
DSARs Demystified: What Corporate Counsel Need to Know About Data Protection Laws

Data protection laws, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), are a major cause for concern for organizations.

While the biggest fines garner headlines, such as the €746 million fine issued against Amazon in July 2021 for failing to process personal data in compliance with the GDPR (which the company is appealing), enforcement isn’t limited to the big players. The GDPR Enforcement Tracker website reveals a wide range of fines and penalties imposed for violations of all sizes.

While the CCPA is aimed more at large businesses and only California residents can exercise its rights, it still casts a wide net. The CCPA applies to for-profit businesses that do business in California and meet any of the following criteria:

  • Have a gross annual revenue of over $25 million;
  • Buy, receive, or sell the personal information of 50,000 or more residents, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

Companies have had to create new systems and establish new protocols and policies to manage data compliance under these laws. One system that companies must have in place is a means of responding to data subject access requests or DSARs.

What is a data subject access request (DSAR)?

A data subject access request (DSAR) is the means by which protected individuals can request access to the data that companies have about them. The terms “data subject access rights,” “subject rights request,” and “privacy rights requests” are interchangeable.

Although there are nuances to each specific law granting DSAR rights, these data privacy laws provide a similar set of rights for individuals. They give individuals (including employees and consumers) rights over their data, including:

  • The right to know what data companies are collecting about them and why;
  • The right to access the personal data that a company has collected about them;
  • The right to have a company delete the data that it has collected about them;
  • The right to correct their personal data; and
  • The right to opt out of the sale of their personal data.

Each data privacy law defines personal data in its own way, but generally speaking, personal data includes identifying markers such as name, birth date, ID numbers, demographic information, physical or digital addresses, and the like.

What is the cost of a DSAR?

For responding companies, the cost of DSARs can be substantial in terms of both time and money. DSARs are akin to discovery requests in litigation, except that the “plaintiff” doesn’t have to file a case or pay court costs. Responding to DSARs can pose the same challenges as responding to litigation discovery requests—and fortunately, the technology developed to manage eDiscovery can also be used to respond to DSARs.

There is no fee to make a DSAR, and companies are generally not allowed to charge a fee to recoup the costs associated with responding to requests. The GDPR allows for a few exceptions when the company can declare the request “manifestly unfounded or excessive” and either refuse the request or charge an administrative fee.

When is a DSAR response required?

The GDPR requires organizations to respond to DSARs “without undue delay and at the latest within one month,” though an extension of two months is permitted if the request is complex. The CCPA gives businesses 45 days to respond, with an additional 45 days allowed if they notify the individual.

If the individual includes a request for data deletion, the GDPR also requires organizations to share responsibility with all downstream parties to adhere to the request.

Here are six ways that organizations can contend with the demands of DSARs.

  1. Provide a DSAR request form. There are a variety of ways an individual can make a DSAR. They might send an email, mail a letter, post on the company’s social media page, call the company, or send a request through a website chatbot. Companies must therefore have a protocol in place and train their employees to spot DSARs. Organizations can expedite the intake process by providing a clearly designated DSAR request form on their website. The CCPA requires businesses to designate at least two methods to submit a request, with one of those methods reflecting the primary way the business interacts with its customers, such as a toll-free phone number or an online portal.
  2. Automate data subject authentication. The CCPA requires businesses to disclose information upon receipt of a “verifiable” consumer request, meaning companies must verify the requester’s identity—or run the risk of creating a data breach while responding to a fake DSAR. Look for automated technologies that can compare user documents to quickly and effectively verify a requester’s identity.
  3. Establish protocols for DSARs from employees and former employees. When a DSAR comes in from an employee or former employee, companies must take special precautions. These DSARs may involve sensitive data such as trade secrets, privileged communications, or the personal data of other employees. The company therefore needs to have a separate protocol and policy in place to handle DSARs from employees or former employees, including a heightened review from the legal and HR teams. Note that these requests could also be a precursor to litigation.
  4. Delineate a DSAR workflow. To maintain compliance with potentially conflicting privacy laws, organizations need a coherent and comprehensive strategy for responding to DSARs. Efficiency demands that there be a coordinated response across the organization, including the legal and compliance teams as well as IT and any implicated business units. By designating a clear workflow, organizations can respond quickly without duplicating steps or creating bottlenecks.
  5. Maintain an up-to-date data map. A data map—a comprehensive inventory of an organization’s IT systems—is a critical tool for identifying data that may be responsive to a DSAR, including data that is kept by third parties. Building and maintaining a data map will also help the organization minimize data duplication.
  6. Leverage eDiscovery technology. Companies can gain vast efficiencies by harnessing the capabilities of eDiscovery technology to locate data responsive to a DSAR. The machine learning algorithms of modern eDiscovery solutions make quick work of reviewing unstructured data and automating the process to save time and effort. The same technology can also be used to redact sensitive information that the requester is not authorized to see.

Don’t let DSARs trip up your organization

As the public becomes more aware of their rights under data protection laws, the use of DSARs will continue to grow, causing headaches for organizations that fail to take them seriously.

Companies should be cautious about how much personal information they collect, especially in the age of pandemic-related contact tracing. By planning for DSARs, proactively mitigating data risks, and equipping themselves with advanced eDiscovery technologies, companies will avoid being tripped up by the evolving challenges of DSARs.

Modern eDiscovery tools from IPRO can help organizations maintain compliance and speed in responding to DSARs.