When a customer wants access to the personal data your company has collected on them, they have the right to submit a DSAR, or data subject access request. Your company must comply promptly. Here’s a quick look at what should happen when your business receives a DSAR.
The DSAR Process
The process begins when a customer submits a request to access their personal data. Privacy regulations place no restrictions on how or when these requests can be submitted. However, most customers (and companies) prefer that the request be in writing for recordkeeping purposes.
Once the request has been filed, the DSAR process generally proceeds as follows:
- Record and update details as you process requests. Keep a detailed record of the entire conversation, from request to completion.
- Verify the requester’s identity. This confirms that your company holds the information they’re looking for and can safely provide it to them.
- Respond to the specific request submitted. Some requesters may just want to review the data you’ve collected on them, but others want to both view and make corrections. They may also wish to delete their personal information.
- For a right to portability request, compile the information into a single, securely accessible file for the user to download. The GDPR recommends giving the subject direct access to their own data via a secure system. Whatever method you choose, make sure to provide all relevant data.
Companies can appoint a data privacy officer (DPO) to handle DSARs. However, relying on a single person is not a realistic solution for larger companies with lots of data and more than a few dozen DSARs per month. These companies will find more success with a system that partially or fully automates the process. Think of a well-designed DSAR system as a type of business insurance—it reduces potential costs from future complaints and helps protect both your reputation and your customers’.
Regardless of your exact DSAR setup, one principle holds true: document everything. You need to be able to prove that you complied with the law and made a good faith effort at every step of the process.
How Much Does a DSAR Cost?
There’s no one answer to this question because every company handles DSARs differently. Sources of DSAR costs include:
- Salaries for the privacy team
- Legal fees if attorneys need to be consulted
- Fines resulting from delays or customer complaints
All of these costs hinge upon how many DSARs are submitted in a specific period of time and how long each takes to complete.
An efficiently designed and fully automated DSAR strategy can provide significant benefits to businesses. By automating as much as possible, a company can save costs associated with employee salaries. A streamlined DSAR process also reduces the need for legal representation, resulting in fewer expenses for the company. Additionally, prompt and professional handling of requests can significantly reduce the risk of being fined by privacy authorities.
Responding Properly to DSARs
Increasingly privacy-savvy customers submit DSARs on a fairly regular basis. Fortunately, this doesn’t have to put an unreasonable burden on your privacy team. 4Comply, our signature privacy compliance software, can take the lead and guide your team through the DSAR process. Get in touch today for a demo.
This is an excerpt from our newest white paper, “Data Subject Access Requests: Costs & Solutions”.