One of the legislation to protect customers’ privacy and confidential data is the General Data Protection Regulation (GDPR). This law applies to European residents and the organizations that do business with EU companies and gives them rights regarding how a company collects, stores, and uses their personal data. With these rights, they also have the right to access their own data by making a data subject access request (DSAR request). Every company must respond to this request. For instance, Apple and even its competitors have set procedures in place to help its customers to request their personal data conveniently.
Likewise, the California Consumer Privacy Act (CCPA) has established similar rights as well. However, you may be wondering what a DSAR is and how you, as an organization, can comply with it in order to prevent loss of reputation and hefty penalties. In order to know the details, keep reading this article!
What is a Data Subject Access Request (DSAR)?
If a company holds the personal data of an individual (data subject), they can request information for their data in order to know what kind of data the company has stored of that individual and how it is used.
They can also ask you to remove their data, alter any incorrect data, or even stop storing their data in the future. DSAR can be made by an individual whenever they want you to have to respond within a limited timeframe.
Who Can Submit a DSAR?
Although many organizations may think that personal data can be requested by their employees or customers only, it’s not limited to them. Data can also be requested by partners, contractors, and suppliers.
In some cases, these individuals may not directly submit a data subject access request with you. Instead, someone else may submit it on their behalf. For instance:
- A parent
- A guardian
- A legal representative
- A relative or a friend
In such a scenario, you must make sure that you are handing over the personal data to an authorized person, otherwise, you may be subject to a breach of privacy.
How to Verify the Data Subject?
As it’s critical for a company to confirm the identity of the data subject, it can obviously access the personal data it already holds of that individual for assurance and confirmation.
Email and photo identification are a few of the common ways to verify the data subject. However, you shouldn’t ask for extra information and stick to the essentials only for the verification process.
What Is the Time Limit for a Data Subject Access Request?
As soon as you receive a DSAR from an individual, you are required to respond within 30 days by GDPR and 45 days by CCPA.
However, it’s ideal to respond within a month and in case you get a lot of requests from the same person or the requests are quite complex, you can respond within 2 months. In this case, you must inform the individual about the delay and provide them with an explanation.
If your explanations aren’t valid, you may have to face legal charges and regulatory penalties, and this will simply cause you to lose your goodwill.
Who Should Respond to a DSAR?
A corporation can hire a Data Protection Officer (DPO) or a controller who can take care of all the matters related to DSAR.
Now, it doesn’t mean that a DPO must execute all the requests. A team can be appointed for the regulation of the process, and a DPO can simply overview the processes and document all the requests to make sure no request is accidentally overlooked.
As this can be quite exhausting and time-consuming, some companies even have automated DSAR processes in place to make sure every request is executed more efficiently and in a timely manner.
Can You Charge a Fee for a DSAR?
You can never view data subject access requests as a source of profit, but you can charge an administrative fee in certain circumstances.
You can charge a reasonable fee if you are certain that the data subject is making unreasonable requests, or they are requesting the same information over and over again.
This can allow you to keep the data subject access requests under control and prevent overlapping, but you must be very sure that you are not charging them a fee unnecessarily.
What Happens if You Refuse to Respond to a DSAR?
There’s no set definition for the exceptions to a DSAR, and therefore, this can be a bit problematic for some organizations as to when it is reasonable to refuse a request.
However, you can only refuse to respond to a DSAR if you are sure that the intent is malicious or the data subject keeps making requests frequently to simply cause disruption. Another exception could be when the request is clearly and simply unreasonable.
When refusing a request, there shouldn’t be any confusion, so you can stand your ground to the supervisory authorities when asked for an explanation. You should also notify the data subject of the reasons for refusal, along with their right to file a complaint with the authorities.
Follow Techdee for more!