Compliance with Data Subject Access Request
Guide to complying with a Data Subject Access Request (DSAR)
A DSAR is a right that data subjects can exercise to learn what personal data an
organisation holds on them, for what purpose, how it is processed, and whether and with
whom the data is disclosed. Alongside the European GDPR, other data privacy
regulations around the world, including California's CCPA and Brazil's PDPA, give
individuals (employees and customers alike) similar rights: to access, correct or
delete personal data held by an organisation.
The subject access right has existed for a long time. What has changed with recent data
privacy regulations is the ease with which individuals can request access to their
data. Coined by GDPR, DSAR is now a generalised term that is used interchangeably
with Subject Access Request (SAR). Organisations are obliged to provide users
with a copy of the relevant information when a data subject access request is
submitted.
Before looking at DSAR in depth, let's review the IAPP-formulated definitions of
'data subject' and 'personal information'. Note that under India's Personal Data
Protection Bill, 'Data Subject' and 'Data Controller' are termed 'Data Principal' and
'Data Fiduciary' respectively.
What is a Data Subject?
A data subject is an identifiable natural person: someone who can be identified,
directly or indirectly, by identifiers such as a name, an identification number, an
online identifier or location data, or by reference to one or more factors specific to
that person's physical, physiological, genetic, mental, economic, cultural or social
identity. In other words, data subjects are the people whose personal data is
collected, held and processed by data controllers (organisations).
What is referred to as Personal Information?
GDPR defines personal data as any information relating to an identified or
identifiable natural person (the 'data subject'). By comparison, personal information, as
defined in Section (o)(1) of CCPA, includes information that identifies, relates to,
describes, is capable of being associated with, or could reasonably be linked, directly
or indirectly, with a particular consumer or household.
Data Covered under DSAR
Names, telephone numbers, account numbers, driving licence numbers, passport
numbers, employment information, education information, biometric information, IP
addresses, email addresses, property purchasing history, geolocation data and
internet activity, among others, all count as personally identifiable information
(PII).
A data subject access request can range from asking for specific personal details to
asking for the full list of personal information that the organisation holds about them.
When a data subject requests access to the information an organisation has collected on
them, the organisation must explain why the information was collected and with whom it
was shared, and must also make the data subject aware of:
● How long it has held the data
● How much longer it plans to hold the data
● Whether the data was used to make an automated decision about them
● Whether the data was used for profiling
Data sharing with third-party vendors
When an individual requests the deletion of their personal data, GDPR requires the
organisation to notify the parties that received or processed that individual's
personal information. Under Article 28 of GDPR, data processors must assist data
controllers in fulfilling such requests. Data controllers should regularly assess the
methods their data processors use to protect the shared personal data. Under both
GDPR and CCPA, data controllers must sign a detailed written contract with their data
processors, setting out the lawful ways of processing the data, the security measures
protecting it, and so on.
Comparative Table of Data Subject Rights available under GDPR, CCPA, DPA, and PDPB

Right              | GDPR                                                 | CCPA                                                                  | DPA                                                        | PDPB
Information        | Right to be informed                                 | The right to be informed of data collection and rights                | The right to be informed                                   | N/A
Accessibility      | Right to Access                                      | Right to Disclosure                                                   | The right of access                                        | The right to access
Portability        | Right to Data Portability                            | Right to Disclosure                                                   | The right to data portability                              | The right to portability
Erasure            | Right to Erasure                                     | Right to Deletion                                                     | The right to erasure/be forgotten                          | The right to be forgotten
Objection          | Right to Object                                      | Right to opt-out                                                      | The right to object                                        | The right to confirmation
Rectification      | Right to Rectification                               | N/A                                                                   | The right to rectification                                 | The right to correction
Restriction        | Right to Restriction                                 | N/A                                                                   | The right to restrict processing                           | N/A
Automated Decision | Right not to be subject to automated Decision Making | N/A                                                                   | Rights relating to automated decision making and profiling | N/A
Discrimination     | N/A                                                  | Right not to be subject to discrimination for the exercise of rights  | N/A                                                        | N/A
'Right to be forgotten' under PDPB: a case study
Delhi High Court, citing the 'right to privacy', which further unfolds into the 'right to be
forgotten' and the 'right to be left alone', recently ordered a website called Indian
Kanoon to take down the link to a high court verdict so as to prevent its indexing on
Google and other search engines. "Owing to the irreparable prejudice, which may be
caused to him in his social life and career prospects, in spite of the petitioner having
ultimately been acquitted in the said case via the said judgement, prima facie this
court is of the opinion that the petitioner is entitled to some interim protection,
while the legal issues are pending adjudication by this court," the court noted in
its interim order. The judgement concerned the acquittal in a drug case of an American
citizen of Indian origin who had been charged under the NDPS Act when he visited
India in 2009.
DSAR Workflow Design
When a DSAR is received, a company should make sure it follows the applicable
regulations to the letter to keep potential fines at bay. Designing a DSAR workflow
involves the following steps:
1. Registration and authentication of the request: Registering and logging the
request creates a record of when the request was received, what information
was asked for, and so on. Authentication means verifying the identity of the
data subject before any data is released.
2. Collection of personal information: Staff responsible for the various data
stores, and their managers, should be informed of the collection request. All
data should be centralised in one place, and company-sensitive data should
be excluded.
3. Information review: Review both digital and paper records to confirm that no
other person's information has been collected, and that the collected
information matches the nature of the request (rectification, deletion, etc.).
4. Explain the data subject's rights: Conclude the response with a section
reminding the data subject of their privacy rights, such as the right to object to
how their data is processed and the right to complain to a supervisory authority.
5. Delivery of information: Information should be delivered securely, in a standard
format, and to the right person. Communication with the requester should be
documented to demonstrate accountability and compliance.
A company should invest in developing a compliance-compatible DSAR workflow,
considering that the data privacy regulatory landscape is still evolving rapidly.
DataSecure.ind.in is a leader in data protection, with a team of experts whose
craftsmanship in DSAR workflow software development is highly regarded. Our clearly
defined workflow helps an organisation stay agile and respond effectively to changing
compliance requirements.
FAQs
Medium for a request
Requests can be made in writing or verbally. A person can request access to personal
information during a telephone conversation with an organisation's staff; no particular
documented form is required. Writing is nonetheless the preferred route, as it provides
a record for both the individual and the organisation.
Do individuals need to provide a reason for a DSAR?
No, individuals don't need to state why. They may, however, be asked to verify their
identity so that the organisation can authenticate the requester and locate the
requested information.
Is there a charge for a DSAR?
Before GDPR came into force, requesting access to information incurred a charge
specified by the data controller. Now that GDPR applies, organisations must provide a
copy of a user's personal data free of charge. Under GDPR, a data subject can be charged
a reasonable fee for administrative costs only if the organisation finds the request to
be 'manifestly unfounded or excessive'.
Is it possible to submit a DSAR on behalf of someone else?
Yes. Individuals can authorise someone to submit a request on their behalf. This
applies when:
● A request is made by a parent on behalf of their child
● An individual appointed by the court is managing an individual’s legal affairs
● A solicitor is appointed to act on behalf of the client
● A relative or friend is asked for help by the data subject
Time frame for responding to a DSAR
Organisations need to fulfil a request "without undue delay", and at the latest within
one month of receipt. When dealing with complex data or requests involving the
overseas transfer of data, organisations may extend the deadline by a maximum of two
months, telling the applicant why the extension is necessary. The time frame varies
between regulations.
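The workflow steps above and the one-month deadline with a justified extension of at most two months, modelled as an added example (this is not code from the page or from DataSecure.ind.in): a request record that keeps an audit log, gates release on identity verification, computes deadlines in calendar months, and keeps only the requester's own non-confidential records. The field names and the sample data store are constructed for illustration.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date

def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of a shorter target month."""
    m = d.month - 1 + months
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

# Constructed sample store: Bob's record and the confidential record must be excluded from Alice's response.
SAMPLE_RECORDS = [
    {"subject": "alice@example.com", "field": "phone", "value": "+44 20 0000 0000"},
    {"subject": "bob@example.com", "field": "phone", "value": "+44 20 1111 1111"},
    {"subject": "alice@example.com", "field": "risk_score", "value": 7, "confidential": True},
]

@dataclass
class DsarRequest:
    requester: str                 # the data subject making the request
    received: date                 # receipt date starts the one-month clock
    identity_verified: bool = False
    extension_months: int = 0
    log: list = field(default_factory=list)   # audit trail for accountability

    def verify_identity(self, checks_passed: bool) -> bool:
        self.identity_verified = checks_passed
        self.log.append(("identity", "verified" if checks_passed else "failed"))
        return checks_passed

    def deadline(self) -> date:
        return add_months(self.received, 1 + self.extension_months)

    def extend(self, months: int, reason: str) -> date:
        # An extension needs a stated reason and may not exceed two months in total.
        if not reason.strip():
            raise ValueError("an extension must state why it is necessary")
        if months < 1 or self.extension_months + months > 2:
            raise ValueError("total extension may not exceed two months")
        self.extension_months += months
        self.log.append(("extension", months, reason))
        return self.deadline()

    def prepare_response(self, records: list) -> list:
        """Keep only the requester's own non-confidential records, after identity checks."""
        if not self.identity_verified:
            raise PermissionError("identity must be verified before release")
        out = [r for r in records if r["subject"] == self.requester and not r.get("confidential")]
        self.log.append(("prepared", len(out)))
        return out
```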
Person responsible for responding to a DSAR
Generally, a Data Protection Officer (DPO) handles DSAR responsibilities. If an
organisation has no dedicated DPO, the duty falls on someone with data protection
knowledge. The responsible person should ensure that the process is completed in line
with GDPR or the equivalent regulation.
Can information be redacted?
Although GDPR and CCPA encourage transparency, organisations may, where relevant,
redact anything that falls outside the scope of the DSAR. A company may redact
information when the individual's requested data is stored alongside sensitive company
data, and when documents also contain the personal information of other people.