In March 2022, the Romanian data protection authority (DPA) fined the 1,400-strong German supermarket chain Kaufland for failing to respond to a data subject access request (DSAR), in violation of the EU General Data Protection Regulation (GDPR). A customer who visited its Romanian store filed a DSAR requesting a copy of all the video surveillance recordings concerning that individual. Kaufland did not respond to the DSAR, even though the recordings were readily available in its system. The DPA imposed a €2,000 fine on Kaufland and ordered it to hand over all the recordings to the individual, blurring any images that could lead to the identification of other individuals.
Are you ready for DSARs? If you’re a small or medium-sized enterprise (SME), you’ve probably not heard of this term before. But given the EU GDPR, the California Consumer Privacy Act (CCPA), and upcoming US state and international data privacy laws, it’s something you need to be aware of. If your business isn’t compliant with DSARs, you could face some severe penalties.
So what are DSARs, and what challenges should you expect to meet when preparing for them? Read on to find out.
What is a DSAR?
A Data Subject Access Request (DSAR) is a privacy right that allows individuals (or “data subjects”) to request copies of the personal data that organizations hold about them. This includes information identifying an individual, such as their name, address, or date of birth.
DSARs give individuals the right to know what personal data is being collected about them, why it is being collected, and how it is being used. They also allow individuals to request that their personal data be deleted or destroyed if it is no longer needed. DSARs also give individuals the right to object to the use of their data for specific purposes, such as direct marketing.
US state and international privacy laws are codifying an individual’s privacy right to file a DSAR. Governments now explicitly recognize that data privacy is a human right, and thus, individuals should have control over their data.
For organizations that fall under the scope of privacy laws that provide DSAR rights, responding to DSARs is not optional. Ignoring DSARs or not responding to them within the statutory deadline will result in fines and penalties, not to mention damaged reputations. Thus, organizations must establish a DSAR process or find an organization that can manage the DSAR process for them.
DSAR Origins: EU GDPR
In the early days of the internet, privacy was not a significant concern for most users. However, privacy concerns have grown as the web has become increasingly interconnected. In response to these concerns, the EU codified the right to file a DSAR in the General Data Protection Regulation (GDPR) in 2018.
Under the GDPR, the DSAR requires organizations to protect the privacy of EU citizens by ensuring that personal data is collected and used lawfully. It also gives individuals the right to access their data and to request that it be deleted if they no longer wish it to be stored. When an organization receives a DSAR, it needs to search through every source that may contain information about the individual, for example HR records, emails, physical documents, spreadsheets, recordings, and presentations.
While the DSAR has mainly been successful in protecting privacy rights, some critics argue that it does not go far enough. Others say that it places too much burden on companies and inhibits innovation. Nonetheless, the DSAR remains an integral part of privacy law in the EU.
2022 Trend: DSARs Increasing
A 2022 DataGrail privacy trends report noted that companies are processing nearly double the number of DSARs they did in 2020 to comply with the California Consumer Privacy Act (CCPA).
This is expected to increase as more US states, including Virginia, Colorado, and Utah, enact new privacy laws that give individuals new DSAR rights. The report also revealed that the cost of processing DSARs jumped year over year from US$192,000 per one million individual identities to roughly US$400,000 per one million individual identities. About 27 US states are in the process of enacting privacy laws in their jurisdictions.
Top 5 Challenges of Responding to a DSAR
Privacy laws give individuals the right to privacy and control over their data. But some organizations argue that privacy regulations are proving to be obstacles to their collection and use of data in new and innovative ways to compete in the global economy.
Here are the top 5 challenges that organizations encounter:
1. Understanding the privacy right
Privacy law is complex, and it is not easy to know whether or not the person requesting the information has a privacy right to it. It is always best to seek professional advice before responding to a DSAR. Remember, if you disclose information to which the requester has no privacy right, you could be liable for breaching privacy laws. So err on the side of caution and get professional advice if you are unsure whether the requested information is subject to a privacy right.
2. Identifying the data subjects
To comply with a DSAR, you must take reasonable steps to identify the individuals or “data subjects” who filed the request and to confirm they are who they claim to be. This can be time-consuming, particularly if your data is poorly organized or comes from various sources. To comply with privacy law, you must have a systematic process to authenticate the identity of individuals who file a DSAR; otherwise you risk disclosing one person's data to another. Identifying data subjects is essential to compliance with privacy law, and organizations should ensure that they have adequate processes and systems in place to do so.
3. Locating the relevant data
Once you have identified the data subjects, you will need to locate all relevant data relating to those individuals. This can be challenging if the data is spread across different systems or storage devices. To make things easier, it’s essential to create a data inventory: a record of what personal data you hold, where it lives, and which individuals it relates to, collected and organized from the different sources across your organization. With this information in one place, you’ll be able to quickly and easily locate the data you need for your DSAR. Moreover, your data inventory will help improve efficiency and collaboration across your organization.
4. Anonymizing or aggregating the data
One of the challenges of responding to a DSAR is anonymizing or aggregating the data. Data anonymization is the process of removing personally identifiable information. Data aggregation is the process of combining data from multiple sources into a single data set. These two processes are often used together to help protect the identities of data subjects. When organizations perform these two processes, it becomes even harder to identify individuals. However, conducting these processes may not always be practical, and you will need to weigh the privacy rights of the data subjects against other legitimate interests.
5. Complying with time limits
Responding to DSARs can be complex and time-consuming. Privacy laws typically require organizations to respond to DSARs within a specific timeframe, usually 30 days. Complying with these time limits can be challenging, especially if the organization does not have a streamlined DSAR response process. In some cases, it may be necessary to hire additional staff or engage an outsourced privacy compliance firm to ensure that all DSARs are responded to promptly. These steps will help ensure that your organization can effectively respond to DSARs while complying with all applicable privacy laws.
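The five challenges above describe one end-to-end process: verify the requester, find their records in a data inventory, strip other people's identifying details (as the Kaufland order required), and track the statutory deadline. The following is an added example of that process in Python; it is not code from the article or from any DSAR product. The subject directory, the three-source inventory, the "name match" redaction, and the 30-day window are all constructed assumptions for illustration.

```python
"""Minimal DSAR handling pipeline (added example; all data below is constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed subject directory: the identity facts a request is checked against.
SUBJECTS = {
    "subj-1001": {"name": "Ana Pop", "email": "ana.pop@example.com", "dob": "1990-04-12"},
    "subj-1002": {"name": "Ion Ionescu", "email": "ion@example.com", "dob": "1985-11-03"},
}

# Constructed data inventory: each source lists records tagged with the subjects they mention.
INVENTORY = {
    "hr_records": [
        {"subjects": ["subj-1002"], "content": "Employee file: Ion Ionescu, start date 2019-02-01"},
    ],
    "email": [
        {"subjects": ["subj-1001", "subj-1002"],
         "content": "Ion Ionescu handled complaint from Ana Pop about order 4471"},
    ],
    "cctv_index": [
        {"subjects": ["subj-1001", "subj-1002"],
         "content": "Clip 2022-03-01 14:05 store 17: Ana Pop at checkout, Ion Ionescu nearby"},
        {"subjects": ["subj-1002"], "content": "Clip 2022-03-02 09:00 store 17: Ion Ionescu opening"},
    ],
}


@dataclass
class DsarRequest:
    email: str
    dob: str           # claimed date of birth, ISO format
    received: str      # date the request arrived, ISO format


def verify_identity(req, subjects=SUBJECTS):
    """Challenge 2: match the claimed email AND date of birth against the directory.
    A partial match is treated as unverified (returns None) rather than a best guess."""
    for sid, facts in subjects.items():
        if facts["email"].lower() == req.email.lower() and facts["dob"] == req.dob:
            return sid
    return None


def response_deadline(received_iso, days=30):
    """Challenge 5: statutory deadline, assuming the 30-day window the article cites."""
    return (date.fromisoformat(received_iso) + timedelta(days=days)).isoformat()


def locate_records(subject_id, inventory=INVENTORY):
    """Challenge 3: pull every record from every inventory source that references the subject."""
    found = {}
    for source, records in inventory.items():
        hits = [r for r in records if subject_id in r["subjects"]]
        if hits:
            found[source] = hits
    return found


def redact_third_parties(text, subject_id, subjects=SUBJECTS):
    """Challenge 4: replace the names of every *other* known subject with a placeholder,
    so the requester receives their own data without other people's identifying details.
    Plain name matching is an assumption for this example; a real system would redact
    by record-level identifiers rather than by string search."""
    for sid, facts in subjects.items():
        if sid != subject_id:
            text = text.replace(facts["name"], "[REDACTED]")
    return text


def build_response(req, subjects=SUBJECTS, inventory=INVENTORY):
    """Run the whole pipeline; an unverified identity yields no records at all."""
    deadline = response_deadline(req.received)
    sid = verify_identity(req, subjects)
    if sid is None:
        return {"status": "identity_not_verified", "deadline": deadline, "records": {}}
    disclosed = {
        source: [redact_third_parties(r["content"], sid, subjects) for r in hits]
        for source, hits in locate_records(sid, inventory).items()
    }
    return {"status": "ready", "subject_id": sid, "deadline": deadline, "records": disclosed}


if __name__ == "__main__":
    import json
    req = DsarRequest(email="ana.pop@example.com", dob="1990-04-12", received="2022-03-01")
    print(json.dumps(build_response(req), indent=2))
```

Two design points matter more than the code volume. Identity verification fails closed: a request with the right email but the wrong date of birth gets a deadline (the clock is still running) but no records, because responding to the wrong person is itself a breach. And redaction is applied per record after retrieval, so the requester's own mention survives while the other subject's name does not, which is the same outcome the DPA ordered in the Kaufland case.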
While it is essential to balance privacy rights and organizational needs, privacy should not be sacrificed in the name of innovation. DSARs provide a way for individuals to exercise their privacy rights while still allowing organizations to collect and use data for legitimate purposes. By complying with DSARs, organizations can show that they respect the privacy of their customers and employees and are committed to protecting their personal data.
As you can see, there are many things to consider regarding DSARs and data privacy. But don’t worry, we’re here to help! Our team has put together a DSAR Package to help you comply with DSARs and protect your customers’ data privacy. If you have any questions, please don’t hesitate to contact us. We want to ensure that your business is ready for the new era of DSARs!