Privacy laws enacted within the past few years, such as the California Consumer Privacy Act (CCPA) and the European General Data Protection Regulation (GDPR), have opened the door for individuals to learn how companies are using and processing their personal information. Consumers can obtain this information by making data subject access requests (DSARs).
For companies, responding to DSARs poses significant challenges. The process is time-consuming and can easily become overwhelming. Finding a consumer’s personal information may be a monumental task, especially if a company has not inventoried its data appropriately.
Additionally, many companies keep years of historical data, which may mean there are many data points for the same action, such as an online purchase. In short, companies need to get their systems ready to respond to DSARs in the most efficient and cost-effective way.
But before we dive into how to respond to DSARs, let’s cover some DSAR basics.
A data subject access request is a way for a consumer to exercise their legal right to obtain their personal data held by a company and to learn how that company is using it.
With a DSAR, a consumer can request that a company disclose their personal data and how that data is actually used, how it is intended to be used, and why. It is one of the rights granted by data privacy laws like the CCPA and the GDPR.
A DSAR is one of the more common requests companies receive under the CCPA or GDPR, so common, in fact, that large companies may become swamped with millions of these requests.
Under the CCPA, DSARs can be filed by or on behalf of “consumers”—defined as any California resident.
Under the GDPR, DSARs can be filed by or on behalf of “data subjects”—identifiable individuals with related personal data.
Parents and guardians can submit a DSAR on behalf of a child. Court-appointed individuals holding the power of attorney can submit a DSAR on behalf of the person whose affairs they are handling.
People entitled to submit a DSAR can do so by calling your company, sending an email, submitting a web form, or even asking in person.
Your company’s response to a data subject access request must provide what is considered personal data under applicable law. But it need not include everything that refers to the data subject, such as, for example, internal memos. Your company can redact information that is private to the company or relates to another person.
That said, your company should include the following in its DSAR response:
Your company should strive to respond to a DSAR within about a month. Under the CCPA, your company has 45 days to respond. You can request extensions for numerous and/or complex requests.
Under the GDPR, if your company responds after 40 days, it may incur fines and penalties.
Your company’s process for responding to a data subject access request should include the following steps:
There are a number of similarities between the GDPR and the CCPA (the latter is sometimes referred to as the “GDPR of the U.S. of A.”). But in the DSAR context, the differences are important to note.
The territorial reach of both the CCPA and the GDPR is extensive, though the latter has the broader reach and scope. The GDPR applies to companies and websites of every kind: a company located outside the European Union that serves EU consumers, or one located in the EU but doing business outside of it, may still be within the regulation’s reach.
The CCPA has a narrower scope. It only applies to companies that have a gross revenue of more than $25 million; collect, buy, sell, or share the data of more than 50,000 consumers or households; or receive more than half their revenue from selling personal data. In addition, the company must collect personal information from consumers in California and must operate in California.
However, because the European and U.S. authorities have a cooperative agreement, your company needs to be aware of both laws.
The right to opt out is significantly different under the two laws.
Under the CCPA, consumers can opt out of the sale of their information to third parties. The GDPR, however, does not provide this option. But there are other rights included under the GDPR, such as the right to opt out of data processing for marketing purposes, and the right to withdraw consent for data processing.
Under the GDPR, companies must comply with data subjects’ requests to correct inaccurate personal information, or for incomplete personal information to be completed. Under the CCPA, consumers have no such right to make these requests.
In addition, under the GDPR, consumers have the right to restrict personal data processing under certain circumstances, as well as the right to object to processing for certain purposes (including profiling, direct marketing, and historical research). The CCPA does not provide these rights.
While the GDPR takes a more active position in reprimanding companies that do not comply, the CCPA is more reactive.
Companies can be fined under the GDPR for non-compliance and data breaches. The penalties can be as high as the larger of €20 million or 4% of their global turnover from the previous fiscal year.
In contrast, the CCPA issues fines for data breaches but not for non-compliance. Its maximum penalties range from $2,500 for violations to $7,500 for intentional violations. It also allows consumers to sue for damages in civil court (limited to $100 to $750 per consumer per incident).
Privacy professionals know responding to DSARs is not easy. Responses can take days or weeks and carry hefty costs. A cloud-based, easy-to-use tool like Logikcull can help your company reduce the time and money it spends responding to DSARs.
For one, with Logikcull, you can collect your company’s data directly from the source, such as Slack, Google Vault, and Microsoft 365. For previously exported documents, you can just drag and drop them into the platform.
Additionally, when responding to a DSAR, your company can upload all its information about the consumer into Logikcull, which will then parse it and analyze it, using hundreds of filters and advanced searches to automatically bypass duplicate and irrelevant data. On average, only 3% of this data will be relevant, which leads to significant time and cost savings.
Logikcull also helps your company automate the processing of its data—allowing you to cull 60% of the documents before you even begin reviewing. And, the document review is streamlined with features in place to protect your company’s privacy, sort and tag the collected data, convert audio and video into searchable text, and thread emails, to name just a few.
Responding to multiple DSARs can stall a company’s operations. But failing to respond in a timely manner can cause financial and reputational damage.
Logikcull’s DSAR software provides your company both the technological solution it needs to process incoming DSARs—and the peace of mind that comes with knowing your company’s DSAR response procedure complies with applicable privacy laws.