Anurag Chaudhary

Guide to complying with a Data Subject Access Request (DSAR) DSAR is a right that data subjects can exercise to know what personal data an organisation holds on them, for what purpose, how it is processed, and if and with whom the data is disclosed. Parallel to European GDPR, different data privacy regulations, including California’s CCPA and Brazil’s PDPA, globally provide individuals--including employees and customers--with similar rights: to access, correct or delete personal data held by an organisation. DSAR has been in practice for a long time. What has changed with recent data privacy regulations is the ease with which individuals can request access to their data. Coined by GDPR, DSAR is now a generalised term that is used interchangeably with Subject Access Request (SAR). DSAR mandates organisations to provide users with a copy of relevant information upon submission of data subject access requests. Before we get to know DSAR in-depth, let’s acquaint ourselves with the IAPP-formulated definition of ‘data subject’ and ‘personal information’. Under India’s Personal Data Protection Bill, ‘Data Subject’ and ‘Data Controller’ have been termed as ‘Data Principal’ and ‘Data Fiduciary’ respectively. What is a Data Subject? A data subject is an identifiable natural person who, directly or indirectly, can be identified via identifiers like a name, an identification number, an online identifier, location data, or by reference to the person’s one or several factors specific to physical, physiological, genetic, mental, economic, cultural or social identity. In other words, data subjects are human beings/people whose personal data is collected, held and processed by data controllers/organisations. What is referred to as Personal Information? GDPR enlists personal information as any information relating to an identified or identifiable natural person (‘data subject’). In contrast, personal data, as defined in Section-(o) (1) of CCPA, includes information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household. Data Covered under DSAR Among others, names, telephone numbers, account numbers, driving license numbers, passport numbers, employment information, education information, biometric information, IP addresses, email addresses, property purchasing history, geolocation data, internet activities, etc. make the Personal Identifiable Information (PII). A data subject access request can range from asking for specific personal details to seeing a full list of personal information that the organisation holds about them. When data subjects request to access info which an organisation has collected on them, in addition to letting them know about why the information was collected and who else with their info was shared, the organisation is also obligated to make data subjects aware of: ● For how long it has had the data ● For how further it has the plan to hold the data ● If the data was utilised for making an automated decision about them ● If the data was utilised for virtual profiling purpose Data sharing with third-party vendors When a request to delete personal data is made by an individual, GDPR requires an organisation to share the notification with parties that received or processed the relevant subject’s personal information. As per Article 28 of GDPR, data processors are held responsible for fulfilling requests with data controllers. Data controllers should regularly assess what methods the data processors apply or practise to protect the shared personal data. Under both GDPR and CCPA, it is asked of data controllers to sign a detailed written contract with data processors, stating the lawful ways of processing the data, security measures for the protection of data, etc. Comparative Table of Data Subject Rights available under GDPR, CCPA, DPA, and PDPB GDPR CCPA DPA PDPB Information Right to informed be The right to be The right to be N/A informed of informed data collection and rights Accessibility Right to Right to The right of The right to Access Disclosure Right to Data Portability Right Disclosure to The right to The right to data portability portability Right Erasure Right Deletion to The right to The right to be erasure/be forgotten forgotten Objection Right to Object Right opt-out to The right to The right to object confirmation Rectification Right to Rectification N/A The right to The right to rectification correction Restriction Right to Restriction N/A The right to N/A restrict processing Automated Decision Right not to be subject to automated Decision Making N/A Rights N/A relating to automated decision making and profiling Discriminatio n N/A Right not to be N/A subject to discrimination for the exercise of rights Portability Deletion to access access N/A “ ‘Right to be forgotten’ under PDPB--A case in study: Delhi High Court, citing ‘Right to privacy’--which further unfolds into ‘Right to be forgotten' and ‘Right to be left alone’--recently ordered a website called Indian Kanoon to take down the high court verdict link, thus to avoid its indexing on Google and other search engines. “Owing to the irreparable prejudice, which may be caused to him in his social life and career prospects, in spite of the petitioner having ultimately been acquitted in the said case via the said judgement, prima facie this court is of the opinion that the petitioner is entitled to some interim protection, which the legal issues are pending adjudication by this court,’ the court noted in this interim order. The judgement was related to an acquittal sentenced in a drug case to an American citizen of Indian origin who was slapped with a case under the NDPS Act when he visited India in 2009. ” DSAR Workflow Design When a DSAR is received, a company should make sure it abides by all the regulations to the letter to keep potential fines at bay. Designing a DSAR workflow involves the following steps: 1. Registration and authentication of the request: Registering and logging the request creates a record of when the request was received, what info was asked to deliver, among others. Authentication entails verifying the identity of the data subject. 2. Collection of personal information: Staff across multiple data stores with multiple managers should be informed of data collection request. All data should be centralised in one place and exclusion should be made of company-sensitive data. 3. Information review: Both digital and paper records should be reviewed; not someone else’s information is collected; and that the collected information matches the nature of the request, like rectification, deletion, etc. 4. Illustrate the data subject’s rights: Conclude the response with a section reminding data subjects of their privacy rights, like their right to object to how their data is processed, and complain to a supervising authority. 5. Delivery of information: Information should be delivered securely. Communication with the requester should be documented to demonstrate accountability and compliance. Information should be delivered in a standard format to the right person. A company should invest in the development of a compliance-compatible DSAR workflow design, considering the data privacy regulatory landscape is still rapidly evolving. DataSecure.ind.in is a leading vanguard of data protection. It houses a team of experts whose craftsmanship in DSAR workflow software development is spoken highly of. Our clearly defined workflow helps an organisation stay agile and respond effectively to changing compliance requirements. FAQs Medium for Request Requests can be made in writing or verbally. A person can request access to personal information while having a telephonic conversation with the staff of an organisation; it means there is no documented way required. Writing is considered an apt way though; it works as a record for both individuals and organisations. Do individuals need to provide a reason for a DSAR? No, individuals don’t need to state why. Individuals could be asked to verify the identity though, to help the organisation authenticate the requester and locate the requested information. Is there a charge incurred for DSAR Before GDPR came into force, requesting for information access incurred a charge specified by the data controller. But now that GDPR is applicable, organisations need to provide a copy of a user’s personal data for free. According to GDPR, a data subject can be charged a reasonable fee for administrative costs on SAR only if the organisation finds the request made to be ‘manifestly unfounded or excessive.’ Is it possible to submit a DSAR on behalf of someone else? Yes. Individuals can authorise someone to submit a request on their behalf. This applies when: ● A request is made by a parent on behalf of their child ● An individual appointed by the court is managing an individual’s legal affairs ● A solicitor is appointed to act on behalf of the client ● A relative or friend is asked for help by the data subject Time frame for responding to a DSAR Organisations need to fulfil a request “without undue delay”, and the latest within one month of receipt. While dealing with complex data or requests involving the overseas transfer of data, organisations may ask the applicant to extend the deadline by a maximum of two months, stating why the extension is necessary. Time frame varies with regulations. Person responsible for responding to DSAR Generally, a Data Protection Officer (DPO) looks after DSAR responsibilities. If there is no dedicated DPO in an organisation, the duty falls on someone with data protection knowledge. The responsible person should ensure the completion of the process takes place in line with GDPR or parallel regulatory body. Can information be redacted? Although GDPR and CCPA encourage transparency, organisations, when relevant, may redact anything that’s not within the scope of DSAR. A company may redact information if the individual’s requested data is stored alongside sensitive company data, as well as when documents are stored alongside the personal info of other people.