What is DSAR?

Data Subject Access Requests (DSARs) give individuals the right to discover what data an organization is holding about them, why the organization is holding that data and who else their information is disclosed to.

DSAR specifically is a term introduced by GDPR and is associated with a specific set of rights and obligations, but has since taken on the more general meaning above. It is often used interchangeably with Subject Access Request (SAR).

How much does responding to all of these requests cost a business? The average cost is around $200, but some organizations report as much as $2,350 because of data complexity!

Are they a big deal? Yes! 46% percent of data protection related complaints lodged with the Information Commissioner’s Office (ICO) in the UK, (where data protection laws have a longer history) focus on DSARs.

 

How will DSAR impact your operations?

Timely responses to DSARs are not only required by CCPA and GDPR, but are critical to building trust with your customers and potential customers. By showing what you are collecting, who you are sharing it with and why, and where you keep their data, you build trust with your customers. 

 Ultimately, how DSAR impacts your brand will depend on how well you prepare for upcoming operational challenges.

 

Complying with DSAR policy requires transparency, collaboration, and human judgment

Preparing for DSAR under CCPA or GDPR isn’t a one and done activity. Now, more than ever, you need to establish a continuous process that can flexibly adjust as requirements change. Technology can increase your visibility and save you time. But, at the end of the day, human judgment is essential to your success.

Preparing for DSAR requests will be a collaborative effort among data privacy officers, information technology teams, and business leaders. To make decisions you must understand your data, be able to quickly and easily log requests, collect and review the information, before you securely deliver it to the requestor. Central to DSAR is being responsive, and ensuring security and data minimization.

Even if your organization has already prepared diligently for GDPR, you’ll need to revisit your DSAR program to comply with CCPA as the two laws have overlapping requirements but distinct differences. 

 

Data covered by DSAR

If you’re accustomed to thinking of personal data as “PII” under U.S. state data breach laws, you’ll find the CCPA’s definition far broader. Personal data as defined in Section 1798.140(o)(1) includes “Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Specifically:

Information typically considered PII under state breach laws, such as names, unique personal identifiers, account names, social security numbers, driver’s license numbers, passport numbers, and biometric information.

Aliases, IP addresses, “characteristics of protected classifications under California or federal law,” commercial information (defined to include personal property records or purchasing history), geolocation data, internet activity (including browsing and search history as well as web tracking data), professional and employment information, and education information.

“Audio, electronic, visual, thermal, olfactory or similar information” and “inferences drawn” from any of the information contained in the definition. 

 

DSAR Procedure: How to Respond to DSAR Requests

1. Register, log, and authenticate the DSAR: 

Companies need an easy way to receive, log, and authenticate the DSAR, and to automatically notify the person and company leads.

Risk: Missed or unauthenticated requests: Without automation, important requests could be missed. Without authentication, cannot trust the requestor.

 

2. Collect the personal information:

Assign and manage the collection of information, usually from multiple data stores with multiple owners/managers.

Risk: Tracking, data minimization, and security:Requests need to be managed to make sure deadlines are met. Systems that manage DSARs should keep the personal information centralized and encrypted.

 

3. Review and approve the information:

Review the request and the personal information, and ensure that you are delivering what is required to the right person

Risk: Audit, data minimization and security:Approvals must be tracked and auditable. 

 

4. Safely deliver the customer information:

Personal information needs to be delivered to the right person, in a secure way

Risk: Authentication, verification, and security: Big risks if data is delivered to the wrong person.

 

Risks of Using Email to Manage DSARs

Using existing e-mail or document management systems to manage customer data requests brings huge security risks. You don’t want your customer data floating around in those systems.

Moving personal information into unencrypted systems can be perilous

When starting to manage customer DSAR requests, it can be tempting to use existing systems, like email, content management systems (such as Sharepoint), or something else you have already bought.

But, moving personal information or customer data out of the encrypted data stores, and into other systems can bring significant risks. These critical data sets need to be controlled and secured.

