If you're running a business that handles customers' data, there's a high chance you've already received (or will receive) a data subject access request (DSAR). DSARs can be submitted by any individual who believes you hold information about them, regardless of whether or not you actually do.
A DSAR is a formal request from an individual for information about themselves that is held by an organization.
As a business, you're required by law to comply with a DSAR within 30 days, free of charge. DSAR compliance can be a daunting task, but it's important to remember that you are not alone in this. Below is a list of five steps you can take to make sure you comply with a DSAR. We've also included a few tips to help you along the way.
1. Verify the request
The first step is to verify that the request is coming from a real person. You can do this by asking for identification, such as a copy of their driver's license or passport.
You should also check that the request is made in writing and includes the individual's name, address, and a description of the information they're requesting.
2. Find the data
Once you've verified the request, you'll need to locate the data that's being requested. This can be a challenge if you don't have a good system for storing customer data.
If you have a customer database, run a search for the individual's name and contact information. You can also search through physical records, such as paper files or hard drives.
3. Review the data
Once you've found the data, you'll need to review it to determine what information can be released. This is where things can get tricky, as you'll need to balance the individual's right to information with other rights and interests.
For example, you may need to redact information that would identify other individuals or trade secrets. You should also consider whether or not the information is accurate and up-to-date.
4. Prepare the data
Once you've reviewed the data, you'll need to prepare it for release. This may involve removing sensitive information, formatting the data in a specific way, or translating it into another language.
5. Send the data
The final step is to send the data to the individual who submitted the DSAR. You can do this electronically or by mail.
If you're sending the data electronically, you should encrypt it to protect the individual's privacy. If you're sending it by mail, you should use a secure delivery method, such as registered mail.
The GDPR
The GDPR is a regulation of the European Union that went into effect on May 25, 2018. It strengthens and builds on the EU's previous data protection framework, which it replaced.
The GDPR sets out strict rules about how personal data must be collected, used, and protected. It gives individuals the right to know what personal data is being collected about them, the right to have that data erased, and the right to object to its use.
The GDPR applies to any company that processes the personal data of individuals in the EU, regardless of whether or not the company is based in the EU.
If you're running a business that handles customer data, it's important to be aware of the GDPR and how it affects you.
The CCPA
The state of California has a law similar to the GDPR called the California Consumer Privacy Act (CCPA). The CCPA went into effect on January 1, 2020, and applies to any company that does business in California and meets one of the following criteria:
- Has annual revenue of more than $25 million
- Buys, receives or sells the personal information of 50,000 or more consumers, households, or devices
- Derives 50% or more of its annual revenue from selling consumers' personal information
If your business meets any of the above criteria, you must comply with the CCPA.
The CCPA gives California residents the right to know what personal data is being collected about them, the right to have that data erased, the right to opt-out of its sale, and the right to equal treatment regardless of their source of income.
The CCPA also requires businesses to provide a privacy policy that explains what personal information is being collected and how it will be used.
The CCPA applies to any company that processes the personal data of individuals in California, regardless of whether or not the company is based in California.
If you're running a business that handles customer data, it's important to be aware of the CCPA and how it affects you.
The Bottom Line
Data Subject Access Requests are a way for individuals to exercise their rights under data protection laws, such as the GDPR and the CCPA. If you receive a DSAR, you'll need to take steps to find the requested data, review it, prepare it for release, and send it to the individual who submitted the request.
Complying with DSARs can be time-consuming and expensive, but it's important to do so if you want to avoid penalties.
If you're running a business that handles customer data, it's important to be aware of your obligations under data protection laws. Failing to comply with these laws can result in significant fines.
Hopefully, this article has given you a better understanding of DSARs and how to comply with them.