The right of access for data subjects was one of the rights introduced under the General Data Protection Regulation (GDPR).
In general terms, the GDPR gives individuals the right to request information about how companies are handling their personal data. That, in a nutshell, is what a Data Subject Access Request (DSAR) is.
Why is the data subject access right important?
In many parts of the world, the law gives individuals rights over their own data. Information about an individual is treated as belonging to them, because the way that information is used can affect them in many ways, including their wellbeing.
“This makes the data subject access right important and intrinsically valuable to the individual. The right to erase, edit or delete the information lies with the individual rather than with the organisation collecting the data and information. This is because the analysis of the information and the data also has a direct impact on the individual in many cases.”
According to the GDPR and the Data Protection Act, individuals can exercise their subject access rights as follows:
- Individuals have the right to access their personal data.
- This is commonly referred to as subject access.
- Individuals can make a subject access request verbally or in writing.
- You have one month to respond to a request.
- You cannot charge a fee to deal with a request in most circumstances.
What is the process for making and managing a request?
A data subject can make the request by email, through an online form, or by any other means of communication.
The company then verifies the requestor’s identity, locates their data across its data ecosystem, and tracks the request through to resolution.
This process takes approximately 30-45 days.
What elements are included in a subject access request under the GDPR and CCPA?
A subject access request, as submitted by the individual exercising their right and handled by the organisation dealing with it, contains the following elements.
The DSARs include:
- Contact information of the data subject such as name, email and phone number.
- The request itself, which usually falls under at least one of the categories below:
  - What data do you collect on customers?
  - What data do you collect on me?
  - Delete my information
  - Move my data elsewhere
- An open text field where data subjects add any context to their request.
Online Privacy Rights Access Forms
Data subject access requests under the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) are most often submitted through an online privacy rights request form.
Data subject request challenges
It sounds simple, but fulfilling subject access requests presents various challenges. The most complex step for many organisations is finding the personal data and tying it back to the data subjects.
Consider the following points:
- A single bank transaction can be replicated through 100 systems.
- Enterprises gather data in petabytes every year and retain almost all of it.
- Data is propagated across the enterprise on a daily basis to support a wide variety of users and business initiatives.
Unfortunately, the massive growth in data accumulation has not been matched by a corresponding effort in data management and data governance.
This amplifies the potential consequences: data breaches, data misuse, loss of customer trust and more.
In response, companies have put more resources into security controls that restrict access to their data. However, security controls focus on who can access the data, whereas privacy is about how the data is used and for what purpose.
Companies are under a strict obligation to respect and respond to requests concerning data subject rights, such as the “right to be forgotten”.
To achieve even basic compliance, a company must know what personal data it holds, where that data is located, and for what purpose it is kept.
To date, building this basic data inventory has been a manual process of surveying application data owners and maintaining spreadsheets.
The critical processes and fulfilment capabilities under DSAR
Intake, verification, search, deletion and response are the five Data Subject Access Request (DSAR) processes and fulfilment capabilities. Fulfilling DSARs is a compliance requirement under both the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Although the CCPA and GDPR each take their own approach to the subject access request process, the capabilities below are crucial to this data privacy and data management initiative.
Requests are received through a process known as intake. A request can be made via an online form, and the law also provides for requests made by email or other means of communication. The company tracks and manages the request through to resolution.
Verifying the requestor’s identity is the next step. Many companies providing online services require customers to log in to verify their identity. The GDPR requires the enterprise to confirm that the data subject exists within its ecosystem and then locate the corresponding information to include in the response.
To fulfil the request, the enterprise must search for and locate the requestor’s personal data across its data ecosystem. The types of information searched for may vary according to the type of data subject. The search process identifies the relevant personal data attributes and categories, and the company’s purpose for collecting and processing the data subject’s information; it then identifies the specific systems and locations that hold that personal data.
To respond correctly to a deletion request, an enterprise must determine which data within a given system should be deleted and whether any regulatory or business constraints apply. A warranty registration database containing personal information is an example of a business constraint.
An enterprise may refuse to delete a data subject’s record from such a database because doing so would prevent it from fulfilling a legal obligation, such as honouring an extended warranty on the customer’s purchase.
The data subject access right is not unlimited or absolute. There are scenarios in which exercising it would cause other problems, and where access to the information poses greater risks than benefits, the right may be set aside.
This also means that an individual may not be able to access the information an organisation holds on them if disclosing it could harm an external or third party. At the same time, the data remains the individual’s own and can be edited by them as long as that is lawful in other respects.
Erasure of personal data from institutional records
An individual may not be able to request the erasure of school penalties that were rightfully imposed. Similarly, an organisation is not obliged to delete data about an individual merely because the individual does not want it there. If the data serves an important role, it must be protected from erasure. The underlying principle is the greater good of society.
For example, a tax collector or financial regulatory body cannot erase your banking information simply because you ask it to, because that personal data serves a functional role in the legal and fiscal processes of the country.