Chances are high you’ll experience a data breach of some sort in an unencrypted system. In fact, you’re more likely to suffer a data breach of at least 10,000 records than you are to catch the flu this winter.2 Considering it takes organizations an average of 196 days to detect a breach, you may already be experiencing one.3

Pick the system now that encrypts the information at rest, in transit, and controls where it will be stored to manage your DSARs. 

 

Operational Challenges to DSAR 

Responding to Access Requests

If a consumer submits a verified request you must provide detailed answers quickly — within 45 days — in an electronic, transferable format. Your obligations to respond vary, depending on what consumers ask for and how their information is handled.

If you collect personal information from a consumer you must provide

  • Categories of personal information your business has collected
  • Specific pieces of personal information your business has collected
  • Assurances that you honor deletion requirements

If you collect personal information about a consumer you must provide

  • Categories of personal information your business has collected
  • Specific pieces of personal information your business has collected
  • Categories of sources from which the personal information was collected
  • The business or commercial purpose for the collection
  • Categories of third parties with whom your business shares the personal information.

If you sell or disclose personal information about consumers you must provide

  • Categories of personal information you have collected about the consumer
  • Categories of personal information you have sold about the consumer
  • Categories of third parties to whom the personal information was sold (organized by category of personal information for each third party)
  • Categories of personal information you disclosed about the consumer for a business purpose.

Managing Deletion Requests

Deletion requests involve not only team members around your organization, but also all vendors and partners with whom you shared the personal information.

If you shared personal information with different internal teams and systems

You must be able to track back to the data stores sources and request that the personal information has been deleted.

If you disclose personal information to third parties, such as vendors or partners

You’ll need to be able to send a deletion request quickly and automatically when you get a deletion request to all of the downstream parties who received that information.

Communication with Consumers

To comply with CCPA you will need to:

  • Include a “Do Not Sell My Personal Information” link on your home page.
  • Set up a publicly accessible web page to allow consumers to opt out, without requiring them to create an account.
  • Share publicly a list of categories of PI collected, shared and disclosed about consumers in the last 12 months and update the information every 12 months.
  • Offer at least two methods for submitting requests for disclosure, including at minimum a toll-free number and a mechanism on your website.

To Comply with DSAR, you need to support customer data requests to:

  • Access their information
  • Have inaccurate information corrected
  • Have information erased
  • Opt-out of direct marketing
  • Opt-out of automated decision-making & profiling
  • Have data portability

 

How to begin preparing for DSARs

Discover and categorize your data

One word in the language of CCPA keeps coming up: “categories.” To comply with disclosure requirements and respond to access requests, you will need to organize data into categories and record and track those categories.

One product at a time

Preparing for CCPA and GDPR can seem overwhelming if you try to tackle every issue at once, particularly if you have multiple products that touch consumer data or complex, multi- party processes for data storage, manipulation, sharing and selling.

Working backwards from the goal of processing a timely, accurate and clear SRR, you can focus on tech systems that directly impact customer data and communications:

  • CRM systems like Salesforce
  • Marketing and advertising systems
  • Product usage data
  • Technical support systems
  • Billing systems
  • ERP systems
  • Customer communities
  • Systems that provide customer data to you
  • Third parties that process downstream data you provide

You can break the problem down by focusing on specific products. If you’re launching new products you should build privacy into the design from the start. For existing products, include product managers and business owners on the team so they have visibility into all process streams that touch data. You’ll have tighter alignment with tangible business goals instead of getting lost in the details of process streams.

“Without good data mapping and inventory, no business can hope to accurately make the category-centric disclosures emphasized by the statute, let alone comply with verified requests from consumers for specific pieces of personal information.”

– Lee Matheson, International Association of Privacy Professionals.

 

How WireWheel Can Help

Whether you’re working to meet CCPA & GDPR  requirements or any other privacy mandate now or in the future, building your privacy operations on these four pillars gives you the visibility and control you need to be successful.

WireWheel allows you to create easy to use DSAR portals that your customers can use to make requests and allows you to respond quickly, efficiently and securely. to them automatically.

Learn more about our DSAR software and request a demo today.