The data privacy movement that’s sweeping the globe is fundamentally reshaping the relationship between consumers, their personal information, and the companies that use—and profit from—this information.
Until recently, companies gobbled up huge amounts of personal data without regard for data subject privacy. In part, this was because data subjects lacked an enumerated set of rights. But all that is changing, and it’s changing fast. Europe’s General Data Protection Regulation (GDPR), implemented in 2018, set a new standard for privacy and data protection. According to Gartner, by 2023, 65% of the world’s population will be covered by a comparable data privacy law.
A rapidly-growing number of data subjects worldwide are gaining the rights to control how their information is collected, shared, and stored. As individuals exercise their data rights, companies have a responsibility to fulfill them. Companies that disregard data subject rights can not only face penalties, but they also risk damage to their brand and reputation.
What is a Data Subject Access Request?
The different data privacy laws of the world vary in the specifics, but they’re in overall alignment with the purpose and scope of their common predecessor–the GDPR.
A crucial aspect of the GDPR and the laws that have followed it are they give certain data rights to consumers. The GDPR, for example, grants eight fundamental rights to data subjects; the California Consumer Privacy Act (CCPA) creates eight specific data rights; Brazil’s Lei Geral de Proteção de Dados (LGPD) grants nine rights to data subjects; and Utah subjects are provided four main rights under the Utah Consumer Privacy Act (UCPA).
Some of the main rights that these laws have in common are:
The right of access (or right to know): The right of a user to find out what personal data a company holds on them and to receive a copy of the data held.
The right of deletion: The right of a user to erase the personal information that a company has collected from them.
The right of rectification: The right of a data subject to have incomplete or inaccurate data corrected.
The right of portability: The right of a data subject to obtain a copy of the personal data they have provided to a company in a portable format, and to have that data transmitted directly from the company to a third party.
The right to opt out: The right of a data subject to withdraw their consent to the processing of their personal information (e.g., a request to “do not sell” my personal data).
The right to opt in: The right of a consumer to have their data collected and processed only after they have given an organization explicit consent to do so.
While these rights are automatically granted to data subjects who live in a state or country that has passed a data privacy law, they must typically take some action—such as clicking on a privacy banner or submitting a request to a data controller—to exercise their data rights. This is known as a data subject request, or DAR (sometimes spelled DSAR).
The term “data subject access request” may be used interchangeably with “data subject rights request.” For organizations headquartered in the EU, the former is more common. Other terms that have the same or similar meaning are “consumer rights requests,” “data subject access requests,” and “data rights requests.”
DSARs may also refer more narrowly to a user’s “right to access” request. However, in this article, we will refer to the general practice of exercising and fulfilling data rights as DSARs, a definition used by the International Association of Privacy Professionals (IAPP).
A 2020 report from IAPP and BigID surveyed privacy professionals from around the world about their data rights practices. Organizations reported receiving the following types of DSARs:
Access requests (83% of organizations)
Deletion requests (77%)
Correction requests (23%)
Portability requests (7%)
Opt out/do not sell requests (46%)
Opt in requests (9%)
In 2020, more than half of companies reported receiving fewer than 75 DSARs, including 39% that received 1 - 25 requests. On the other end of the spectrum, 13% of companies received more than 1,000 DSARs. These numbers are expected to grow exponentially as data subjects become more accustomed to exercising their rights.
Who can submit a DSAR?
Any data subject (that is, anyone whose personal data your company has collected and stored) may submit a DSAR, so long as they are protected by an applicable regulation. Most of the time, this is customers or users, such as e-commerce clients, but DSAR requests are not limited to consumers. Other individuals who may submit a DSAR request include:
Employees and former employees
In addition, it is possible in some cases for an individual to submit a DSAR on behalf of another individual. This might occur when the third party making the request has legal authority to act on behalf of the data subject, such as when:
A parent submits a DSAR on behalf of a child
An attorney acts on behalf of a client
A court appointed guardian acts on behalf of somebody unable to manage their own affairs
A friend or relative acts on behalf of a data subject who requested help
Organizations handling third party DSARs must take steps to ensure that the requestor is entitled to act on behalf of the data subject. They can ask for a birth certificate, power of attorney documentation, and other forms of supporting evidence. It is the responsibility of the requestor to provide this information.
IAPP notes in its data rights report that consumer requests are by far the most common DSAR request (70%), although this varies by region (75% in the United States vs 64% in the EU). EU employees are more likely to submit a DSAR than U.S. employees.
Do I have to respond to a DSAR?
Unless your company has legal exemptions for fulfilling DSARs under applicable data protection laws, if you collect and store personal data from users, you are required to respond to a user’s DSAR request.
Exemptions can exist at the data level and at an organization level. Most data protection laws, for instance, exempt government agencies and law enforcement. Many also exempt information, such as medical information and personal financial information, that is covered by other privacy laws. In the United States, this includes laws like the Health Insurance Portability and Accountability Act (HIPAA) and the Fair Credit Reporting Act (FCRA).
Data that is anonymous, or can’t be traced to a particular individual, does not fall under the scope of data protection laws, nor do cookies necessary for the basic function of a website. And for-profit businesses may be exempt from data privacy laws if they do not meet a revenue threshold or other threshold defined in the law.
A final type of DSAR exemption that businesses may be able to claim is for requests that are considered to be “manifestly unfounded,” particularly if they are “excessive.” However, this criteria is only loosely defined, the burden is on businesses to prove that a DSAR falls under this category, and exceptions may apply differently to each organization depending on the scope of their data practices. For relevant context, the United Kingdom Information Commissioner’s Office explains how to deal with manifestly unfounded or excessive requests.
