How to Make a Data Subject Access Request (SAR)
Anyone can ask a company or organization for access to the personal information it holds about them. Under data protection regulations such as the GDPR and the CCPA, companies are obligated to act on consumer requests about how their personal information is collected, stored, and used, although not every request has to be fulfilled in full.
What is a data subject access request:
A Data Subject Access Request (DSAR, also known as a Subject Access Request or SAR) is a request submitted by a private individual to a company or organization asking for access to the personal information it holds about them. Organizations have been required to handle DSARs under the GDPR since May 2018 and under the CCPA since January 2020.
How to request a data subject access request (DSAR):
To request access to, and a copy of, your personal information, you can use any channel the organization accepts. An email, phone call, direct message, letter, or even a tweet to the organization is a valid way to ask it to provide all of the information it holds about you; in the UK this right is set out in the UK GDPR and the Data Protection Act 2018.
Keep in mind - a subject access request is, under the law, free of charge in the normal case. A company can only charge a fee where a request is manifestly unfounded or excessive, for example because it repeats an earlier request.
Follow these steps to initiate a DSAR:
Step 1: Find the correct contact details for the recipient of your request, ideally a specific department or the organization's data protection officer if it has one.
Step 2: Draft the letter and organize all the information you would like to request.
Step 3: Include the following information in the request:
- Full name
- Phone number
- Account details that let the organization identify you, such as your account name and email address
- A note of the one-month deadline the company has to deliver the personal information.
- Optional - a reference to your right to make a DSAR free of charge under the UK GDPR and the Data Protection Act 2018.
Save a copy of all correspondence relating to the DSAR, both sent and received. This record is useful if the organization does not comply with your request and you need to escalate. Also expect that the organization may ask for additional information to confirm your identity before it releases any data; it is allowed to do this where it has reasonable doubts, and it protects you against someone else obtaining your data by impersonating you.
What do companies do when they receive a DSAR
- Under the GDPR, an organization is required to respond without undue delay and at the latest within one month of receiving the DSAR. Under the CCPA the deadline is 45 days.
- If the request is complex, or the same individual has made several requests, a company can extend the period by up to a further two months under the GDPR (or by a further 45 days under the CCPA). It must still tell you within the original deadline that it is extending the period and explain why.
- The copy of your personal data must be provided free of charge unless the request is manifestly unfounded or excessive, for example because it is repetitive. In that case the organization can charge a 'reasonable fee' or refuse to act on the request.
- The company should provide the personal data in a format you can access and use. If you made the request electronically, the information should normally be provided in a commonly used electronic form unless you ask otherwise.
In the UK, the Data Protection Act 2018 and the UK GDPR require organizations to tell you what information they hold about you, whether it is stored on computer systems or in structured paper filing systems.
What will companies send you once you make a DSAR?
Ideally, an organization will acknowledge your DSAR promptly, tell you when it is being processed, and let you know when you will receive your copy. The response must also confirm whether the organization is processing your personal information at all.
Under the GDPR, the response must also include the following, so it helps to ask for each item explicitly:
- What your information is used for (the purposes of the processing).
- Who it is, or has been, shared with.
- How long your data will be stored, or the criteria used to decide that.
- How you can request deletion or rectification of your information, or object to its processing.
- Where the company obtained your information, if it did not collect it from you directly.
- Whether your information has been transferred internationally and, if so, what safeguards are in place.
Do companies have to comply with any data subject access request?
Companies are required by law to comply with a data subject access request within one month of receiving it. If the request involves a large amount of information, is complex, or is one of several requests from the same individual, the time limit may be extended, but the company must tell you within the original month that it is still handling the matter and why.
Legal action may be taken against a company that does not comply with a DSAR, and with corporate conduct so easily visible to the public, companies are well advised to have a clear policy for responding to such requests.
What are your options if your subject access request was denied?
Companies may refuse to fulfill a DSAR in certain circumstances, for example when a request is manifestly unfounded or excessive, but they must still tell you that they are refusing, explain why, and inform you of your right to complain to the supervisory authority.
If a company does not comply with or respond to a DSAR, you can and should contact the organization again, setting out exactly what is missing from its response.
If there is still no response, or the response is unsatisfactory, you can lodge a complaint with the relevant supervisory authority (for instance, in the UK, the ICO, the Information Commissioner's Office), or seek to enforce your rights through the courts, ideally with legal advice.
How Mine PrivacyOps helps companies verify consumer requests
Mine PrivacyOps's mission is to help bridge the gap between companies and the consumers whose privacy requests they fulfill. Mine's Privacy Portal simplifies the handling of privacy requests for companies, making the process more efficient and automated.
The Mine Privacy Portal makes it easy to verify and validate consumer requests and provides a clear picture of the company's previous interactions with the consumer, giving accurate context for each request.
The Portal also offers code-free data integrations that let businesses fulfill multiple privacy requests with a click of a button. Automating the process saves companies valuable time and reduces the risk of human error.
Data privacy and data protection are becoming the standard for both consumer companies and SaaS companies. Businesses need to catch up quickly and adopt this as part of good business practice, strengthening brand trust and compliance with local laws. The Mine PrivacyOps platform allows just that, removing friction from the process.