Data Subject Access Requests: Process & Costs
DSAR stands for Data Subject Access Request. It is a request made by an individual, also known as a data subject, to a company or organization, asking for access to the personal data that the company holds about them. The purpose of a DSAR is to allow individuals to understand what personal information is being collected, how it is being used, and whether it is being shared with any third parties.
Today, we’ll be looking at how the DSAR process works and what it might cost your company.
The DSAR Process
The process begins when a customer submits a request to access their personal data. Privacy regulations place no restrictions on how or when these requests can be submitted. However, most customers (and companies) prefer that the request be in writing for recordkeeping purposes.
Once the request has been filed, the DSAR process generally proceeds as follows:
- Record and update details as you process requests. Keep a detailed record of the entire conversation, from request to completion.
- Verify the requester’s identity. This ensures that your company has the information they’re looking for and can safely provide it to them.
- Respond to the specific request submitted. Some requesters may just want to review the data you’ve collected on them, but others want to both view and make corrections. They may also wish to delete their personal information.
- For a right to portability request, compile the information into a single, securely accessible file for the user to download. The GDPR recommends giving the subject direct access to their own data via a secure system. Whatever method you choose, make sure to provide all relevant data.
Companies can appoint a data privacy officer (DPO) to handle DSARs. However, relying on a single person is not a realistic solution for larger companies with lots of data and more than a few dozen DSARs per month. These companies will have more success with a system that partially or fully automates the process. Think of a well-designed DSAR system as a type of business insurance: it reduces potential costs from future complaints and helps protect both your reputation and your customers'.
Regardless of your exact DSAR setup, one principle holds true: document everything. You need to be able to prove that you complied with the law and made a good faith effort at every step of the process.
How Much Does a DSAR Cost?
There’s no one answer to this question because every company handles DSARs differently. Sources of DSAR costs include:
- Salaries for the privacy team
- Legal fees if attorneys need to be consulted
- Fines resulting from delays or customer complaints
All of these costs hinge upon how many DSARs are submitted in a specific period of time and how long each takes to complete.
An efficiently designed and fully automated DSAR strategy can provide significant benefits to businesses. By automating as much as possible, a company can save costs associated with employee salaries. A streamlined DSAR process also reduces the need for legal representation, resulting in fewer expenses for the company. Additionally, prompt and professional handling of requests can significantly reduce the risk of being fined by privacy authorities.
This post is an excerpt from our eBook “Data Subject Access Requests: Costs & Solutions”.