DSAR Resource
Consumers exercise the right to access a copy of the personal data an organization collects about them by submitting a Data Subject Access Request, or DSAR.
Before you begin responding to DSARs, it's important to know which rules apply to you.
GDPR VS. CCPA Overview
Use this table to help you understand the nuances of leading legislation such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
| | GDPR | CCPA |
|---|---|---|
| Jurisdiction | Individuals within the European Union | Residents of California, including households |
| Personal Data | Defined as any information relating to a data subject; does not apply to anonymized data | Addresses information relating to, described as, capable of being associated with, or reasonably linked either directly or indirectly with a consumer or household; does not apply to de-identified or aggregate data |
| Right to Deletion | Applies to all data concerning a data subject | Applies only to data collected from the user; not to data about the consumer collected from third parties |
| Right to Access | Data subjects have the right to request access to their personal data; they must be informed of their rights at the point of data collection | Data subjects have the right to request information about what personal information is collected, how it is processed, for what purposes, and with whom it is shared; they must be informed of the categories of PI to be collected and the purposes for which it will be used at or before the point of collection |
| Portability Requirement | Share data electronically unless a data subject requests otherwise | Disclosure must be delivered electronically or via mail |
According to leading regulations...
Data subjects can request:
- Confirmation that their personal data has been processed
- Access to their personal information
- The lawful basis for processing their data
- The period for which their data will be stored
- Any relevant information concerning automated decision-making and profiling
- The names of any third parties you share their information with
Companies are legally required to fulfill these requests. Adhering to the strictest and most common requirements can help you stay ahead and comply with most data privacy laws. Use this evaluation to see if you're on the right track.
- Is submitting a DSAR clear, simple, and free for your users?
- Do you verify user identity before they submit their request?
- Do you include all of the user's personal data in their response?
- Does your response maintain the privacy of other users?
- Do you respond to requests within 30 days or less?
If you answered “No” to any of these questions, you have more work to do. Identify which questions you responded “No” to, then assess and align your stakeholders to address these gaps.
Once you understand what your data subjects are entitled to and whether or not you're respecting those rights, you're ready to respond to DSARs. Use this step-by-step DSAR Guide to help you define an ideal plan for processing, fulfilling, and scaling data requests at your organization:
| | SIX STEPS FOR PROCESSING: How to process DSARs | FIVE STEPS FOR FULFILLING: How to fulfill DSARs | SIX STEPS FOR SCALING: What your tools must do to scale DSARs |
|---|---|---|---|
| Step 1 | Establish a reasonable cadence for how often users can submit a request | Locate all of the personal data necessary to respond to the DSAR | Enable a centralized intake process |
| Step 2 | Design a submission feature that is free, easy to find, and easy to use | Assemble data for delivery | Implement a complete data discovery of everywhere user data might reside |
| Step 3 | Build a mechanism to verify user identity | Review and approve the response | Funnel all discovered data into a centralized and secure location |
| Step 4 | Map user identities for accurate data collection | Safely deliver customer information within the required time frames | Review the data |
| Step 5 | Design functionality to register and log DSARs | Delete data provided in your response after a specified retention period | Securely deliver the response |
| Step 6 | Consider exceptions to fulfilling DSARs | | Maintain an audit trail |
For more on this topic, take these courses:

DSAR Fundamentals
This short course walks you through five requirements to help you comply with the evolving legislative landscape and respond to Data Subject Access Requests.

Processing DSARs
This course walks you through creating an efficient processing workflow that will enable scale.