Laws like the GDPR and CCPA establish the rules, rights, and responsibilities around data privacy. The laws detail the process of submitting a Data Subject Access Request (DSAR) and obligations when responding to it, turning the general notion of data access and removal into practical guidelines. But laws are often written by and for lawyers, and it’s essential for companies and individuals to understand exactly what DSARs entail. Not sure how to respond to a GDPR request or a CCPA one? Here’s our step-by-step guide for responding to a data subject access request.

Disclaimer: the following guide is not to be used for any legal purposes and was not created by legal professionals.

What are data access requests?  

There are eight different data subject rights under the GDPR. These include the right to information, access, rectification, erasure, restrict processing, portability, and objection. 

The right to access one’s information is an essential  part of both the GDPR and CCPA. The GDPR establishes the right in Recital 63, stating that: “A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”

The CCPA includes the right to access in the statement: “...To further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights.”

A data access request can ask for specific data items or a copy of all the relevant information gathered by the company from that particular individual. After the request was submitted, the organization must find all the necessary information and provide a detailed copy. 

What should the response include?

The answer to this question depends on the request itself. If the request refers to every detail the company gathered on this person, a broader search will form the base for the organization’s subject access request response. If the individual submitting the request focused on specific details, they will be at the center of the response. Such information may include questions regarding processing and usage, how long the business will hold onto the data, third parties that may have access to it, and more. 

Who should be in charge of the DSAR response letter?

Most laws require that a dedicated employee within the organization remain in charge of this important task. Under the GDPR response requirements, the company’s Data Protection Officer (DPO) shoulders the responsibility. The CCPA doesn’t require the organization to appoint a DPO, but appointing an employee or team devoted to the goal will ensure that the issue isn’t neglected or overlooked. 

How does the process of responding to DSARs work?

After classifying a DSAR as such and realizing that it falls under one of the applicable regulations, the organization must comply with certain steps that must occur. Here’s how to respond to a data subject access request: 

1. The organization should notify the requester that their submission was accepted and is being handled by the company.
2. If further information is needed, the company should inform the person and detail which information is missing. The same goes for requests that may take longer to fulfill. 
3. If the company has to deny the request based on valid grounds detailed under the applicable laws, this response should be provided ASAP and within the specified time frame.
4. The company should prepare the response message for the subject access request and gather the requested information while protecting other individual’s data privacy.
5. After collecting all the relevant data, the company should provide a copy via a standard digital channel, assuming the request was submitted online.
6. Finally, the company should keep a record of the request and response for future audit purposes. 

Can organizations refuse to respond to DSARs?

Relevant regulation states specific terms under which companies can deny such requests. These include excessive or overlapping requests and unfounded requests that were not meant to gain access and will be used to make unsubstantiated claims against the company. Companies must exercise these rights carefully and make sure that the refusal is justified under the applicable regulations to prevent the risk of legal claims and fines. 

How can technology support companies’ response processes?

Companies can use technology solutions to manage DSARs and ensure they are handled on time and by the right people. They can track the progress and create a simple path for collecting and providing information. Technologies like Mine PrivacyOps bring together multiple data sources and help companies streamline and automate their data privacy management. By relying on innovative solutions, your organization will be able to boost its transparency and brand trust and handle data privacy requests at scale.