guide
DSAR Processing
2 min read
Share this doc:
The volume of DSARs submitted by customers and employees continues to increase as expectations evolve alongside data privacy regulations.
Whether you are new to responding to DSARs, or you are expecting an increase in requests, answer the following questions to help you make sure that your team and app are ready to process DSARs in a way that makes efficient use of your time and your resources.
Do you provide multiple options for users to submit a DSAR?
- Define a reasonable number of submission options that are easy for your users and technically feasible for your team
- Design infrastructure that centralizes requests from each submission option
Do you limit the amount of DSARs your users can submit over a given time period?
- Define a reasonable cadence based on your resources (e.g., once every 2 weeks)
- Review all applicable legislation to ensure your timeframes are legally acceptable
- Formalize and communicate your DSAR processing procedures
Is it easy and intuitive for your users to submit a DSAR?
- List the channels currently available to users for submitting a DSAR
- Identify any channels that are hidden, cumbersome, or confusing
- Define alternate channels for submitting DSARs if necessary
Have you integrated multi-factor authentication (MFA) to your DSAR user identity verification checks?
- Review and revise mechanisms for user identity verification to ensure you are enforcing MFA before allowing a user to submit a DSAR
Do you have an identity graph that maps user identities to create a single view of your user's activity and more efficiently handle DSARs?
- Define the various login options users can leverage, such as different SSOs
- Build an identity graph that links user identities with their corresponding data
Have you implemented a DSAR log that maintains a record of all details of each request?
- Build a log that registers requests and all relevant details, the action you took, and how long it took you to respond
- Enable security measures that make the log tamper-proof
- Confirm you have the ability to report on DSAR metrics when requested, and minimally, each year
Are you prepared for exceptions — however few and far-between they may be?
- Review all relevant legislation and make a list of acceptable exceptions
- Define your process for managing and responding to exceptions
- Publish disclaimers, outline essential information for users, and formalize user communication related to exceptions
Next Steps
Evaluate the checklist and take note of the questions you answered “no” to. Review the guidance, identify the necessary stakeholder(s), and work together to make a plan to address gaps or optimize your processes.
For more on this topic, take the Course:
Processing DSARs
This course walks you through creating an efficient processing workflow that will enable scale.
