Data Subject Access Requests (DSAR)

DSARs are most often referred to in the context of European Union privacy laws, but they can apply to regulations in several different jurisdictions. Major relevant data protection regulations include:

General Data Protection Regulation (GDPR)

Considered one of the strongest data protection laws in the world, the European Union’s General Data Protection Regulation (GDPR) was passed in 2016 and became enforceable in 2018. Many other countries have modeled their data protection regulations on GDPR, and the United Kingdom retains GDPR policies despite leaving the EU. The rights of data subjects under GDPR include:

• Right to be informed: Data subjects have the legal right to be informed if their personal data is collected or used.
• Right to access: Data subjects have the right to request copies of their personal data.
• Right to rectification: If a company has inaccurate personal information, the relevant data subject has the right to request corrections.
• Right to erasure: Data subjects have the right to request that a company delete their personal data, subject to exemptions.
• Right to data portability: Data subjects have the right to ask that their data be transferred to another party.
• Right to restrict processing: Data subjects have the right to request the restriction of their personal data.
• Right to withdraw consent: Data subjects may withdraw their prior consent to process personal data.
• Right to object: Data subjects have the right to object to the processing of their personal data, including automated processing or profiling.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) was signed into law in 2018 and went into effect in 2020. Created to strengthen the privacy rights of California residents, CCPA applies to all companies that collect consumer data, do business in the state, and meet certain thresholds for gross revenue or consumer reach. The law gives consumers the right to:

• Know what personal information a business has collected about them
• Know if their information has been disclosed or sold
• Refuse the disclosure or sale of their personal information
• Request and receive a copy of all personal information collected about them by the business
• Request that the information be deleted or corrected

Outside of the DSAR process, consumers also must be notified if their data is being collected.

A DSAR is a request directed to an organization from, or on behalf of, an individual. The request exercises the individual right to obtain a copy of any of their personal data that is collected or held by the organization. 

What Information Can Be Requested Through a DSAR?

The type of information that can be requested can vary by specific privacy laws and regulations. In general, however, data subjects have the right to receive a copy of all the personal data that an organization has on file about the data subject.

Is There a Deadline to Respond to a DSAR?

The amount of time that an organization has to respond to a DSAR depends on the relevant privacy statute. Under GDPR, an organization must comply with the DSAR within one month from the date the request was received. In some cases, the organization can be granted a two-month extension to provide the requested data.

Under CCPA, businesses have 45 days to deliver the data requested in a DSAR. Similarly, CCPA regulations allow extensions for responding to complex requests.

Can Companies Refuse a DSAR?

In some cases, a company may have the right to refuse a DSAR. GDPR stipulates that a DSAR can be refused if it is manifestly unfounded or excessive. Typically, if an organization refuses to provide the requested data, it will still respond in writing with an explanation of why the request is unfounded.

What Are the Penalties for Non-compliance With DSAR Requirements?

Failure to comply with a DSAR can result in penalties or fines. In the case of severe violations, GDPR fines can be up to 20 million Euros or 4% of the company’s total turnover, whichever is higher. Under CCPA, penalties are capped at $7,500 per intentional violation or $2,500 per non-intentional violation, but because these are per-person fines, the total amount can balloon quickly.

Here are the key players in the DSAR process:

• Data subject: Privacy laws give individuals the right to know what personal data companies have about them and how it is being used.
• Data controller: The company that holds consumers’ personal data is the data controller. Specific employees, such as a Data Protection Officer, may fulfill the responsibilities of the data controller.
• Data processor: Usually a third party, the data processor handles data on behalf of the data controller and may help with responding to DSARs.

Having a plan in place makes it easier for companies to handle DSARs as they come:

Preparing for DSARs

Your DSAR policy should be built into a larger data governance plan. Create internal procedures and guidelines for how to accept, document, and respond to requests. Educate all relevant employees on DSAR handling procedures.

Receiving a DSAR

Companies often have a dedicated mailbox or portal for receiving DSARs. Before responding, the data controller must confirm the identity of the data subject. They also must have an internal timeline in place for preparing and sending a response.

Processing the DSAR 

Once a DSAR has been received and the requestor's identity confirmed, the company’s data privacy team will need to assess the scope of the request. Next, they will need to locate and extract all relevant data, while ensuring data accuracy and integrity.

Responding to the DSAR

In responding to a DSAR, the data controller must include all required information in their response, balancing transparency and confidentiality. In general, the response should have a copy of the subject's personal data, information about where and how the organization obtained the subject’s data, and an explanation of why the data was collected. Laws such as CCPA and GDPR do not specify a file format for providing personal data. However, it is recommended to use open formats such as:

• Comma-Separated Values (CSV) file
• JavaScript Object Notation (JSON) file
• Extensible Markup Language (XML) file

Reviewing and Finalizing the DSAR

Once the DSAR has been reviewed, finalized, and sent to the data subject, the data controller also will need to complete a few internal policies. A complete record of the response should be retained for regulatory compliance purposes. The data controller also may need to document any actions taken in reviewing and preparing the response. An internal report on the response process can be used to help inform and refine its DSAR policies.

