The DSAR Process: 5 Steps to Rights Fulfillment


When a customer wants access to the personal data your company has collected on them, they have the right to submit a DSAR, or data subject access request. Your company must comply promptly. Here’s a quick look at what should happen when your business receives a DSAR.

The DSAR Process

The process begins when a customer submits a request to access their personal data. Privacy regulations place no restrictions on how or when these requests can be submitted. However, most customers (and companies) prefer that the request be in writing for recordkeeping purposes.

Once the request has been submitted, the company is obligated to respond in a timely and satisfactory manner. The DSAR process consists of these steps:

  1. Verify the requester’s identity. This ensures that you have the information they’re looking for and that you can safely provide it to them.
  2. Double-check what the subject wants. Some requesters may just want to see the data you’ve collected on them, but others want to change or remove it. (Using a pre-built form for DSAR submissions helps customers make their intentions clearer since they can choose an option from a drop-down menu.)
  3. Compile the information into a single, securely accessible file. The GDPR recommends giving the subject direct access to their own data via a secure system. Whichever method you choose, make sure to provide all the requested data—no more, no less.
  4. Inform the requester of their rights. Remind customers that they ultimately hold the power over their own data.
  5. Send off the requested data. Keep a detailed record of the whole conversation and process for your own legal team.

Companies can appoint a data privacy officer (DPO) to handle DSARs. However, relying on a single person is not a realistic solution for larger companies with lots of data and more than a few dozen DSARs per month. These companies will find more success in a partially or fully automated DSAR response setup. Think of a well-designed DSAR system as a type of business insurance—it reduces potential costs from future complaints and helps protect your and your customers’ reputations.

Remember, regardless of your exact DSAR setup, one principle holds true: document everything. You need to be able to prove that you complied with the law and made a good faith effort at every step of the process.

How Much Does a DSAR Cost?

There’s no one answer to this question because every company handles DSARs differently. Sources of DSAR costs include:

  • Salaries for the privacy team
  • Legal fees if attorneys need to be consulted
  • Fines resulting from delays or customer complaints

All of these costs hinge upon how many DSARs are submitted in a specific period of time and how long each takes to complete.

A well-designed and fully automated DSAR process offers significant value in the first step of this process. Handing tasks over to a computer program obviously saves money on salaries. But more importantly, an automated setup can reduce your chances of having to deal with legal fees or fines. Lawyers are less often required when the DSAR process runs smoothly. Better yet, handling a request promptly and professionally significantly reduces your risk of facing fines from privacy authorities.

Responding Properly to DSARs

Increasingly privacy-savvy customers submit DSARs on a fairly regular basis. Fortunately, this doesn’t have to put an unreasonable burden on your privacy team. 4Comply, our signature privacy compliance software, can take the lead and guide your team through the DSAR process. Get in touch today for a demo.

This is an excerpt from our newest white paper, “DSARs: Costs & Solutions”. Download and read the full white paper here.