
How to Respond to a Data Subject Access Request (DSAR)

Industry & Legal Education
4 Min Read
By: Richard English
Posted: January 10, 2025

https://www.csdisco.com/blog/respond-to-data-subject-access-requests-dsars

This article explains the obligations of the receiving party of a data subject access request (DSAR), including who responds, the timeline for response, reasons to refuse or limit a DSAR response, and how to respond in a way that complies with the relevant privacy laws, such as GDPR and CCPA or CPRA.

Contents

  • Who responds to a DSAR?
  • What are my obligations when I receive a DSAR?
  • How to respond to a DSAR
Download the full guide for free: DISCO's Comprehensive Guide to DSARs

Who responds to a DSAR?

If your organization is covered by a relevant data-protection law and receives a request from an individual who is entitled to access personal information, you must respond to the DSAR.


The GDPR requires organizations that collect personal data on a large scale to appoint a Data Protection Officer (DPO) to oversee compliance with the law.

The CCPA does not require a DPO, but has requirements for training those handling consumer requests. A DPO or someone trained in compliance with the law would be well positioned to respond.

The GDPR guidelines on responding to access requests note that the organization “will have to search for personal data throughout all IT systems and non-IT filing systems based on search criteria that mirrors the way in which the information is structured.” Accordingly, personnel responsible for preparing responses to DSARs must be able to effectively conduct such searches.

What are my obligations when I receive a DSAR?

There are some key points to keep in mind when a DSAR is received.

Timeline for response

The timeline for response begins as soon as the DSAR is received. 

  • GDPR: In Europe, information must be provided “without undue delay and in any event within one month of receipt.” That time may be extended by a maximum of two months in the event of complex or numerous requests, but the data subject must be informed of the delay within the preliminary one-month period. It’s helpful to note that the extension does not require the Data Subject’s consent.

    Did you know? DISCO Ediscovery’s deduplication and dynamic threading features streamline your DSAR response process by removing duplicates and consolidating email threads, significantly reducing the document population and enhancing efficiency. Learn more.

  • CCPA: Under the CCPA, the company must acknowledge receipt within ten days, along with providing certain information about the process. The business must respond to the request within 45 days of receipt. A further 45-day extension is available if the data subject is notified during the first 45-day period. Therefore, the company has a total of 90 calendar days to respond. 
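
The two timelines above can be modelled as a small deadline tracker. The following is an added example, not code from the original post or from DISCO. It assumes that the GDPR’s “one month” runs to the same calendar day of the following month (clamped to the month end), that CCPA periods are counted in calendar days, and that an extension only changes the due date if the data subject was notified within the initial period, as the article describes.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import calendar


def add_months(d: date, months: int) -> date:
    """Same calendar day N months later, clamped to month end (31 Jan + 1 month -> 28 Feb).
    Assumed convention for the GDPR's "one month"; the article does not define it."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass(frozen=True)
class Deadlines:
    law: str
    received: date
    acknowledge_by: Optional[date]   # CCPA only: acknowledge receipt within ten days
    respond_by: date                 # initial response deadline
    extension_notice_by: date        # the data subject must be told of any extension by this date
    extended_respond_by: date        # deadline if the extension was validly invoked


def gdpr_deadlines(received: date) -> Deadlines:
    """GDPR: one month, extendable by a maximum of two further months (three in total);
    the subject must be informed of the extension within the initial month."""
    initial = add_months(received, 1)
    return Deadlines("GDPR", received, None, initial, initial, add_months(received, 3))


def ccpa_deadlines(received: date) -> Deadlines:
    """CCPA: acknowledge within 10 days, respond within 45, one 45-day extension (90 total)
    if the subject is notified during the first 45 days. Calendar days assumed."""
    return Deadlines(
        "CCPA",
        received,
        received + timedelta(days=10),
        received + timedelta(days=45),
        received + timedelta(days=45),
        received + timedelta(days=90),
    )


def effective_deadline(d: Deadlines, extension_notified_on: Optional[date] = None) -> date:
    """The date the response is actually due. A late extension notice extends nothing."""
    if extension_notified_on is not None and d.received <= extension_notified_on <= d.extension_notice_by:
        return d.extended_respond_by
    return d.respond_by


def plan(law: str, received_iso: str, extension_notified_iso: Optional[str] = None) -> dict:
    """String-in, string-out wrapper (ISO 8601 dates) for scripts, dashboards and tests."""
    builders = {"GDPR": gdpr_deadlines, "CCPA": ccpa_deadlines}
    d = builders[law](date.fromisoformat(received_iso))
    notified = date.fromisoformat(extension_notified_iso) if extension_notified_iso else None
    return {
        "acknowledge_by": d.acknowledge_by.isoformat() if d.acknowledge_by else None,
        "respond_by": d.respond_by.isoformat(),
        "extension_notice_by": d.extension_notice_by.isoformat(),
        "due": effective_deadline(d, notified).isoformat(),
    }


if __name__ == "__main__":
    # Constructed sample: a request received on 31 January 2025 under each regime,
    # with an extension notice sent on 1 March (too late under the GDPR, in time under the CCPA).
    for law in ("GDPR", "CCPA"):
        print(law, plan(law, "2025-01-31", "2025-03-01"))
```

The month-end clamp matters in practice: a request received on the 31st has a GDPR deadline of the 28th or 30th of the following month, so a tracker that naively adds 30 days will report a deadline the organization has already missed.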


Reasons to refuse or limit a DSAR

There are limited reasons to refuse or limit a DSAR, including:

  • The rights and freedoms of others: The GDPR provides that the right of access “shall not adversely affect the rights and freedoms of others.” Recital 63 of the GDPR, which provides context but is not legally binding, states that these rights and freedoms may include trade secrets and intellectual property, particularly copyright protecting the software. Other rights and freedoms are covered as well, such as the privacy rights of another person whose information may be included in the information about the data subject. The “rights and freedoms” restriction can be accommodated by measures other than full refusal of access, such as redacting the personal information of others.

    Did you know? DISCO Ediscovery enables mass redactions of user-specified terms or content, wherever it appears in the document database, making DSARs a breeze.

  • Manifestly unfounded or excessive requests: Both the GDPR and CCPA provide that if requests are “manifestly unfounded or excessive, in particular because of their repetitive character,” then the company may charge a reasonable fee for providing the information or refuse the request. These limitations are to be construed quite narrowly, and refusals on this basis should be approached with caution. The company must be able to demonstrate that the request is manifestly unfounded or excessive. For example, a statement by a data subject that they only want to cause disruption to the company may be evidence of an excessive request.

Companies should also be aware of the special categories of information that are protected by other laws.


How to respond to a DSAR: Three stages

Receive and assess

At this stage, note the response deadlines and verify the identity of the person making the request as part of any communications acknowledging receipt of the DSAR. If it is a third party, confirm that the entity is authorized to act on behalf of the data subject. It may also be necessary to request further information to verify the data subject.

Also confirm that it is a request for access (as opposed to another right, like deletion) that is covered by a relevant data protection law – e.g., made on behalf of an EU or California resident, and not for medical information covered by another law.

Your initial response to the DSAR will vary according to the circumstances, including:

  • Information has been collected: Acknowledge receipt of the DSAR and confirm the deadline for your response, as well as the proposed method of delivery or response. Provide the contact details of your DPO or similar title holder for further correspondence.
  • No information has been collected: If no information has been collected about the individual submitting the DSAR, inform the individual that no information has been collected.
  • A large quantity of information has been collected: If the company has a very large quantity of data about the subject, it may ask the data subject to specify the request. A request for specification should not be used to withhold or hide information, but to ensure that the company provides the information the data subject wishes to access. For example, a long-term employee may request access from their former employer. All the data held might include information about use of the office parking garage, salary information, computer logins, and more. A request for specification could reveal the specific types of data the former employee wishes to access. However, if the subject states that they would like to access all information, the company must comply.
  • The request is unfounded or excessive: In very rare circumstances, the company may refuse the request or ask for a processing fee if the request is manifestly unfounded or excessive.

Collect and process the data

Complying with the DSAR will require the collection, processing and review of the subject’s data. This includes:

  • defining relevant search processes based on the particular details of the data subject or consumer (e.g., name, account number, etc.);
  • identifying any limitations on the type of data, such as video or audio files;
  • if applicable, transferring the data to a secure platform that allows for efficient review and redaction workflows.

Prepare and deliver DSAR response

The data revealed should be evaluated for exemptions to the provision of data, such as whether the rights of others are implicated, or if any disclosable content is subject to legal privilege or any other legitimate reason for exclusion. 

In addition, remember that the laws cover personal information or personal data – information that doesn’t fall within the scope defined by the law should not be included.

Compile and prepare the data in a manner that complies with the relevant law’s requirements:

  • For example, the CCPA provides that if the data subject has an account with the company, the data and information shall be delivered through the person’s account. Otherwise, it should be delivered by mail or email at the consumer’s option, “in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance.”
  • Under the GDPR, it is also permitted to provide the DSAR response in a separate document, for example by copying and pasting the Subject/Customer’s personal information into a separate document and disclosing that instead.

Save 82%+ of the hours spent on DSAR response with DISCO

Complying with DSARs can bring up complicated questions and potentially time-consuming procedures. But compiling and preparing the information requested doesn’t have to be overwhelming. With dethreading, deduplication, and mass redaction capabilities, DISCO Ediscovery makes DSAR response fast, compliant, and straightforward.

DISCO client Khadra Isse, Data Protection Specialist at global insurance brokerage Lockton, says,

“Switching to DISCO's DSAR workflow was a game-changer for our team. Previously, a DSAR took us a staggering 817 hours across six people, stretching our resources thin.

With DISCO's streamlined platform, we completed the same task in just 141 hours, with only three people involved. This impressive reduction in time even includes the 35 hours we spent getting oriented with the platform. DISCO not only saved us hundreds of hours but also significantly improved our team's efficiency and focus. We couldn't be more pleased with the results!”

See for yourself how DISCO can help your organization with DSARs and more: Request a demo.

Richard English
Director, Review Operations - EMEA

Richard English is Director of Review Operations, EMEA at DISCO. He has over 12 years of experience in eDiscovery professional services and is a specialist in all aspects of UK DSAR review work.
