Are You Ready for DSAR Fulfillment?

DSAR Fulfillment Steps

Check off each action that you and your organization implement:

1. Local Data

Define what personal data means within our organization

Review our data classification and data inventory practices

Identify and validate all the places that personal data is stored both internally and by third parties

If you left a box unchecked, you have more work to do. Use the following guidance to begin strategizing how to close these gaps.

Evaluation Questions:

What processing pre-checks do you have in place?
How do you define personal data?
What are your data classification practices?
Where is data being stored across internal systems and third-party platforms?
Do you maintain an up-to-date, accurate, and complete data map?

Why It Matters:

Running pre-checks before processing a DSAR can help you avoid taxing your resources unnecessarily.

Understanding and evaluating your data governance processes, like the quality of your data map, can help you confidently locate all of the data required to fulfill a DSAR.

2. Assemble Data

Utilize clear and concise language in our DSAR responses

Deliver user data in a ready-to-use format

Design our processes for output and delivery with a focus on how our users will access and use the data

Define our security practices to ensure a DSAR response doesn't compromise another user's personal data

Implement redaction capabilities in our DSAR fulfillment process

Consider whether building and/or purchasing (a) tool(s) would more efficiently scale, based on our organization's resources and/or processes

If you left a box unchecked, you have more work to do. Use the following guidance to begin strategizing how to close these gaps.

Evaluation Questions:

Do you have a ready-to-use format for DSAR responses?
How do you ensure that you will not compromise another user's privacy when you respond to a DSAR?
What is your current process for redaction when assembling data for a DSAR response?
What kind of tools and/or software would be beneficial to scale your DSAR fulfillment process?

Why It Matters:

The format and size of your response will depend on the type of data you collect and the characteristics of your users.

Creating templates will enable you to reduce some of the strain on your systems and resources.

While you aren't required to accommodate a user's personal preferences, you must make sure your fulfillment processes keep your users safe. Redaction can be costly and time consuming, but it is critical to ensure other users' data isn't compromised. Choosing whether you buy or build tools will depend on your current resources, processes, and expected DSAR volume.

3. Approve & Deliver

Confirm that responses fulfill user requests and meet all defined requirements

Maintain working relationships with teams like legal and/or privacy to stay compliant with applicable data privacy laws

Clearly define an appropriate and compliant timeframe for DSAR responses

Implement a secure method to deliver DSAR responses

Enable strict access controls to limit access to DSAR data to essential employees only

Strictly monitor access logs

If you left a box unchecked, you have more work to do. Use the following guidance to begin strategizing how to close these gaps.

Evaluation Questions:

How do you stay up-to-date on applicable data privacy laws?
What are your requirements for approving and delivering DSAR responses?
How long does fulfillment take, on average, from DSAR submission to delivery?
What steps, if any, do you currently take to ensure that the DSAR responses are secure during transit and delivered within the required timeframe?

Why It Matters:

Working with teams like legal and privacy will help you stay compliant as regulations evolve.

Defining requirements around DSAR response approval and delivery will help you stay compliant and fulfill DSARs on time.

Maintaining strong security standards, like safe delivery and strict access controls, is essential to building trust with your users.

4. Delete

Clearly define a standard retention period for DSAR response data following delivery, after which that data is deleted

Maintain a detailed log of DSARs that are received, processed, and fulfilled

Design our dashboard with relevant requirements in mind, like providing annual DSAR metrics

If you left a box unchecked, you have more work to do. Use the following guidance to begin strategizing how to close these gaps.

Evaluation Questions:

Do you have a specific retention period for storing DSAR response data?
How long do you give users to download their DSAR response before deleting that data?
How do you log the DSARs that you receive, process, and fulfill?
What metrics are you currently required to report under applicable data privacy laws, and how often are you required to do so?
Does your dashboard enable you to report on DSAR metrics when you need to, with all required information?

Why It Matters:

Deleting DSAR response data after a specified retention period helps reduce your attack surface by eliminating unnecessary copies of your users' personal data.

Logging DSARs you receive, process, and fulfill helps you prepare for potential audits and stay compliant with applicable data privacy laws.

For more on this topic, take the Course:

1 Course

Fulfilling DSARs

In this course, you will learn how to manually respond to a DSAR as a proof of concept, and to determine if you are prepared to manage DSARs at scale.

Get Started