A guide to understanding Data Subject Access Request (DSAR): the meaning, procedures, and challenges.
Privacy is the individual’s right to control the use of their personal data, and DSAR is the mechanism by which individuals can enforce this right. This right to their own information, as used by an organization, is guaranteed by privacy laws like Europe’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA). If your organization collects and uses personal data, especially for European or Californian customers, you should be prepared to respond to DSARs.
The answer to “what does DSAR stand for” is “Data Subject Access Request.” As to what it is, can be derived from the expanded form itself. “Data subject” refers to the individual whose personal data has been collected and is being used by an organization, and “access request” indicates what is being asked of the organization by the individual with respect to this data. Specifically, the DSAR grants the individual the right to access information about their personal data being used by the organization.
Any individual whose personal data is being used by an organization can submit a DSAR to that organization. Additionally, authorized third parties (parent, guardian, someone with Power of Attorney, etc.) can submit a DSAR on behalf of the individual. Such individuals are called “consumers” under CCPA and include any resident of California. Under GDPR, they are called “data subjects” and include any European Union (EU) resident. A DSAR can be submitted in many ways. Common mechanisms include calling a company helpline, sending an email, or submitting a web form on the company website. Sometimes, the term “DSAR” is used interchangeably with other requests that deal with privacy rights of use restriction and deletion, but technically such requests are not DSARs.
The California Consumer Protection Act (CCPA), originally signed into law in 2018 and subsequently amended by the California Privacy Rights Act (CPRA) in 2020, is the most popular privacy legislation in the United States. Unlike Europe, the US does not have a countrywide (or continent wide) privacy law. However, while California was the first off the starting line, other American states are following their lead.
As per CCPA, DSAR applies to California residents only. Moreover, such requests can only be made to for-profit organizations that meet any of the following requirements:
Outside DSAR, the CCPA, unlike GDPR, gives consumers the right to opt out of the sale of their personal data to third parties.
The General Data Protection Regulation (GDPR), adopted in 2016 and effective May 25, 2018, is a pan-European privacy legislation. It was the first comprehensive data privacy law and has become the reference framework for similar legislation across the world. Since Brexit, when the United Kingdom (UK) withdrew from the European Union (EU) in 2020, the UK has enacted the "UK GDPR", which is almost identical to the GDPR. The CCPA also has many similarities with the GDPR.
Compared to CCPA, GDPR rights, including the DSAR, have a broader scope. Unlike the specific “for-profit” requirement and revenue or data thresholds for CCPA, a GDPR DSAR applies to companies and websites of any kind, as long as the company is in the EU or has data of EU residents. Under UK GDPR, a DSAR is actually called a SAR or Subject Access Request and applies to organizations operating in the UK or handling personal data of UK residents.
Outside DSAR, GDPR provides some rights that CCPA does not. One is the data subject’s right to request corrective action to address incomplete or inaccurate personal data stored by organizations. Another is the right to restrict processing of their personal data under certain circumstances or for specific purposes like marketing or research. The DSAR can be the first step an individual uses to obtain information before exercising these other rights.
Any organization that falls under purview of GDPR or CCPA can expect to deal with multiple DSARs. Therefore, it is important that a structured process be established to define how to respond to data subject access requests. Here are the key steps of a DSAR procedure to follow:
The best practice is to aim for a response timeline of 30 days or less. As per Article 12(3) of the GDPR, the data controller must adhere to the data subject access request time limit of one month from the receipt of the DSAR. However, this deadline can be extended to a maximum of three months in certain situations. In general, if more information is required from the requestor to complete the request, the clock stops until it is received. With CCPA, the deadline for a response is longer at 45 days; extensions up to 90 days can be requested for multiple or complex requests.
The consequences of refusing to respond to a DSAR without legitimate reasons (see next section), or not responding in time, are significant. Under GDPR, lack of DSAR compliance can lead to monetary penalties of up to 2% of the organization’s gross annual revenue or €10 million, whichever is higher, if such a refusal is judged to be an unintentional violation. For an intentional violation, the penalty doubles to up to 4% of the organization’s gross annual revenue or €20 million, whichever is higher. The data protection regulator in each EU country has the authority to administer penalties within their jurisdictions. Corresponding numbers under CCPA are up to $2,500 (unintentional) or $7,500 (intentional) per violation. To add to this, affected individuals can sue the relevant organization for damages. The Attorney General for the state of California is in charge of enforcing CCPA requirements and imposing penalties on violations.
Organizations can refuse to respond to a DSAR under very select circumstances. Even then, the organization must inform the consumer (CCPA) or data subject (GDPR) that their request has been denied, provide the reason for the refusal, and describe how the decision can be appealed. Under both GDPR and CCPA, a DSAR can be refused if it is “manifestly unfounded” or “manifestly excessive”. “Manifestly unfounded” means that the requestor has into intention to exercise their right of access, or the request is malicious and used to harass the organization. “Manifestly excessive” can be a scenario where multiple requests are submitted by the same requestor within a short period or the effort to respond will be disproportionately high.
The scope of the DSAR includes personal data not just within an organization’s own environment, but also such data that may have been transferred to third parties such as partners and service providers. While individual organizations often have high visibility into data within their own systems, that is not often the case for data sent to third parties. As a Data Flow Posture Management platform, Riscosity helps address this major visibility gap. Schedule a demo to learn more about how Riscosity enables you to stay in control of your data as it moves.