About Data Subject Requests
Data subject requests and DSARs are core functions in modern privacy ops. In this article, we show how to successfully fulfill these requests in compliance with laws like GDPR and CCPA.

Overview
- What is a Data Subject Request (DSR)?
- What is a Data Subject Access Request (DSAR)?
- Understanding the Differences Between DSRs, DSARs, and SARs
- Requirements for DSRs and DSARs
- How to Fulfill DSRs and DSARs
- Automating and Simplifying DSRs and DSARs
What is a Data Subject Request (DSR)?
A data subject request (DSR) is a user’s request to access, modify, or delete the personal data that a company holds on them. A growing number of laws—including the European Union’s GDPR, California’s CCPA, and Connecticut’s CTDPA—grant individuals the legal right to submit these requests. Companies must follow specific guidelines in fulfilling data subject requests or risk fines and other penalties.
What is a Data Subject Access Request (DSAR)?
A data subject access request (DSAR) is a specific type of data subject request: a user’s request to access their personal data that a company has processed. Alongside the data itself, companies often must supply descriptions of how and why the data was processed. Companies’ requirements vary from one law to another, in areas like what personal data categories are included and how promptly a company must respond.
Efficient fulfillment of data subject requests and data subject access requests is also a key way to show users that your data practices are worthy of their trust.
The central goal for teams is to promptly provide accurate and comprehensive responses to data subject requests. It sounds simple enough. But as data systems are becoming more complex, it can become an overwhelming challenge to track down all of a user’s data when they request it be deleted, corrected, or shared with them. However, understanding the basic requirements and procedures for data subject requests can prepare your team for compliance success.
Understanding the Differences Between DSRs, DSARs, and SARs
As their names suggest, both DSARs and subject access requests (SARs) refer to a user’s request to access the personal information that a company holds on them. A DSR, on the other hand, is an umbrella term that covers users’ requests to access, modify, or delete personal information. In other words, a (data) subject access request is one type of data subject request.

Requirements for DSRs and DSARs
A Key Component of GDPR Compliance
At their essence, DSRs and DSARs aim to empower users with greater control over how companies use their personal data. Data subject requests rose to global prominence in recent years thanks to the EU’s General Data Protection Regulation (GDPR). GDPR’s Chapter 3 spells out in detail a suite of rights granted to end-users (aka “data subjects”) who reside in the EU. When it comes to data subject requests that users can submit to companies, these include:
- A right to access personal information (GDPR Article 15)
- A right to rectification, or correction, of inaccurate personal information (GDPR Article 16)
- Why does the company collect and process this personal data?
- A right to erasure, sometimes called the right to be forgotten, of personal information (GDPR Article 17)
Importantly, as with GDPR in general, the responsibility to fulfill data subject requests is not just for companies based in the EU. Any company that processes EU users’ personal information is responsible for fulfilling EU users’ data subject requests.
DSRs and DSARs in Regulations Worldwide
GDPR has influenced how data subject requests are codified in data privacy regulations worldwide. Brazil’s Lei Geral de Proteção de Dados (LGPD) also grants the rights of access, erasure, and correction. In the US, both California’s CCPA and Virginia’s CDPA grant users the rights of access and erasure, and the CDPA includes the right to correction. A right to correction is already on its way in California, with the right included in the passed CPRA that goes into effect at the start of 2023.
The CCPA also encodes data subject requests under the “Do Not Sell My Personal Information” feature. In plain terms, a California resident can submit a request to opt out of a company’s personal data sales.
It is critical to understand that the CCPA takes a broad interpretation of “data sales” to include any exchange of personal information, not just exchanges that involve a monetary transaction.
Zooming out from specific regulations, it is clear that data subject requests are an integral part of global privacy compliance; all of the above regulations went into effect less than five years ago, and a surge of state- and federal-level bills is presently under consideration.