Managing, responding, and fulfilling data subject access requests (DSARs)

With the advent of important new privacy laws around the U.S. and across the globe — like California’s CPRA and Europe’s GDPR — people have been empowered with new rights to the ownership and management of their personal data. Organizations worldwide are developing processes for managing the way people can access these rights, ensuring that they don’t run afoul of the law, and developing trusted relationships with the folks who use their services and the people they employ. 

However, many of these new legal requirements can be confusing and are so new that best practices are still developing. Even the words we use to describe these rights can differ from organization to organization, state to state, country to country.

So, we’ve developed this handy guide to help you answer questions like:

• What is a DSAR?
• How do DSARs fit into the many data privacy rights that have been granted to people?
• How should your organization handle DSARs?
• What happens if you don’t handle a DSAR correctly?

Because there are so many questions surrounding data privacy rights, we’ve organized the guide as an FAQ.

What’s a DSAR? Is it the same as a SAR, DSR, or FOIA?

Great question. In many ways, the answer is still developing. Originally, DSAR was an acronym created out of “data subject access request,” which described a specific data privacy right being exercised: Under the EU’s General Data Protection Regulation (GDPR), California’s Privacy Rights Act (CPRA), and an increasing number of state- and country-based laws around the world (Virginia’s VCDPA, Colorado’s CPA, and Brazil’s LGPD), people have what’s known as the “right of access” to their personal data.

This means they can request to see all of the data you’ve collected about them, and you have to deliver it to them in a certain period of time (usually 30-45 days). Because the privacy community often refers to the person to whom the personal data belongs as a “data subject,” the method for people to request their data from organizations became known as a “data subject access request” or DSAR.

However, people have started to use “DSAR” as a shorthand for any person exercising any of their privacy rights (we’ll talk about all the other rights later). For access requests and these broader requests, you might also see:

• ROAR: Right of access request
• SAR: Subject access request (mostly in the U.K.)
• DSR: Data subject request
• CCPA request: California’s first major consumer privacy law was called the California Consumer Privacy Act (CCPA)
• GDPR Request: Many people associate these rights with the GDPR exclusively

All of these terms essentially refer to a person exercising a data privacy right with an organization.

A “FOIA” is a “freedom of information access” request, and is a different matter. In the U.S., the U.K., and many other democracies, a FOIA is a request for information created by a public body to which the citizens of that country have a right to access. This information could be personal information about the requestor, but it could also be something like the minutes of a public meeting, emails between two publicly employed people, or just about any other information created by the government.

In general, private organizations do not have to comply with FOIA requests, and publicly funded organizations do.

How do I know if my organization must respond to DSARs?

The right to access is guaranteed by:

• The GDPR, which means if you market your services to people in the EU, U.K., or those in the European Economic Area, you need to allow people in those countries to submit DSARs.
• Similarly, if you are doing business at all in Brazil, you need to let Brazilians exercise all of those rights with you.
• California and most U.S. state laws have triggering levels for when their laws apply to your organization. For example, the California Privacy Rights Act confers those privacy rights to people residing in California, if the for-profit company that holds their data:
  • Buys, sells, or shares the personal information of 100,000 Californian people or households.
  • Creates 50% or more of its revenues through the sale or sharing of personal information.
• Had $25 million in gross revenue in the preceding calendar year (so Jan. 1, 2022 to Dec. 31, 2023 to start).

If you’re unsure about whether a country’s or state’s laws apply to your organization, it’s important to consult with a privacy-focused lawyer, as a failure to comply can lead to serious consequences.

In California, you can be fined as much as $7,500 for each failure to comply (and “each failure” could be one line of a large database). In the EU, you can be fined as much as 4% of your annual revenues or 20 million euros — whichever is larger.

Many companies have chosen to fulfill DSARs made from any customer, regardless of where they’re from, as the difficulty in figuring out who has the privacy right and who doesn’t takes up more time than simply applying the same processes to everyone, but each company is different depending on business plan, location, amount and type of data held, etc.

Okay, but how does someone actually make a data subject access request?

In general, it has to be “easy” for people to exercise their data privacy rights. For example, in California, you literally have to have a prominent button on your website that allows people to opt-out of having their data shared or sold.