In such a case the data collector, in its capacity as a monetary channel between the public and the state, has a larger obligation to the government than to your wish to have your tax or credit information deleted.
Similarly, if you wanted your criminal records erased because their accessibility to an employer or a future romantic partner affected you, the same rule applies: unless there is legally valid proof that public accessibility of that information poses a lethal threat to you, or sufficient evidence of faulty counsel or legal failures, the data cannot be deleted.
Regardless of your wishes, a data subject cannot have official data that must be reported to the state edited, unless it was a voluntary submission that gives the individual the authority to have it returned or revised.
Templates help to ensure that the DSAR fulfilment process is efficient and consistent. All communication and activities must be recorded in a reporting dashboard, and an audit trail must be maintained to demonstrate accountability, compliance and progress towards resolving requests.
Checklist for organisations to process requests with ease:
An organisation must know how to recognise a Data Subject Access Request (DSAR). There must be effective mechanisms in place to understand when the right of access applies and when it does not. This is crucial to the lawful processing of requests and to the organisation’s accountability for its legal privacy obligations towards the public.
An organisation can use the following prompts to gauge whether it is ready to manage subject access requests.
The key concerns regarding the process of answering these requests:
- Yes, our organisation has a policy for how to record requests we receive verbally
- Yes, our organisation has a policy for how to record requests we receive in writing
- Yes, our organisation has a policy for how to record requests we receive electronically
- Yes, our organisation has a policy for how to record requests we receive through walk-ins
- Yes, as an organisation we understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.
- Yes, as an organisation we understand when we cannot refuse a request, and we are aware of the information we are not required to provide to individuals when we do refuse.
- We understand the nature of the supplementary information that goes along with the subject access request.
- We understand the nature of the supplementary information that cannot be shared in response to a subject access request.
The key concerns regarding compliance with subject access requests and privacy of other data subjects:
- Yes, our organisation has the processes in place to ensure that we respond to a subject access request without undue delay and within one month of receipt.
- Yes, we are aware of the circumstances when we can extend the time limit to respond to a request.
- Yes, we understand that there is a particular emphasis on using clear and plain language if we are disclosing information to a child.
- Yes, we understand what we need to consider if a request includes information about others.
- Yes, we understand that we need to consider the privacy of others when providing information about a person.
Is it okay to outsource the data discovery request management process?
Using a management platform helps to develop a proper channel and a standard system that meets the data discovery rights requirements of the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). The process becomes far more efficient and seamless with the help of a professional, intelligent Data Subject Access Request (DSAR) management system.
A Data Subject Access Request (DSAR) is a specific request whereby an individual legally exercises their right to access the data collected on them. They may then decide whether there is an issue with the data, or whether they would like to exercise their right to erasure.
Every organisation that falls under the jurisdiction of the EU must ensure that each data subject access request is handled in a way that maintains privacy and security, and that the process is thorough enough to comply with the law.
The individual is then entitled to request and obtain the following from an organisation:
- Confirmation that the organisation is processing their personal data and is handling their subject access request lawfully;
- A copy of their personal data;
- Other supplementary information required by the individual, such as whether a decision was made on the basis of this information, for example the issuance of a home loan, selection for a research programme, a medicine trial and so forth;
- Any such use of the information must also be listed in a privacy notice, so that all associated data subjects can consent to the collection of this information and its corresponding use.
“Failure to correctly manage or effectively cater to a Data Subject Access Request (DSAR) has resulted in massive penalties and fines against large companies in the past”
Organisations may outsource Data Subject Access Request (DSAR) management to a dedicated solution if they require help with compliance and with collecting the data. Subject access management solutions help automate the procedure, reduce delays and build trust with your end subjects.
Frequently Asked Questions (FAQs):
1) Can a company refuse a subject access request?
Section 53, DPA 2018, states that if your request is unfounded or if you make excessive requests, your employer can refuse to provide your information or charge a reasonable fee for it.
Otherwise, the request can be rejected only if fulfilling it would pose a risk to the security and privacy of other individuals. In that event, the organisation must be able to segregate the requested information in a way that protects others from privacy breaches.
Where that is not possible, the request may be refused or referred to a data protection officer, a regulatory authority or the government. Information that could damage the safety or security of others may not be shared with the data subject making the request.
2) What does a subject access request show?
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.
Under data protection legislation, a consumer can exercise their rights to collect the information held on them. The process is called a subject access request, which gives an individual a right of access. Through this right, they can verify the information an organisation holds on them.
3) Can a subject access request be vexatious?
An authority can refuse a request if the requester is vexatious. However, if a data subject has requested information about themselves, the authority must handle the request as a subject access request under the Data Protection Act 2018 and the GDPR.
It is therefore also imperative that you, as an organisation, establish whether the information requested falls within the definition of personal data. The decision has to be legally valid: you must be able to stand by it in a court of law, or you will be subject to the penalties set by the regulatory bodies.