What to Do When a Customer Submits a DSAR

Picture this: you’re a busy privacy professional who has been pulled in multiple directions over the last few weeks.

You’re finally sitting down to clear some of the backlog on your desk when you see an email from a customer with the subject line “DSAR.”

Your heart sinks as you think to yourself, “not another one.”

Data subject access requests (DSARs) can be time-consuming and resource-intensive for organizations of all sizes.

They can also be a headache for privacy professionals who have to manage them.

However, there are some things you can do to make the process go more smoothly. In this article, we’ll share five tips on how to deal with DSARs.

What is a DSAR?

A DSAR is a request from an individual for information about themselves that an organization holds.

Under the EU General Data Protection Regulation (GDPR), individuals have the right to access their personal data, as well as the right to have that data erased or corrected.

Organizations must respond to DSARs within one month, unless they have a good reason to extend the timeline.

DSARs can be submitted in writing or orally, and they don’t have to include the term “DSAR.”

They can be submitted to any part of the organization, not just the privacy team.

Receiving a DSAR

The first thing you should do when you receive a DSAR is to confirm that the individual is who they say they are.

This can be done by asking for a copy of their ID or by using an identity verification service.

Once you’ve verified the individual’s identity, you’ll need to gather all of the information that they’re requesting.

This may require working with other teams in your organization, such as IT or HR.

It’s important to note that individuals can request any data that an organization holds about them, including information that goes beyond the personal data itself.

For example, an individual could request information about how their data is being used, where it came from, or who it has been shared with.

They could also request information about an organization’s data retention policy or its procedures for handling data breaches.

Responding to a DSAR

Once you have all of the information that the individual has requested, you’ll need to put it together in a format that is easy to understand.

Remember, individuals have the right to receive their data in a “commonly used and machine-readable format.”

If you’re not sure how to do this, you can always ask for help from your IT team.

Once you’ve compiled all of the information, you’ll need to send it to the individual within one month.

If you can’t do this, you’ll need to provide a reason for the delay and let them know when they can expect to receive the information.

Managing DSARs

Dealing with DSARs can be time-consuming and resource-intensive.

To make the process go more smoothly, it’s important to have a plan in place for dealing with them.

Here are a few things to keep in mind:

  • Establish a process for receiving and responding to DSARs.
  • Train your team on how to handle DSARs.
  • Keep track of all DSARs so you can identify patterns and trends.
  • Use data from DSARs to improve your privacy program.

By following these tips, you can make the DSAR process less of a headache and more of an opportunity to improve your privacy program.

Five Tips for Dealing with DSARs

1. Get organized

The first step is to get organized.

Create a system for tracking and managing DSARs so you can keep track of which ones are still open, which ones are in progress, and which ones have been resolved.

This will help you avoid duplicating work and ensure that all DSARs are addressed in a timely manner.

2. Train your team

DSARs can be submitted to any part of the organization, so it’s important to train all team members on how to handle them.

This includes knowing who to forward the request to, how to collect the necessary information, and how to format the data for delivery.

3. Keep it confidential

DSARs are confidential by nature, so it’s important to keep all information related to them secure.

This includes both the data itself and any internal communications about the DSAR.

4. Take your time

Don’t rush through the process.

Organizations must respond to DSARs within one month, but that doesn’t mean you should wait until the last minute to start working on them.

If possible, start gathering information as soon as you receive the request so you can avoid delays later on.

5. Use it as an opportunity to improve

DSARs can be time-consuming and resource-intensive, but they can also be an opportunity to improve your privacy program.

Use the data from DSARs to identify gaps in your processes and make changes to improve the way you handle personal data.


DSARs may be a headache, but they help customers exercise their rights under GDPR. Data security and privacy are top concerns for customers, so it’s important to take DSARs seriously. Hopefully, if you follow these tips, you can make the DSAR process less of a hassle and comply with GDPR at the same time.

How does CIAM Protect Customer Data?

Companies are gathering more data about their consumers than ever before. With this in mind, companies are looking for ways to keep their customers’ information safe. Customer Identity and Access Management (CIAM) can help protect consumer data by allowing one username and password to be used across all the services they use, while maintaining confidentiality of passwords and other sensitive information that might be needed at login.

The right CIAM solution can help reduce the risks of customer data being compromised by hackers or lost because of system failures.

CIAM helps reduce the risk of loss of confidentiality for one’s customers, which may lead to more customers trusting your company with their business. Think about how even one security breach could affect that relationship if they are not allowed to use a single login for all their needs.

For this reason, CIAM (customer identity and access management) is becoming a critical part of cloud infrastructure.

Being easy to use and adaptable enough to work with any service, the best CIAM solutions allow your customers to log in using one username and password that will then enable them to access all of their other accounts and programs.

CIAM and the GDPR

The two are not directly related, but they are both aimed at protecting your customers’ data. The GDPR is a European Union regulation that came into effect on the 25th of May, 2018, and it protects EU citizens’ personally identifiable information (PII).

The GDPR causes companies to rethink how they store customer personal data, and this is why a company’s CIAM solution should be able to provide enough security and transparency to allow them to comply with the GDPR, which can mean that changes need to be made.

Enabling Customers to Take Control of Their Data

The GDPR also gives customers more control over what information they share with companies. Customers can now easily view what information a company holds about them, and they also have the right to be forgotten. This means that companies must ensure that they protect both their own and their customers’ data by encrypting it on their own servers and any third-party vendors who might have access.

How customer data is used by businesses

This has always been a concern, and although many people may feel uncomfortable about exposing their data to businesses, it is often necessary for them to do so in order to be able to fully enjoy the services that they want.

CIAM can make customers’ lives easier by allowing them to use single sign-on (SSO) when accessing different websites and apps. It allows businesses to provide users with a convenient way to log onto different platforms using one set of login details, rather than requiring them to use the same password every time.

Customers are still in control

Even though CIAM helps make customers’ lives easier by allowing them to browse the internet more securely, it also makes sure that their personal details are kept safe by allowing them to choose exactly how much they want to share with a business.

This means that, even if a customer has signed up for an account on a service which uses CIAM, there will be no risk of their data being stolen if the business’ servers are hacked. This does not mean that they should not take care when entering their details on such sites.

The benefits of using a CIAM platform to protect customer data

On one hand, customers feel as though they are finally in control of their own data and how it is handled by businesses using CIAM platforms. This means that those companies which do not yet use CIAM will be forced to change their practices if they want to keep attracting new customers and keeping old ones.

On the other hand, those companies who already use CIAM will benefit from a boost in customer trust and security. This means that they can build a more solid relationship with their customers and be able to establish themselves as one of the most trustworthy internet entities around.

How to choose a CIAM provider that meets your needs

A key factor to consider when looking for a CIAM provider is whether they can provide you with access to an API. APIs are how websites allow your chosen tools and applications to connect with them.

This means that if you already use another company’s proprietary software, chances are there will be an API for it so that the data can be sent to your CIAM tool. It’s important that you find a CIAM company that provides such an API as it gives you greater control over your data and how it is presented, enabling you to create the report exactly how you want it rather than having them do all the hard work for you.

GDPR’s effects on Startups

A new ruling, the General Data Protection Regulation (GDPR), taking effect in May 2018, will have a worldwide impact on firms, including those in the USA that have interests, holdings, customers and other touch points on European soil. How will GDPR affect the startup tech community? Will this stifle the idea of work fast and break things? Will this cause an increase in costs for startups? Will startups be reticent to enter EU markets?

Looking for opinions and quotes from policy and legal experts on how GDPR will affect startups in the US.