For DSARs, most organizations have a portal they can log into or a form you can fill out to make your data subject access request, along with an email address you can send a request to and a phone number you can call. California requires that you have a phone number available.

There are no rules for how the request is made; if it comes in, and it’s valid, you have to respond. People can ask for a specific set of data you have about them, or all the data you have about them, or the people with whom you’ve shared their data or to whom you’ve sold their data.

Can anyone submit a DSAR?

Essentially, yes. If they live in a state or country that grants these rights, and you’re covered by the law, they can submit a DSAR and you have to comply.

DSARs can also be submitted by someone on behalf of another person if they are:

• The parent of the under-age person in question.
• The legal guardian of the person in question.
• The lawyer of the person in question.
• The designated representative of the person in question.

How do I know the person submitting the DSAR is the person who owns the data?

Just about all of the laws require some kind of validation process, which can be done via:

• A username and password they already have with your organization.
• A valid form of identification, such as driver’s license, passport, etc.
• Challenge questions that would only be known by the creator and owner of the data.

Similarly, you have to come up with a way to validate that the person submitting on behalf of someone else really does have that authority. Yes, that can be tricky.

Can my employees submit a DSAR?

Yes. Employee data is personal data, too. That means employees can submit DSARs and you have to comply in the same way you do with customers or vendor data. That can mean sharing with them emails that discuss that person.

What if there’s personal information about other people in those emails?

If that happens, you’ll have to “redact” — “redact” means black out or delete — the other person’s personal information. Otherwise, you’ll have committed a data breach.

This may be true of requests made by people outside your organization as well. You only have to return the personal data you have about the person making the request — you can and should redact anything not relevant to that request.

You do not, however, have to turn over every piece of information you have about a person if that information was created by someone else and simply mentions or describes a person. Just because an email says, “Joe is coming with me on the sales call,” doesn’t mean you’d have to turn that over to Joe.

So what counts as personal data?

This is a big question. In general, it is data that can be used to identify a specific person or data that has been created by that person. This is often a much greater collection of information than people might expect.

For example, since researchers have found that possessing just four location data points created by a single person can reliably be used to identify that person most of the time, some jurisdictions consider any location data created by a person as personal data, even if it’s held in a separate database where the name of the person isn’t associated with the data. For another example, a court in Europe has ruled that a person’s answers to a test are personal data, even if the answers are stored without a name or other identifier attached, since that person created that data in the first place.

You should think broadly about personal data and include more rather than less in your answers to DSARs.

How do I fulfill DSAR requests?

As a rule of thumb, you should be looking to automate the “easy” DSARs so you can focus your human resources on the more difficult privacy-rights fulfillment processes. Most organizations report having a privacy team that uses a mix of automated processes and dedicated people who both make sure the automated response is accurate and then complete those tasks that are beyond the software’s capabilities.

Because most organizations have a huge number of different databases — everything from WordPress to Salesforce to HR management to AWS servers to cloud-based data analytics platforms — most larger organizations, for example, use some kind of software to consolidate personal data and deliver it to people making basic access requests, with some human oversight to make sure what’s being delivered is going to the right person.

For tasks like deletion or rectification, some organizations let people change the data in real time, others let people change the data in a staging area and then approve the changes, others have them make requests and then report back when the requests have been fulfilled.

For more complicated requests, like objections to processing or revocation of consent, etc., people generally make the requests through a portal, via email, or on the phone, and then those requests are triaged by the privacy team. Those needing some kind of legal review are typically escalated to more senior members or those with legal backgrounds.

Your basic DSAR process, however, looks like this:

1. Receive DSAR via any of the various ways they come in.
2. Validate the identity of the requestor.
3. Acknowledge receipt, and supply an estimate of how long it will take to respond.
4. Collect all of the data you have on the data subject.
5. Review collection to make sure, for example, you didn’t supply the data of one Jane Smith to a different Jane Smith.
6. Deliver data to the requestor in a secure manner, such as via a portal that people log into and download a pdf from.
7. Document the request, that you fulfilled the request, and how long it took. Some jurisdictions require you to publish how long it took to fulfill requests, on average.

