
The right of access for data subjects is one of the rights set out in Article 15 of the GDPR (it existed in weaker form under earlier data protection law, and the GDPR strengthened it).

In general terms, the General Data Protection Regulation (GDPR) provides individuals with the right to request information on how companies are handling their personal data.

This is what the Data Subject Access Request (DSAR) entails.

A data subject can make the request via an email, or a form (online), or in any other form of communication.

The company then verifies the requester's identity, locates the requester's data across its data ecosystem, and tracks the request through to resolution.

Under the GDPR the response is due without undue delay and within one month of receipt, extendable by a further two months for complex or numerous requests; the CCPA allows 45 days, extendable by a further 45. The commonly quoted figure of 30-45 days reflects these baseline deadlines.

What elements are included in a subject access request for GDPR and CCPA?

The DSARs include:

  1. Contact information of the data subject such as name, email and phone number.
  2. The requests by the data subjects often fall under at least one category mentioned below:
    • What data do you collect on customers?
    • What data do you collect on me?
    • Delete my information
    • Take my data elsewhere
  3. An open text field where the requester can add context to their request.

GDPR and CCPA data subject access requests are typically submitted through an online privacy rights request form, although a valid request can arrive by any channel.

Data subject request challenges

It sounds simple, but fulfilling subject access requests presents several challenges. The most complex step for many organisations is finding personal data and tying it back to the data subject it belongs to.

Consider the following points:

  • A single bank transaction can be replicated across as many as 100 systems.
  • Enterprises gather data in petabytes every year and retain almost all of it.
  • Data is propagated across the enterprise on a daily basis to support a wide variety of users and business initiatives.

Unfortunately, investment in data management and data governance has not kept pace with this growth in data accumulation.

The potential consequences are therefore amplified: data breaches, data misuse, loss of customer trust and more.

In response, companies have put more resources into security controls that restrict access to their data. However, security controls govern who can access data, whereas privacy concerns how data is used and for what purpose; restricting access alone does not tell you where a given person's data lives or why it is held.

Companies are under a strict obligation to respect and respond to requests exercising data subject rights, such as the right to erasure ("right to be forgotten").

Even basic compliance requires a company to know what personal data it holds, where that data is located, and the purpose for which it is processed.

In many organisations the data inventory is still a manual process built on surveys of application data owners and spreadsheets.

The five critical processes and fulfilment capabilities under DSAR

Intake, verify, search, deletion and response are the five DSAR processes and fulfilment capabilities.

DSAR fulfilment is a compliance requirement under both the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).

Although the CCPA and the GDPR each take a different approach to data subject access request processes, the five capabilities below are crucial to both, and to any data privacy and data management initiative.

1) Intake
Intake is the process by which data subjects submit requests. A company may offer an online form, but the law does not require data subjects to use it: a request made by email or any other means of communication is equally valid. Whatever the channel, the company must log the request and track and manage it through to resolution.

2) Verify
The next step is verifying the requester's identity. Many companies providing online services require customers to log in, which verifies identity as part of the request. Verification must be proportionate: the GDPR allows a controller with reasonable doubts about the requester's identity to ask for additional information, but not to demand more than is needed to confirm it, and nothing should be disclosed or deleted until identity is confirmed. The enterprise must then confirm that the data subject exists within its data ecosystem and locate the corresponding information to include in the response.

3) Search
To fulfil the request, the enterprise must search for and locate the requester's personal data across its data ecosystem. The information types an enterprise searches for may differ depending on the type of data subject (customer, employee, prospect and so on). The search identifies the relevant personal data attributes and categories, along with the company's purpose for collecting and processing the subject's information, and then pinpoints the specific systems and locations that hold the data subject's personal data.

4) Deletion
To respond correctly to a deletion request, an enterprise must determine which data within each system needs to be deleted and whether any regulatory or business constraints prevent deletion. A business constraint could be a warranty registration database containing personal information: the enterprise can decline to delete a data subject's record from that database because the data is still necessary to honour, say, an extended warranty on the customer's purchase. Any such refusal should be recorded with its reason and explained in the response.

5) Response
Templates help to keep the DSAR fulfilment process efficient and consistent. All communications and activities must be recorded in a reporting dashboard, and an audit trail maintained, to demonstrate accountability, compliance and progress towards resolving each request.
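The five steps above as one runnable pipeline, added here as an illustration and not code from the original article or from any vendor's product. Everything in it is constructed for the example: the three in-memory data stores, the warranty retention rule, the HMAC-based verification token (a stand-in for whatever identity check the organisation really uses), and the deadline rule (GDPR: same day next month, clamped to the month's length; CCPA: 45 days; extensions not modelled). The email address serves as the subject key.

```python
"""Minimal DSAR fulfilment pipeline: intake, verify, search, delete, respond.
Added example with constructed data; not taken from any real system."""
import calendar
import copy
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample data, keyed by system name.
DATA_STORES = {
    "crm": [{"email": "alice@example.com", "name": "Alice", "phone": "555-0100"},
            {"email": "bob@example.com", "name": "Bob", "phone": "555-0101"}],
    "marketing": [{"email": "alice@example.com", "segment": "newsletter"}],
    "warranty": [{"email": "alice@example.com", "product": "X1", "expires": "2027-01-01"}],
}
# Systems that must keep the record, with the reason quoted in the response (constructed).
RETENTION_CONSTRAINTS = {
    "warranty": "the data is still needed to honour an active warranty contract",
}
# Hypothetical server-side secret for minting identity-verification tokens.
VERIFY_SECRET = b"replace-with-a-real-secret"


def fresh_stores():
    """Deep copy of the sample stores so one deletion run does not affect the next."""
    return copy.deepcopy(DATA_STORES)


def response_deadline(received_iso, regime):
    """Baseline deadline: GDPR one month from receipt, CCPA 45 days (extensions ignored)."""
    received = date.fromisoformat(received_iso)
    if regime == "ccpa":
        return (received + timedelta(days=45)).isoformat()
    month = received.month % 12 + 1
    year = received.year + (1 if received.month == 12 else 0)
    day = min(received.day, calendar.monthrange(year, month)[1])  # 31 Jan -> 28/29 Feb
    return date(year, month, day).isoformat()


def issue_verification_token(email):
    """Token sent to the address on file; presenting it shows control of that address.
    A production system would also make it time-limited and single-use."""
    return hmac.new(VERIFY_SECRET, email.lower().encode(), hashlib.sha256).hexdigest()


def verify_identity(email, token):
    """Constant-time comparison so a forged token cannot be guessed byte by byte."""
    return hmac.compare_digest(issue_verification_token(email), token)


def _records_for(email, records):
    return [r for r in records if r.get("email", "").lower() == email.lower()]


def search(email, stores):
    """Locate the subject in every system; return the data categories (field names) held there."""
    found = {}
    for system, records in stores.items():
        hits = _records_for(email, records)
        if hits:
            found[system] = sorted({k for r in hits for k in r})
    return found


def delete(email, stores, audit):
    """Erase the subject's records unless a retention constraint applies; log each decision."""
    outcome = {"deleted": [], "retained": {}}
    for system, records in stores.items():
        mine = _records_for(email, records)
        if not mine:
            continue
        if system in RETENTION_CONSTRAINTS:
            outcome["retained"][system] = RETENTION_CONSTRAINTS[system]
        else:
            stores[system] = [r for r in records if r not in mine]
            outcome["deleted"].append(system)
        audit.append({"step": "delete", "system": system, "deleted": system not in outcome["retained"]})
    return outcome


def render_response(request, result):
    """Fill a response template from the search and erasure results."""
    lines = [f"Re: your {request['type']} request received {request['received']} (response due {result['due']})"]
    for system, fields in result["systems"].items():
        lines.append(f"- {system}: {', '.join(fields)}")
    for system, why in result.get("erasure", {}).get("retained", {}).items():
        lines.append(f"- {system}: retained because {why}")
    return "\n".join(lines)


def fulfil_request(request, stores):
    """Intake -> verify -> search -> (delete) -> response, with an audit trail of every step."""
    audit = [{"step": "intake", "type": request["type"], "regime": request["regime"]}]
    due = response_deadline(request["received"], request["regime"])
    if not verify_identity(request["email"], request["token"]):
        audit.append({"step": "verify", "ok": False})
        # Nothing is disclosed or deleted until identity is confirmed.
        return {"status": "rejected", "reason": "identity not verified", "due": due, "audit": audit}
    audit.append({"step": "verify", "ok": True})
    result = {"status": "fulfilled", "due": due, "systems": search(request["email"], stores)}
    audit.append({"step": "search", "systems": sorted(result["systems"])})
    if request["type"] == "delete":
        result["erasure"] = delete(request["email"], stores, audit)
    result["letter"] = render_response(request, result)
    result["audit"] = audit
    return result


if __name__ == "__main__":
    req = {"type": "delete", "regime": "gdpr", "email": "alice@example.com",
           "received": "2024-01-31", "token": issue_verification_token("alice@example.com")}
    print(fulfil_request(req, fresh_stores())["letter"])
```

Running the block deletes Alice from `crm` and `marketing`, keeps the `warranty` record with its stated reason, and produces a letter plus an audit trail listing every decision. The two points worth carrying into a real implementation are that the pipeline stops before any search or deletion when verification fails, and that a refusal to delete is recorded with its reason rather than silently skipped.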

Conclusion

A data subject access request (DSAR) is a request by which an individual exercises their legal right to access the data an organisation holds about them. Having seen that data, they can decide whether it is inaccurate and whether they wish to exercise their right to erasure. Every organisation within the GDPR's scope must handle each subject access request while maintaining privacy and security, and must conduct the process thoroughly enough to comply with the law. Failure to manage subject access requests correctly has led to substantial penalties and fines against large companies in the past.

Frequently Asked Questions (FAQs):

1) Can a company refuse a subject access request?
Yes, in limited circumstances. Under Article 12(5) of the GDPR (and, for law enforcement processing in the UK, section 53 of the Data Protection Act 2018), if a request is manifestly unfounded or excessive, for example because it is repetitive, the organisation (your employer, say) can refuse to act on it or charge a reasonable fee. The organisation must be able to justify the refusal and should record its reasons.

2) What does a subject access request show?
Under data protection legislation, an individual can exercise their right to obtain the personal data an organisation holds about them. The process is called a subject access request and gives effect to the right of access. Through it, an individual can see and verify the information an organisation holds on them.

3) Can a subject access request be vexatious?
Under freedom of information law, a public authority can refuse a request it considers vexatious. However, where someone requests information about themselves, the authority must handle it as a subject access request under the Data Protection Act 2018 and the GDPR, where the relevant test is not vexatiousness but whether the request is manifestly unfounded or excessive.
