Privacy laws enacted within the past few years, such as the California Consumer Privacy Act (CCPA) and the European General Data Protection Regulation (GDPR), have opened the door for individuals to learn how companies are using and processing their personal information. Consumers can obtain this information by making Data Subject Access Requests (DSARs).
For companies, responding to DSAR requests poses significant challenges. The process is time-consuming and can easily become overwhelming. Finding a consumer’s personal information may be a monumental task, especially if a company has not inventoried its data appropriately.
Additionally, many companies keep years of historical data, which may mean there are many data points for the same action, such as an online purchase. In short, companies need to get their systems ready to respond to DSARs in the most efficient and cost-effective way.
But before we dive into how to respond to DSARs, let’s cover some DSAR basics.
What is a DSAR?
A DSAR is a way for a consumer to exercise their legal right to obtain their personal data held by a company and to learn how that company is using it.
With a DSAR request, a consumer can ask that a company disclose their personal data and how that data is actually used, how it is intended to be used, and why. It is one of the rights granted by data privacy laws like the CCPA and the GDPR. (In the specific case of the UK, DSARs are best know as SAR requests and are ruled by the UK-GDPR.)
A DSAR is one of the more common requests companies receive under the CCPA or GDPR. So much so that large companies may become swamped with millions of these requests.
Who Can Submit a DSAR?
Under the CCPA, DSARs can be filed by or on behalf of “consumers”—defined as any California resident.
Under the GDPR, DSARs can be filed by or on behalf of “data subjects”— identifiable individuals with related personal data.
Parents and guardians can submit a DSAR on behalf of a child. Court-appointed individuals holding the power of attorney can submit a DSAR on behalf of the person whose affairs they are handling.
People entitled to submit a DSAR can do so by calling your company, sending an email, submitting a web form, or even asking in person.
What Should Companies Include in a DSAR Response?
Your company’s response to a data subject access request (DSAR) must provide what is considered personal data under applicable law. But it need not include everything that refers to the data subject, such as, for example, internal memos. Your company can redact information that is private to the company or relates to another person.
That said, your company should include the following in its DSAR response:
- A confirmation that the company is processing the consumer’s personal data
- A copy of or access to the personal data of the data subject
- The lawful basis for personal data processing
- The length of the data retention period (In other words, how long will the data be stored for?)
- The names of third-party organizations with whom the company is sharing information
- Categories of personal data used for processing
- How the data has been obtained (If it wasn’t collected directly from the consumer)
- Any relevant information about automated decision-making, such as profiling
The DSAR Process End-to-End
Your company should strive to respond to a DSAR within about a month. Under the CCPA, your company has 45 days to respond. You can request extensions for numerous and/or complex requests.
Under the GDPR, if your company responds after 40 days, it may incur fines and penalties.
Your company’s process for responding to a data subject access request should include the following steps:
- Identity verification: Your company must confirm the person requesting personal data is the data subject themselves or has a legal right to receive the data subject’s personal data. Sharing personal data with the wrong person could constitute a data breach.
- Request clarification: Most of the time, consumers simply want to know what kind of personal data your company has on them. But sometimes they will file a DSAR in connection with exercising one of their privacy rights, such as the right to erasure. If the request will take longer to respond to and your company will need an extension, you should make that clear in your response.
- Data review: Carefully reviewing the data your company plans to send in response to a DSAR can ensure it doesn’t contain someone else’s personal information.
- Data packaging: Your company should deliver data that is secure and directly accessible to the person that submitted the DSAR.
- An explanation of rights: Your company’s response should include an explanation of the consumer’s data privacy rights. Send this alongside the data to the person making the request and make sure you document this action.
DSARs Under the CCPA and GDPR: The Key Differences
There are a number of similarities between the GDPR and the CCPA (sometimes referred to as the “GDPR of the U.S. of A.”). But in the DSAR context, the differences are important to note.
The territorial reach of both the CCPA and GDPR is extensive even though the latter has a broader reach and scope. Under the GDPR, which applies to companies and websites of every kind, if a company is located outside the European Union but includes EU consumers, or if it is in the EU but doing business outside of it, it may still be within the regulation’s reach.
The CCPA has a narrower scope. It only applies to companies that have a gross revenue of more than $25 million; collect, buy, sell, or share the data of more than 50,000 consumers or households; or receive more than half their revenue from selling personal data. Companies must also collect personal information from consumers in California and they must operate in California.
However, because the European and U.S. authorities have a cooperative agreement, your company needs to be aware of both laws.
The Right to Opt Out
The right to opt out is significantly different under the two laws.
Under the CCPA, consumers can opt out of the sale of their information to third parties. The GDPR, however, does not provide this option. But there are other rights included under the GDPR, such as the right to opt out of data processing for marketing purposes, and the right to withdraw consent for data processing.
The Right of Rectification
Under the GDPR, companies must comply with data subjects’ requests to correct inaccurate personal information, or for incomplete personal information to be completed. Under the CCPA, consumers have no such right to make these requests.
In addition, under the GDPR, consumers have the right to restrict personal data processing under certain circumstances, as well as the right to object to processing for certain purposes (including profiling, direct marketing, and historical research). The CCPA does not provide these rights.
While the GDPR takes a more active position in reprimanding companies that do not comply, the CCPA is more reactionary.
Companies can be fined under the GDPR for non-compliance and data breaches. The penalties can be as high as the larger of €20 million or 4% of their global turnover from the previous fiscal year.
In contrast, the CCPA issues fines for data breaches but not for non-compliance. Its maximum penalties range from $2,500 for violations to $7,500 for intentional violations. It also allows consumers to sue for damages in civil court (limited to $100 to $750 per consumer per incident).
Using DSAR Software to Speed Your Response
Privacy professionals know responding to DSARs is not easy. Responses can take days or weeks and carry hefty costs. A cloud-based, easy-to-use tool like Logikcull can help your company reduce the time and money it spends responding to DSARs.
For one, with Logikcull, you can collect your company’s data directly from the source, such as Slack, Google Vault, and Microsoft 365. For previously exported documents, you can just drag and drop them into the platform.
Additionally, when responding to a DSAR, your company can upload all its information about the consumer into Logikcull, which will then parse it and analyze it, using hundreds of filters and advanced searches to automatically bypass duplicate and irrelevant data. On average, only 3% of this data will be relevant, which leads to significant time and cost savings.
Logikcull also helps your company automate the processing of its data—allowing you to cull 60% of the documents before you even begin reviewing. And, the document review is streamlined with features in place to protect your company’s privacy, sort and tag the collected data, convert audio and video into searchable text, and thread emails, to name just a few.
Responding to multiple DSARs can stall a company’s operations. But failing to respond in a timely manner can cause financial and reputational damage.
Logikcull’s DSAR software provides your company both the technological solution it needs to process incoming DSARs—and the peace of mind that comes with knowing your company’s DSAR response procedure complies with applicable privacy laws.
If you’d like to see how Logikcull can fit into your DSAR response process, request a demo with us today.