
What’s DSAR? Guide to Understanding Data Subject Access Requests

At a time when personal data flows freely across digital ecosystems, users are becoming increasingly protective of their information. As online platforms and legacy businesses migrate their operations online, their reach expands, as does the volume of Personally Identifiable Information (PII) they collect, process, and store.

From data voluntarily shared to information scraped from devices and collected from third parties, this information, both qualitative and quantitative, has become one of the most valuable assets for organizations worldwide, fueling everything from targeted advertising to personalized user experiences. Yet with this unprecedented data collection comes a correspondingly large responsibility: respecting and safeguarding individuals’ data and privacy rights.

Failure to comply with relevant data privacy laws and to implement adequate data protection measures has serious ramifications. Beyond financial penalties, non-compliance erodes trust and adds the cost of repairing reputational damage and remediating harm to affected users. Public concern is already high: 68% of Americans are concerned about the amount of data businesses collect about them, and 60% believe companies actively and routinely misuse data.

But what is driving increased awareness of data privacy issues? News about data breaches makes headlines, but it was the introduction of the European Union’s General Data Protection Regulation (GDPR) that started a new wave of data privacy laws. This was followed by the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and Australia’s Privacy and Data Protection Act.

 

What are Data Subject Access Requests (DSAR)?

Data Subject Access Requests (DSARs) are formal requests individuals submit to organizations to access their personal data. Under data privacy regulations, individuals are entitled to know what personal information is collected about them and how it is used, shared, and stored.

Organizations do not own the personal data they hold; they are permitted to process it for the purposes the individual has been told about. DSARs exist to give individuals transparency over that processing and to let them rectify, delete, or restrict the use of their data where needed. Jurisdiction adds to the challenge: organizations handling PII are subject to the privacy laws of wherever their services are offered and data is collected, not only of where the data is stored.

DSARs are essential for several reasons:

  • Privacy and Transparency: DSARs give individuals insight into the data that organizations hold, helping them understand their digital footprint and evaluate data privacy risks.
  • Accountability: They hold companies accountable for their data practices, compelling them to manage data responsibly and ethically.
  • Compliance: Adhering to DSARs is legally required under several data protection laws, and non-compliance can lead to severe fines and reputational damage.
  • Trust Building: When organizations carefully manage their data and uphold a level of transparency, they can more easily foster trust among customers and other stakeholders, which is valuable in today’s privacy-conscious environment.

 

Types of data relevant to DSARs

Personally Identifiable Information (PII)

Basic personal details that identify the individual or data subject include name, address, email, phone number, date of birth, and government-issued identifiers (e.g., Social Security Number, National ID, Tax File Number).

Contact Information and Communication Records

Communication history with the organization, including emails, chat logs, call recordings, and any other documented interactions that might include or relate to the individual’s data.

Transactional and Purchase Data

Information related to past transactions, orders, or services rendered, including receipts, purchase history, and service records.

Behavioral and Usage Data

Records of interactions, including website visit logs, app usage statistics, device information, and IP addresses, as well as behavioral tracking data — cookies and browsing history.

Employment and HR Data

For current or former employees, relevant data may include employment records, performance evaluations, payroll information, benefits data, and any other HR-related information.

Location Data

Geographic or locational information gathered through GPS, IP addresses, or device tracking is relevant if the organization collects this data as part of its service or product usage.

Marketing and Profiling Data

Data used for marketing purposes, such as targeted advertising profiles, preferences, engagement scores, or segmentation attributes that categorize the individual’s behavior or interests.

Financial Information

Banking details, payment information, billing history, and any credit or debit card data related to the individual's transactions.

Third-Party Data

Information shared with or obtained from third-party vendors, partners, or data processors is still personal data and falls within the scope of a DSAR; the organization remains responsible for retrieving it from those processors.

Sensitive or Special Category Data

Highly sensitive data, such as health information, biometrics, or data on racial or ethnic origin, political opinions, or religious beliefs, is regulated more strictly under data protection laws and must be handled with particular care when included in a response.

Each data type may need to be disclosed in response to Data Subject Access Requests, depending on the request's scope and the data subject’s rights under applicable privacy laws. Ensuring efficient access to these categories through organized data mapping and tracking can help streamline the DSAR response process.

 

Data privacy concerns cover where data was captured — not where it’s stored

DSARs are particularly nuanced when it comes to jurisdictional requirements, because applicability is determined by where the individuals are and where their data is collected or accessed, not by where the data is stored or where the company is headquartered. This distinction is crucial for organizations operating across multiple regions: a US-based and operated company with data centers in Asia that collects information about users in Europe is still bound by GDPR.

Data protection is judged by the jurisdiction of where data is collected and accessed, so organizations must implement global data management policies that account for each region’s specific privacy laws. This may include setting up regional data access points with localized data protection measures or geo-blocking access to users in unserved markets.

 

DSARs and GDPR

The General Data Protection Regulation (GDPR), the most widely referenced omnibus data privacy framework, entitles data subjects to request access to the personal data organizations hold about them; a valid request can be made verbally or in writing, including by phone or email, not only through a dedicated form. Organizations must respond without undue delay and within one month of receipt (commonly treated as 30 days), extendable by up to two further months for complex or numerous requests, providing a transparent account of what data has been collected, why it is processed, how long it will be retained, and with whom it may be shared. This access enables individuals to verify, correct, or request deletion of their data as needed.

 

DSARs and CCPA/CPRA

The CCPA and CPRA are similar to GDPR but have specific California-focused nuances, such as extended protections for sensitive data categories and the right to opt out of data sales. Compliance with DSARs under these laws is mandatory for eligible businesses, with a 45-day timeframe to respond to requests.

 

DSARs and Australia’s Privacy and Data Protection Act

Under Australia’s Privacy Act 1988 and associated privacy and data protection laws, Data Subject Access Requests give individuals the right to access personal information that organizations hold about them. Individuals can request details about what data has been collected, how it is used, and any third parties it has been shared with. They also have the right to correct inaccurate or outdated information.

Organizations must respond to DSARs promptly, typically within 30 days, ensuring transparency in data handling. The Australian Privacy Act emphasizes responsible data management and individual rights, holding companies accountable for non-compliance through regulatory actions by the Office of the Australian Information Commissioner (OAIC). This DSAR framework aligns with global privacy standards, promoting trust in Australian data privacy practices.

 

Your data subject rights

Data subject rights are the legal rights individuals have over their personal data, allowing them to exercise control over how their information is collected, used, stored, and shared by organizations. These rights are core to data privacy laws worldwide, such as the GDPR, CCPA, and other similar regulations, helping ensure transparency and accountability in data handling. 

Key data subject rights include:

  • Right to Access: Individuals can request access to their personal data held by an organization, including details on how it’s being used and shared.
  • Right to Rectification: If data is inaccurate or incomplete, individuals have the right to request corrections to ensure data accuracy.
  • Right to Erasure — Right to be Forgotten: Under certain conditions, individuals can request the deletion of their personal data, such as when it is no longer needed for its original purpose.
  • Right to Restrict Processing: Users can request that organizations limit how their data is used, such as temporarily halting processing in data accuracy disputes.
  • Right to Data Portability: Individuals can receive their data in a structured, machine-readable format and transfer it to another service provider if applicable.
  • Right to Object: Objections can be made to certain data processing activities, particularly those involving direct marketing or profiling.
  • Rights Related to Automated Decision-Making and Profiling: Individuals can challenge decisions made solely by automated means, such as algorithms, that significantly impact them and request human intervention.
  • Right to Be Informed: Organizations must inform individuals about data collection and usage purposes in clear and accessible language, typically through privacy notices.

 

Who can submit a DSAR?

Individuals (Data Subjects)

Any individual whose personal data is held by an organization can submit a DSAR, including customers, employees, and users. Requesters are not required to give a reason. Organizations, for their part, may only ask questions that confirm the requester’s identity and help locate the relevant information.

Authorized Representatives

An individual may appoint an authorized representative, such as a lawyer, to submit a data privacy request on their behalf. Organizations typically require proof of authorization, such as written consent, to process the request.

Parents or Guardians

For minors, parents or legal guardians can submit DSAR requests on behalf of their dependents if the child is below the age of consent under the applicable law.

Next of Kin or Executors

In some jurisdictions, next of kin or executors may be allowed to access the personal data of a deceased person, depending on local laws and the organization’s policies.

 

How long do I have to respond to a DSAR?

Most regimes, including the GDPR and Australia’s Privacy Act, require organizations to respond without undue delay, typically within 30 days (one month under the GDPR), with extensions permitted in specific scenarios such as complex or numerous requests. California’s CCPA/CPRA allow up to 45 days, extendable once by a further 45 days where reasonably necessary, provided the requester is told.

Failing to respond to a Data Subject Access Request within the specified timeframe without an allowable reason exposes your organization to financial penalties: the presumption is that a request must be honored, and any delay or refusal needs a justification.

 

Can organizations charge fees to process DSAR requests?

Organizations were once entitled to charge a fee to process DSAR requests. Under the GDPR this is no longer permissible in the general case, and handling requests is treated as a cost of doing business, but there are exceptions that allow a reasonable fee to be recovered, such as:

  • Managing unfounded or excessive requests
  • Providing additional copies of data
  • Processing complex or demanding requests

 

How to process a DSAR request

Processing a DSAR (Data Subject Access Request) requires a structured approach to ensure compliance, accuracy, and transparency. Here’s a step-by-step guide to handling DSARs effectively:

1. Acknowledge the request

Promptly acknowledge receipt of the request to the data subject. Do this within a few days and include the anticipated timeframe for completion; the statutory clock runs from receipt of the request, not from your acknowledgment.

2. Verify the Identity of the data subject

To prevent disclosing personal data to an impostor, verify the requester’s identity before retrieving anything, asking for additional information or documentation where needed, especially when the request is made on behalf of someone else. Where the requester already has an authenticated account, confirming the request through that channel is usually enough. Data minimization applies here as well: do not request more data than is necessary for verification, and delete any verification documents once the check is complete.

3. Clarify the scope

If the DSAR is broad or unclear, contact the data subject to clarify which types of data they require and what they intend to do with them, so that you retrieve and disclose no more than necessary. A request for everything is still a valid request, however, and must be handled in full if the requester does not narrow it.

4. Locate and retrieve data

Identify all locations where the requester’s data might be stored, including databases, emails, cloud storage, CRM systems, and any relevant third-party systems. Data mapping can be beneficial in this step, as it allows quick identification of data sources.

5. Review and redact data

Carefully review the retrieved data to ensure it is complete and relevant to the request. Redact any information that would infringe on the privacy of others (for example a third party’s details in a chat transcript) or that is legally protected from disclosure. Apply redactions to the underlying content, including document metadata and attachments, rather than overlaying a box on a rendered view, since overlaid redactions can often be removed.

6. Prepare the response

Organize the data in a commonly used, readable format, typically PDF for documents and CSV or JSON for structured records. The response should include:

  • Confirmation of data processing
  • Categories of personal data
  • Purpose of data processing
  • Data retention periods
  • Third parties who had access to the data
  • Any relevant rights, e.g., right to rectification, deletion, etc

7. Deliver the Response

Provide the data to the data subject securely within the required timeframe (often 30 to 45 days, depending on jurisdiction). Use a channel that protects the requester’s information, such as encrypted email or an authenticated, expiring download link, and never send the package to an address or account that was not verified in step 2.

8. Document the Request and Response

It’s best practice to keep a record of the DSAR, including the request details, response date, and any communications with the requester. This documentation is valuable for audits and can help demonstrate compliance with data privacy regulations.
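The eight steps above as one small, runnable pipeline, added here as an illustration and not code from the original page or from Nuix. It assumes a hypothetical in-memory data map (`DATA_MAP`) with constructed sample records, a simplified identity-verification flag set by the intake channel, a toy phone-number format, and day counts that approximate the statutes (the GDPR’s one month is treated as 30 days); `DsarRequest`, `RESPONSE_WINDOWS` and the function names are this example’s own. It shows the points a practitioner most often gets wrong: the clock runs from receipt, nothing is retrieved before identity is verified, third-party identifiers are redacted from the underlying text rather than hidden in a rendered view, the response carries purposes, retention and recipients alongside the data itself, and an audit record with a hash of what was sent is kept.

```python
from __future__ import annotations

import hashlib
import json
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Response windows in calendar days (initial window, one permitted extension); assumed approximations for this example.
RESPONSE_WINDOWS = {
    "GDPR": (30, 60),   # Art. 12(3): one month (treated as 30 days), plus up to two further months if complex
    "CCPA": (45, 45),   # Cal. Civ. Code 1798.130(a)(2): 45 days, extendable once by 45
    "AU_APP": (30, 0),  # APP 12.4: within 30 days for organisations; no fixed extension, so 0 here
}

# Constructed (hypothetical) data map: system -> purpose, retention, recipients and records.
DATA_MAP = {
    "crm": {
        "purpose": "contract fulfilment", "retention": "6 years after last order",
        "recipients": ["payment processor"],
        "records": [
            {"subject": "alice@example.com", "field": "postal_address", "value": "12 Sample Street"},
            {"subject": "carol@example.com", "field": "postal_address", "value": "9 Other Road"},
        ],
    },
    "support_chat": {
        "purpose": "customer support", "retention": "2 years", "recipients": ["chat SaaS vendor"],
        "records": [
            {"subject": "alice@example.com", "field": "transcript",
             "value": ("alice@example.com: my colleague bob@example.com (tel 555-0100) already "
                       "reported this. Agent: thanks, I will call 555-0199 back.")},
        ],
    },
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\b\d{3}-\d{4}\b")  # toy phone format used by the sample data

@dataclass(frozen=True)
class DsarRequest:
    subject: str               # identifier the requester claims (an email address here)
    received: date             # the statutory clock runs from receipt, not acknowledgment
    regime: str                # key into RESPONSE_WINDOWS
    identity_verified: bool    # set by the intake channel in step 2, e.g. an authenticated login
    known_phones: frozenset = frozenset()  # numbers verified as the subject's own

def response_deadline(received: date, regime: str, extended: bool = False) -> date:
    """Step 1: the date by which the response is due."""
    base, extension = RESPONSE_WINDOWS[regime]
    return received + timedelta(days=base + (extension if extended else 0))

def redact_third_parties(text: str, subject: str, known_phones: frozenset) -> str:
    """Step 5: strip identifiers of people other than the subject from the underlying text."""
    text = EMAIL_RE.sub(lambda m: m.group(0) if m.group(0).lower() == subject.lower() else "[REDACTED-EMAIL]", text)
    return PHONE_RE.sub(lambda m: m.group(0) if m.group(0) in known_phones else "[REDACTED-PHONE]", text)

def locate_records(data_map: dict, subject: str) -> list[dict]:
    """Step 4: walk the data map and copy out every record about the subject."""
    found = []
    for system, meta in data_map.items():
        for rec in meta["records"]:
            if rec["subject"].lower() == subject.lower():
                found.append({"system": system, "field": rec["field"], "value": rec["value"], "purpose": meta["purpose"],
                              "retention": meta["retention"], "recipients": meta["recipients"]})
    return found

def process_dsar(req: DsarRequest, data_map: dict = DATA_MAP, today: date | None = None) -> dict:
    """Steps 2 to 8: gate on identity, locate, redact, build the export and an audit record."""
    today = today or date.today()
    deadline = response_deadline(req.received, req.regime)
    if not req.identity_verified:  # step 2: retrieve nothing for an unverified requester
        return {"status": "pending_verification", "deadline": deadline.isoformat(), "export": None}
    records = locate_records(data_map, req.subject)
    for rec in records:
        rec["value"] = redact_third_parties(rec["value"], req.subject, req.known_phones)
    export = {  # step 6: machine-readable response content (also serves portability)
        "subject": req.subject,
        "processing_confirmed": bool(records),
        "categories": sorted({r["field"] for r in records}),
        "purposes": sorted({r["purpose"] for r in records}),
        "recipients": sorted({x for r in records for x in r["recipients"]}),
        "retention": sorted({r["retention"] for r in records}),
        "records": records,
        "rights": ["access", "rectification", "erasure", "restriction", "portability", "objection"],
    }
    payload = json.dumps(export, sort_keys=True)
    audit = {  # step 8: what was sent, when, and whether the deadline was met
        "subject": req.subject, "regime": req.regime, "received": req.received.isoformat(),
        "deadline": deadline.isoformat(), "responded": today.isoformat(), "on_time": today <= deadline,
        "record_count": len(records), "export_sha256": hashlib.sha256(payload.encode()).hexdigest(),
    }
    return {"status": "completed", "deadline": deadline.isoformat(), "export": export, "audit": audit}

def demo() -> dict:
    # Fixed calendar so the sample run is reproducible: a verified GDPR request and an unverified CCPA one.
    alice = DsarRequest("alice@example.com", date(2024, 1, 10), "GDPR", True, frozenset({"555-0199"}))
    unverified = DsarRequest("alice@example.com", date(2024, 1, 10), "CCPA", False)
    return {"alice": process_dsar(alice, today=date(2024, 2, 1)), "unverified": process_dsar(unverified),
            "ccpa_extended": response_deadline(date(2024, 1, 10), "CCPA", extended=True).isoformat()}
```

Calling `demo()` processes a verified GDPR request from Alice received on 10 January 2024 (due 9 February) and an unverified one that returns nothing. In Alice’s chat transcript, Bob’s email and phone number are replaced with placeholders while her own address and her verified number survive, and the original records in the data map are left untouched. In a real deployment the data map would be produced by the discovery tooling of step 4, and `identity_verified` would be set only by an authenticated channel, never from a field the requester supplies.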

 

Can organizations refuse a DSAR?

While privacy is a fundamental right, there are specific circumstances in which an organization can, or must, refuse a DSAR. In these cases the organization needs to justify the decision to the requester and inform them of their right to complain to the relevant supervisory authority, e.g., the Information Commissioner’s Office in the UK or the Office of the Australian Information Commissioner.

This transparency helps maintain trust while balancing privacy and operational concerns. Scenarios where organizations can refrain from processing DSAR requests include:

  • Unfounded or Excessive Requests
  • Insufficient Proof of Identity
  • Legal and Regulatory Exemptions
  • Impact on the Rights of Others
  • Requests Concerning Non-Personal Data

 

Who should be responsible for processing DSAR requests?

Depending on the size of your organization, multiple departments can assist in processing DSAR requests as part of your data protection functions. However, it’s best practice to assign a dedicated data protection officer who can lead data privacy efforts for consistent compliance. Professionals who help handle DSAR requests include:

  • Data Protection Officer (DPO): Oversees DSAR compliance, especially in organizations required by law to appoint a DPO.
  • Privacy/Compliance Team: Manages requests, coordinates with departments, and ensures responses meet data privacy standards.
  • Legal Team: Guides exemptions and ensures compliance, particularly for complex legal requests.
  • IT/Data Management Teams: Locates and retrieves requested data from relevant systems.
  • Customer Service or HR for Employee Requests: Handles initial communication for customer or employee DSARs, collaborating with the compliance team as needed.

 

What are the Challenges of Handling DSARs?

While DSARs are crucial for transparency and data protection, they present several challenges that can become a burden on internal resourcing:

  • Resource-Intensive Process: Gathering and reviewing data across various systems requires substantial time and effort, particularly for large organizations.
  • Data Dispersal: Personal data may be spread across different systems, departments, and even third-party vendors, complicating retrieval.
  • Privacy and Security: Responding to DSARs requires securely handling personal data to prevent breaches or unauthorized access.
  • Compliance with Exemptions: Some information may be exempt from disclosure, and identifying these exemptions requires careful legal review.

Investing in automation tools and DSAR data protection management platforms can help streamline the process and simplify complexities involving PII, GDPR, and CCPA/CPRA, especially for organizations that handle numerous DSARs.

 

Penalties and consequences for DSAR non-compliance 

Implementing a proactive DSAR framework helps organizations avoid consequences by ensuring efficient, compliant data management and building trust with data subjects. 

Non-compliance penalties
  • Fines and Penalties: Data privacy regulations like the GDPR can impose significant fines for non-compliance with DSAR obligations, reaching up to €20 million or 4% of global annual turnover, whichever is higher. Other laws, like CCPA, also permit fines per violation.
  • Legal Action: Individuals may have the right to file complaints with regulatory bodies or pursue legal claims, potentially leading to costly settlements or further regulatory scrutiny.
  • Reputational Damage: Failing to respond to DSARs can damage an organization’s reputation, eroding customer trust and loyalty, especially in a privacy-conscious marketplace.

     

Lack of a proactive DSAR framework
  • Operational Inefficiency: Without a structured process, organizations may struggle to locate, verify, and respond to requests within the required timeframe, leading to inefficiencies and non-compliance risks.
  • Higher Compliance Costs: A reactive approach often requires more resources, as each request may require extensive manual processing. Establishing a proactive framework can help reduce these ongoing costs.
  • Increased Risk of Data Breaches: Lack of a clear framework raises the chance of unauthorized access or accidental data disclosure, which can lead to further penalties.
  • Regulatory Scrutiny: Regulators may view the absence of a proactive DSAR process as indicative of broader non-compliance with data privacy standards, prompting more frequent audits or investigations.

 

Take control of your DSAR and data protection with Nuix Neo

Between Data Subject Access Requests (DSAR), Right to Information (RTI), Access to Information (ATI), and SO52, your organization needs to keep on top of a growing number of data privacy laws and standards.

This is where Nuix Neo comes in. Our intelligent software can ingest thousands of data sets, helping to implement a comprehensive data mapping exercise to effectively filter information and identify where your data is stored at scale for easy data discovery.

With a unique ability to process vast troves of data across multiple data points, you can efficiently process DSARs and other tasks like never before. Get in contact with our team and learn how Nuix helped a government body accurately manage data requests 95% quicker.

Request a demo today and discover how you can save on resourcing costs by streamlining workflows so you can effortlessly work within timeframes and remain compliant with data protection laws and standards.