Can my organization charge a fee for DSARs?

No. When people exercise their privacy rights, you have to fulfill their requests without any charge — for free — regardless of how much effort it entails.

As your organization thinks about the return on investment for collecting personal data, you should think about the future costs of DSAR fulfillment as part of that equation.

How long do I have to fulfill a DSAR?

Under the GDPR, you’re supposed to fulfill requests “without undue delay,” which means as fast as you’re able. However, it shouldn’t take longer than 30 days. If it is going to take longer than that, you have to notify the data subject that it will take longer. If it’s more than 60 days, you subject yourself to penalties unless you can prove it really needed to take that long.

Under the CCPA/CPRA in California, you have 45 days and can ask for an extension if you can demonstrate it needs to take longer. After 90 days, you subject yourself to penalties unless you have a really good reason for not responding.

What if I can’t get a DSAR done in time?

Again, in California, you can be fined as much as $7,500 for each failure to comply, but you can also be sued for a civil violation. In the EU, you can be fined as much as 4% of your annual revenues or 20 million euros — whichever is larger.

It’s unlikely that failing to comply with one DSAR would wind up costing you millions of dollars, but we haven’t really seen much enforcement action on this yet.

What other subject rights do we need to manage?

Starting with the GDPR, and now reinforced by the CPRA, LGPD, VCDPA, CPA, and other new laws soon coming into force, a set of common privacy rights have emerged and been adopted in whole or in part by an increasing number of states and countries. If you care about DSARs, you should be aware of them and ready to comply.

While there are variations and nuances from law to law, they can be grouped into the following basic privacy rights:

Right to access: People have the right to know whether you have personal data about them and to see a copy of all the data that you possess.

Right to deletion (or right to be forgotten): People have the right to ask you to delete all of the personal data you have about them. In California this right is extended so that if they ask you to delete all their data, you also have to tell all of the people you’ve sold their data to or shared their data with to also delete that data.

There are exceptions in the U.S. for journalists and news organizations, and just about every law has an exception for fulfilling contracts, saving people’s lives, and doing certain research.

Right to correction: People have the right to ask you to correct or fix the personal data you have about them.

Right to no retaliation: Most major privacy laws say you can’t decide to not offer a service or charge extra just because someone hasn’t consented to give you their personal information.

Right to data portability: People have the right to ask you to provide their data to another organization, generally in a standard format they can easily upload into their systems.

Right to know with whom you’ve shared their data: People have the right to know with whom you’ve shared their data or to whom you’ve sold it. In California, though, you only need to explain the types of organizations, not the specific companies.

Right to opt out of sharing and selling: In California specifically, people can tell you not to sell or share their data and you must comply.

Right to withdraw consent: At any time, people need to be able to say they no longer consent to whatever processing of their personal data they originally allowed.

Right to object: This is largely a European phenomenon, but this right allows people to ask you to pause the use of their personal data until you can demonstrate you have the right to use it.

Right to not be the subject of automated decision-making: Under the GDPR, if you are using an algorithm or some other automated decision-making that uses people’s personal information to create a decision that has a legal effect on them (like offering them a different price, say, on a website), they have a right to ask you to stop.

This is not an exhaustive list, but represents the large majority of common data privacy rights granted by the major laws.

Does my organization have to comply with all of those?

Well, maybe. Other than the right to opt out of sharing and selling, which is mostly just specific to California, all of those rights are granted by the GDPR, which means if you market your services to people in the EU, U.K., or those in the European Economic Area, you need to allow people in those countries to exercise those rights with you.

Similarly, if you are doing business in Brazil, you need to let Brazilians exercise all of those rights with you.

And we’ve already told you about the rules for California.

Judging by the way things are going, you should expect these privacy rights to be more common in more places for more people as time goes on. Many organizations that know personal data is vital to their business plans have already started complying with these data privacy rights for all of their customers, as it is becoming a standard expectation and way of building trust.

It may well be that your organization will soon look outdated or uncaring if you’re unable to fulfill these data privacy rights requests as they start to come in as people assume you’re responsible. Each organization will have to make the determination for their best course of action on their own.