Picture this: you’re a busy privacy professional who has been pulled in multiple directions over the last few weeks.
You’re finally sitting down to clear some of the backlog on your desk when you see an email from a customer with the subject line “DSAR.”
Your heart sinks as you think to yourself, “not another one.”
Data subject access requests (DSARs) can be time-consuming and resource-intensive for organizations of all sizes.
They can also be a headache for privacy professionals who have to manage them.
However, there are some things you can do to make the process go more smoothly. In this article, we’ll share five tips on how to deal with DSARs.
What is a DSAR?
A DSAR is a request from an individual for information about themselves that an organization holds.
Under the EU General Data Protection Regulation (GDPR), individuals have the right to access their personal data, as well as the right to have that data erased or corrected.
Organizations must respond to DSARs within one month, unless they have a good reason to extend the timeline.
DSARs can be submitted in writing or orally, and they don’t have to include the term “DSAR.”
They can be submitted to any part of the organization, not just the privacy team.
Receiving a DSAR
The first thing you should do when you receive a DSAR is to confirm that the individual is who they say they are.
This can be done by asking for a copy of their ID or by using an identity verification service.
Once you’ve verified the individual’s identity, you’ll need to gather all of the information that they’re requesting.
This may require working with other teams in your organization, such as IT or HR.
It’s important to note that individuals can request any data that an organization holds about them, including information beyond the personal data itself.
For example, an individual could request information about how their data is being used, where it came from, or who it has been shared with.
They could also request information about an organization’s data retention policy or its procedures for handling data breaches.
Responding to a DSAR
Once you have all of the information that the individual has requested, you’ll need to put it together in a format that is easy to understand.
Remember, individuals have the right to receive their data in a “commonly used and machine-readable format.”
If you’re not sure how to do this, you can always ask for help from your IT team.
Once you’ve compiled all of the information, you’ll need to send it to the individual within one month.
If you can’t do this, you’ll need to provide a reason for the delay and let them know when they can expect to receive the information.
Dealing with DSARs can be time-consuming and resource-intensive.
To make the process go more smoothly, it’s important to have a plan in place for dealing with them.
Here are a few things to keep in mind:
- Establish a process for receiving and responding to DSARs.
- Train your team on how to handle DSARs.
- Keep track of all DSARs so you can identify patterns and trends.
- Use data from DSARs to improve your privacy program.
By following these tips, you can make the DSAR process less of a headache and more of an opportunity to improve your privacy program.
Five Tips for Dealing with DSARs
1. Get organized
The first step is to get organized.
Create a system for tracking and managing DSARs so you can see which ones are still open, which ones are in progress, and which ones have been resolved.
This will help you avoid duplicating work and ensure that all DSARs are addressed in a timely manner.
2. Train your team
DSARs can be submitted to any part of the organization, so it’s important to train all team members on how to handle them.
This includes knowing who to forward the request to, how to collect the necessary information, and how to format the data for delivery.
3. Keep it confidential
DSARs are confidential by nature, so it’s important to keep all information related to them secure.
This includes both the data itself and any internal communications about the DSAR.
4. Take your time
Don’t rush through the process.
Organizations must respond to DSARs within one month, but that doesn’t mean you should wait until the last minute to start working on them.
If possible, start gathering information as soon as you receive the request so you can avoid delays later on.
5. Use it as an opportunity to improve
DSARs can be time-consuming and resource-intensive, but they can also be an opportunity to improve your privacy program.
Use the data from DSARs to identify gaps in your processes and make changes to improve the way you handle personal data.
DSARs may be a headache, but they help customers exercise their rights under GDPR. Data security and privacy are top concerns for customers, so it’s important to take DSARs seriously. Hopefully, if you follow these tips, you can make the DSAR process less of a hassle and comply with GDPR at the same time.