• santander dsar

    The Right of Access for data subjects was one of the rights introduced under GDPR.

    In general terms, the General Data Protection Regulation (GDPR) provides individuals with the right to request information on how companies are handling their personal data. This is known as a Data Subject Access Request (DSAR). A data subject can make the request through an email, an online form, or any other form of communication. The company then verifies the requestor’s identity and their data in its data ecosystem, and finally tracks the request to resolution.

    This process takes approximately 30-45 days.

    What elements are included in a subject access request for GDPR and CCPA?

    The DSARs include:

    1. Contact information of the data subject, such as name, email and phone number.
    2. The type of request, which usually falls under at least one of the categories below:
    • What do you collect on customers?
    • What do you collect on me?
    • Delete my information
    • Take my data elsewhere

    3. An open text field where consumers can add any context to their request.

    In addition, GDPR and CCPA data subject access requests are mostly presented through an online privacy rights request form.

    Data subject requests challenges

    It sounds simple, but there are various challenges in fulfilling subject data requests. The most complex step for many organisations is finding personal data and tying it back to the data subjects.
    Consider the following points:

    • A single bank transaction can be replicated across 100 systems.
    • Enterprises gather data in petabytes every year and retain almost all of it.
    • Data is propagated across the enterprise on a daily basis to support a wide variety of users and business initiatives.

    Unfortunately, this massive growth in data accumulation has not been matched by a comparable effort in data management and data governance.
    As a result, the potential consequences are amplified, such as data breaches, data misuse, loss of customer’s trust and more.

    In response, companies have put more resources into implementing security controls to restrict access to their data. However, security focuses on who uses the data, while privacy is about how the data is being used and the purpose of its usage.

    Companies are under strict obligations to respect and respond to requests relating to data subject rights, such as the “right-to-be-forgotten”.

    To accomplish basic compliance, a company must understand what personal data it possesses, as well as its location and purpose.

    Until now, the basic data inventory has been a manual one, consisting of application data owner surveys and spreadsheets.

    The Five Critical processes and fulfilment capabilities of DSAR

    Intake, verify, search, deletion and response are the five DSAR process and fulfilment capabilities. Fulfilment of DSARs is important for the compliance requirements of both the California Consumer Privacy Act and the General Data Protection Regulation.

    CCPA and GDPR each have a unique take on data subject access request processes, but the five capabilities below are crucial for any data privacy and data management initiative.

    1) Intake
    Data subjects make requests through a process known as intake. The request can be made via an online form, although the law also requires that data subjects be able to make a request by email or other means of communication.
    The company will track and manage the request through to resolution.

    2) Verify
    The verification of the requestor’s identity is the next step. Many companies that provide online services require customers to log in and verify their identity.

    GDPR requires that the enterprise confirm the data subject’s existence in its ecosystem and then locate the corresponding information to include in the response.

    3) Search
    To fulfil the request, enterprises need to search for and locate a requestor’s personal data in their data ecosystem. The type of information an enterprise searches for can differ, based on the data subject type.

    The search process identifies relevant personal data attributes, categories and the company’s purpose for collecting and processing the subject’s information. It then identifies the specific systems and locations containing the data subject’s personal data.

    4) Deletion
    To respond to a deletion request, an enterprise must validate which systems data can be deleted from, based on regulatory or business constraints.

    A business constraint could be a warranty registration database containing personal information. An enterprise can refuse to delete a data subject’s information from the database if deletion would impede it in fulfilling a legal obligation to provide a customer with, say, an extended warranty on their purchase.

    5) Response
    Templates help to ensure that the DSAR fulfilment process is efficient and consistent. All communications and activities must be recorded into a reporting dashboard and audit trail to demonstrate accountability, compliance, and progress towards resolving requests.

    Frequently Asked Questions:

    1) Can a company refuse a subject access request?
    Section 53, DPA 2018, states that if your request is unfounded or if you make excessive requests, your employer can refuse to provide your information or charge a reasonable fee for it.

    2) What does a subject access request show?
    Under Data Protection legislation, a consumer can exercise their rights to collect information held on them. The process is called a subject access request, which entitles an individual to a right of access. Through this right, they can verify information held on them on police computers.

    3) Can a subject access request be vexatious?
    An authority can refuse a request if the requester is vexatious. However, if a data subject has requested information on himself, the authority must tackle the request as a subject access request under the Data Protection Act 1998.
