending your DSAR response, check applicable laws to determine the proper formatting and delivery methods.
For example, under the GDPR, any data subject requests made electronically should be replied to in the same manner.
Include the necessary response methods as part of your DSAR workflow, so your team understands the legally appropriate way to send a response to consumers.
Timely Delivery and Communication
Most data privacy laws require you to respond to data subject requests without undue delay or within 30 to 45 days of receipt.
Under the GDPR, you have 30 days to respond to DSARs, whereas under the CCPA, you have 45 days.
Replying sooner is always better than responding too late, at which point the law could hold you legally accountable.
Step 9: Handling Appeals and Further Steps
After you respond to a DSAR, you must provide an easy method for data subjects to appeal your decisions regarding their requests.
Laws like the VCDPA stipulate that the appeal process must be as simple as and similar to the system you initially used to allow consumers to submit requests.
You then have a set amount of time to reply to an appeal, depending on the legislation that applies to your business.
Escalating Complex Cases
After responding to a consumer, you may face complex requests or complicated appeals.
For example, a legal guardian may contact you over concerns about your website or app collecting information about their child despite your business not targeting minors.
To prepare your business, make a process for escalating these requests to the proper channels so you can resolve them efficiently.
Continuous Improvement of the DSAR Process
As you receive more DSARs and test your workflow, continuously adjust it as necessary.
If you discover any gaps in your policy or pain points, you can address and fix them, because the overall DSAR response process is entirely up to you.
You should also pay attention to new and changing data privacy laws that may impact parts of your DSAR process.
Step 10: Record Keeping and Documentation
Keeping secure records of your DSARs and responses is essential for internal organization purposes and in case of a privacy audit.
Under the GDPR, you must keep a detailed record of your processing activities and make them available upon the request of regulatory authorities, including DSAR responses and appeals.
According to Article 31 of the GDPR, this is a Record of Processing Activities or RoPA.
Regardless of legal obligations, doing this is a best practice as it can help you prove legal compliance if issues arise.
Audit Trail and Accountability
Documenting your communications with data subjects who submit DSARs creates an audit trail that can help prove you complied with applicable laws if regulatory authorities question you.
So log all your steps and store these details in a secure environment.
As an additional benefit, if the same consumer submits another DSAR in the future, your team can respond to their request faster and easier.
Overview of Data Subject Access Requests
Now that I’ve explained how your business can make a DSAR process, let’s cover users’ privacy rights as granted by different data privacy laws.
While the specific rights vary, people protected by these pieces of legislation typically have the right to request to:
- Access the personal data you’ve collected about them and know what you use it for
- Correct or amend their personal data
- Delete the data you’ve collected about them
- Obtain a portable copy of the data you’ve collected about them
- Opt out of certain types of data processing activities, like profiling, the sale of their data, or targeted advertising
Data subject access requests have become increasingly prominent since the introduction of the General Data Protection Regulation (GDPR), the influential data privacy law that protects people within the European Union (EU) and the European Economic Area (EEA).
But the DSAR process can apply to users who submit requests to follow through on rights granted to them by these and other privacy laws:
- Brazil General Data Protection Law
- California Consumer Protection Act (CCPA)
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- New Zealand Privacy Act
- Oregon Data Privacy Act (ODPA)
- Switzerland Revised Federal Act of Data Protection (Swiss FADP)
- Utah Consumer Privacy Act (UCPA)
- Virginia Consumer Data Protection Act (VCDPA)
The Importance of a DSAR Process for Businesses
Establishing an adequate DSAR process is important for businesses because it’s often a multi-step undertaking, and some laws, like the GDPR and the CCPA, outline specific timeframes for how long you have to respond to and complete consumer requests.
Additionally, you’re not usually allowed to charge any fees for the DSAR process, so it’s essential that your business can meet these requirements in an affordable manner.
Additional Ways To Prepare for a DSAR
Next, I’ll explain additional ways you can prepare for DSARs from consumers.
Appointing a Data Protection Officer (DPO)
For some businesses, appointing a Data Protection Officer (DPO) may be necessary.
Your DPO helps your company collect and process data in legally compliant ways and may respond to DSARs or oversee and help manage the process, depending on the size and scope of your business.
For example, smaller companies usually only require a single DPO to meet legal obligations, while companies that process large amounts of data or highly sensitive information may need a team of employees to assist the DPO.
When choosing a DPO, ensure they’re familiar with data privacy legislation and know your business’s operations inside and out.
Avoid choosing someone on a short-term contract and ensure there are no conflicts of interest.
Employee Training and Awareness
Train your staff about data privacy to increase employee awareness regarding best practices and the DSAR process your business implements.
Ensuring your entire team is privacy literate will help make your DSAR process more efficient and effective.
At a minimum, all employees should be trained to recognize a DSAR and escalate it as appropriate.
Your employees also have data privacy rights regarding how you collect, use, and process their data, which you must also consider when creating a DSAR workflow.
Summary
Ultimately, creating a DSAR workflow puts your entire team on the same page and helps you adhere to data protection regulations outlined by relevant laws.
If you violate any of those laws, even by accident, it could lead to public backlash and significant fines that add up fast — just check out this list of the biggest GDPR fines of all time.
An efficient DSAR process also proves to your consumers that your company continuously commits to protecting their data privacy.
Current data privacy statistics suggest that consumers care more about what’s happening to their personal information online today than ever before.
Prove to them that you care about protecting the integrity of their information just as much by implementing a coherent and well-structured DSAR process.