As an alternative legal services provider (ALSP), QuisLex has extensive experience in helping clients navigate privacy laws and handle DSARs. QuisLex’s attorneys will work in close collaboration with your in-house legal counsel and governance staff to deliver legal process outsourcing for privacy and compliance programs.

With more than 1,000 permanent employees, QuisLex takes a cross-functional approach to our work, so our attorneys are supported by project managers, process experts, technologists, programmers, statisticians, data scientists, and privacy and cybersecurity experts. We use leading legal technology to help clients deal with complex or voluminous data and use AI-powered tools to automate data review processes. QuisLex also can help clients address third-party data or legal exemptions and navigate cross-border data transfers.

QuisLex is well-versed in compliance program design and implementation for a range of global data protection regulations, including:

• GDPR
• CCPA
• California Privacy Rights Act (CPRA)
• The Personal Information Protection Law (PIPL)
• The Personal Information Protection and Electronic Documents Act (PIPEDA)
• Virginia Consumer Data Protection Act (VCDPA)
• Colorado Privacy Act (CPA)

To improve DSAR compliance, we standardize our clients’ internal request management processes and workflows, with an eye toward efficiency and cost savings. We also use data mapping technology to identify trends and targets more effectively.

Given the high volume of data held by most companies, a manual review of consumer records is simply not feasible. Responding to DSARs in the allotted timeframe requires software tools to automate data review and collection processes. Using technology to expedite data review and collection offers cost savings and programmatic efficiencies, and helps businesses respond within the legally required timeframe.

As a technology-agnostic firm, QuisLex does not require clients to use a specific platform for compliance management. Instead, we can offer straightforward advice regarding the software solutions that can help clients automate their data discovery processes and handle DSARs thoroughly and efficiently.

Because of several high-profile data breaches in recent years, many organizations have seen a growing number of DSARs. Plus, although DSARs are designed to protect the privacy rights of individuals, the information contained in DSAR responses can pose a further risk to privacy. Thus, robust cybersecurity measures are crucial for ensuring data privacy protections, both for companies and the consumers they serve.

QuisLex offers DSAR support as part of an ecosystem of data privacy and compliance services. To protect companies during and after data breaches, QuisLex has established a strategic partnership with Exterro to integrate their Smart Breach Review software into our privacy services.

If a data breach occurs, a company must quickly determine whether sensitive personally identifiable information (PII) has been leaked. This type of breach often triggers mandated government reporting and notification of affected consumers. Through our partnership with Exterro, QuisLex can rapidly assess data breaches, fulfilling all relevant privacy law compliance regulations. QuisLex has helped many companies manage DSAR responses after a data breach or incident. Our team knows how to safeguard personal data during DSAR handling and can advise clients on additional security protections for risk mitigation moving forward.

GDPR offers guidance for managing certain categories of sensitive personal information. The regulation outlines multiple special data categories and limits the processing of these data categories unless certain requirements are met, such as explicit consent from the data subject. These special categories include data that reveal:

• Political opinions
• Religious or philosophical beliefs
• Racial or ethnic origin
• Trade union membership
• Health, genetic, or biometric information
• Sexual orientation or sex life

Health Information

GDPR stipulates that specific safeguards for personal health data are needed to maintain consumer confidence and trust, especially given technological advancements in healthcare and telemedicine. Healthcare organizations have an added burden to manage patient data, including genetic and biometric information. Under GDPR, processing this type of health data is prohibited unless one of the following conditions has been met:

• The data subject has given explicit consent.
• Processing the relevant health data is necessary for healthcare services, such as medical diagnosis, assessing the subject's working capacity, or providing treatment.
• Processing relevant health data is necessary for public health purposes, such as protection against cross-border health threats.

Financial Data

While financial data does not fall within the specific categories listed above, the financial services industry still is subject to general GDPR requirements. For online or in-person merchant transactions, the payment service provider is considered the data processor, and the merchant is considered the data controller. Sensitive financial data that must be safeguarded under privacy laws such as GDPR and CCPA include:

• Account numbers
• Credit card numbers
• Credit scores
• Transaction information
• Purchase histories

Use these recommendations to improve your DSAR compliance strategy:

• Ensure good data governance: Allocate sufficient resources for a strong governance program that maintains clean, organized data.
• Maintain transparency: Establish accountability by making sure you have a complete picture of how data flows throughout your organization and any third parties you may share it with.
• Review regularly: Set aside time to audit and update your DSAR procedures as needed, especially as new privacy regulations are passed and existing laws are amended.

For nearly two decades, QuisLex has worked to expand the capacity of in-house legal teams for clients all over the world. Our unparalleled combination of legal expertise and technology savvy means QuisLex is poised to offer robust support for data privacy and compliance programs. Boasting knowledge of data privacy laws in more than 30 domestic and international jurisdictions, our team delivers sophisticated solutions that are tailored to each client’s unique needs.

Headquartered in NY and India, QuisLex has worked with many Global 100 law firms and large corporations. For more information about QuisLex and our data subject access request (DSAR) services, contact us today.