How to Respond to a DSAR
Now that you know what a DSAR is, who can submit a request, and when you may be able to avoid responding to a request, the next step is to develop DSAR request protocols. Rather than going into the details of how to respond to every type of DSAR under each data privacy law, we discuss the steps you should take to manage data subject requests more broadly.
In order to maintain legal compliance, it is crucial that your organization familiarize itself with the different data privacy laws in regions where you conduct business. Data privacy laws can impose steep penalties on noncompliant businesses, as this GDPR enforcement tracker shows. In the first half of 2022, there have been multiple fines for “Insufficient fulfillment of data subject rights,” with one fine exceeding €500,000, and others in the €5,000 – €10,000 range.
1. Understand where data subject information is located
The information that you hold on an individual data subject may be varied and held in numerous locations across the company (databases, file servers, the cloud, applications, hard copy records and forms, emails, etc.). When receiving a DSAR, it is paramount to first and foremost understand what personal information you have on the requestor and where it is stored so that it can be collated. More than half of respondents in the IAPP data rights survey indicated that they plan to invest in data discovery/inventory/mapping to facilitate this process.
2. Have a system for receiving and processing requests
Data subjects have a good amount of leeway for how to submit DSARs. They can submit a request via a toll-free number, by email or filling out a web form, or in person. To complicate matters further, they don’t have to use a term like “DSAR” or “rights request” or “consumer right.” They could just say, “I’d like to know what information you have on me” or “I want to correct inaccurate data” or “I want you to stop selling my data.” Again, know the law for the applicable jurisdiction. The CCPA, for example, stipulates that businesses must provide “two or more designated methods” for submitting requests, including a minimum of a toll-free phone number, and at least one other “acceptable” method, which could be a designated email address or form sent through the mail. But for “Do not sell” opt-out requests, the two or more designated methods must include an interactive form on the website or app.
At a minimum, your business must establish the legally-required methods for data subjects to submit requests. You should also be prepared to handle requests from multiple sources, clarify the nature of the request, and systematize requests to keep them from slipping through the cracks. About 70% of respondents to IAPP’s survey said they process DSARs using email, phone, or an online portal.
3. Be able to verify the requestor’s identity
Before fulfilling a DSAR, you must be able to verify the requestor’s identity. There are several ways to do this, such as email, photo ID, email and password login, challenge question, or using a third party identity verification system. Email and photo ID are the most common methods for verifying a data subject’s identity, per IAPP. In keeping with the data minimization principles found in most privacy laws, businesses should take care not to request more information than is necessary to verify a person’s identity.
After requesting additional data from a subject for verification, businesses need to take steps to protect this information. If a company cannot reasonably verify a person’s ID, they do not have to comply with the request. Turning over data to the wrong person could constitute a data breach. For an overview of ID verification pitfalls under the GDPR and how to avoid them, see this IAPP article.
4. Be aware of deadlines
It is crucial to respond to DSARs within statutorily defined deadlines. These deadlines can vary by request and by data privacy law. For example, the GDPR gives businesses one calendar month within the receipt of the request to respond. The CCPA, on the other hand, has a 45 calendar day response time for requests to know and requests to delete, which may be extended up to 90 days, but only if the business provides the requestor with notice and an explanation for the extension. For CCPA opt-out requests, companies must comply within 15 business days from the date the request was received.
5. Provide the relevant information and record the communication
When responding to a DSAR, the information companies are obligated to return depend on the right being exercised and the relevant data privacy law. Different jurisdictions may have different requirements, even for similar rights. The CCPA’s “Right to Know” is similar to the GDPR’s “Right of Access,”for example, but the GDPR gives subjects the right to obtain more extensive information from a company.
Always document your communication with a requestor, both when receiving and fulfilling a request. A well-documented audit trail is crucial for compliance and accountability.
6. Establish a DSAR management team
It is considered best practice to have a dedicated individual, or group of individuals, for DSAR management. According to IAPP, 70% of organizations have fewer than six employees responsible for DSAR management. Nearly 20% have 1 person and around 50% have 2 – 5 personnel in charge of DSAR management.
Some data privacy laws require companies to appoint a Data Protection Officer (DPO). About half of organizations in Europe have privacy/data protection departments that are in charge of DSAR management, compared to just over 40% in the U.S, where DSAR management is more commonly handled by a company’s legal department. Other departments that may be in charge of DSAR compliance include regulatory compliance, information technology, information security, and customer service.
DSAR compliance as business opportunity
People have become increasingly concerned about, and distrustful of, how companies use their personal information. A recent survey from market research firm Invisibly found that 79% of people disapprove of companies profiting from their personal data. At the same time, an even greater number (81%) told Formation.ai that they would trade their information for a more personalized experience.
What are digital marketers to make of this apparent contradiction? It’s simple: personalization is the key to earning customer loyalty. And the key to earning customer loyalty is trust. These basic points underlie the zero-party data strategy that is emerging out of the shifting data privacy landscape.
Data protection laws are intended to empower individuals and crack down on abusive data practices of the past. While they place added costs and compliance burdens on companies, they also are creating business opportunities.
Understanding–and respecting–data rights are integral to building brand trust. In IAPP’s data rights survey, the most-cited business driver for fulfilling DSARs was GDPR and CCPA compliance–but reputation and transparency were also near the top.
Didomi helps brands create value with trust. To test your compliance for free and learn more about our products, please schedule a demo.