Disclaimer: The views and lesson here are mine alone and do not represent my employer, the LEGO Group, or previous coursework taught at Cleveland State University School of Law.
Data subject rights are an integral part of managing a DP&P program. Enshrined in many DP&P laws, including GDPR, CCPA, and LGPD, data subject access requests (DSARs, sometimes referred to as individual rights) require an organization to promptly honor a data subject's request to access, delete, correct, restrict, or port their personal data (depending on the specifics of each individual law).
In theory this sounds straightforward. Organizations collect and process personal data on behalf of the data subject and should always be able to serve their best interests. But in practice, particularly in large, older companies where there are countless systems and business processes, this can be a challenge, especially if you’re just standing up a DSAR process for the first time.
DSARs don't need to be a nightmare though, and with careful planning and perhaps some level of automation, a company can be confident it is ready for pretty much whatever type of request comes its way.
Let’s discuss a bit more.
- To effectively respond to DSARs, organizations should start by reviewing and understanding their data maps or inventory of processing activities, as it is easier to delete or access personal data on behalf of the data subject when you have confidence that you know where it is. When first building a process or system to respond to and manage DSARs, it can start to feel overwhelming, particularly as you realize there are numerous systems processing and storing personal data, but by leveraging the existing documentation relating to personal data you can start to build a comprehensive and defensible DSAR process.
- In a perfect world, all DSARs would be automated: the data subject would enter some specific data elements into an online form that verifies identity, and within minutes the request would be confirmed and executed. Unfortunately, though, very few organizations have the system architecture and resources to enable this type of solution, and there will likely be some combination of manual and automatic processing required to support DSARs.
- A hybrid approach to DSAR automation could include a tool that maintains an inventory of all the systems containing personal data along with the system administrator responsible for executing each request. The tool would then automatically notify the system administrators of every request and require confirmation once it is complete. The tool would also log and track all requests as a system of record for DSARs, but this approach would still require manual intervention to delete the personal data, along with oversight to ensure the process is running properly.
- As organizations begin to build out a DSAR process, decisions will need to be made whether to separate internal and external requests. Internal requests are generally received from employees, former employees, and job candidates, whereas external requests come from customers, suppliers, and other business partners. Often the systems supporting the different data subjects are in separate parts of the business (such as HR for employees or customer-facing products for customers) and it might be easier to develop different DSAR processes for each, but this will be largely dependent on the company's system architecture and organizational structure.
- While DP&P offices can help build and improve the DSAR process, they may not be the best function to ultimately own it. Ownership and responsibility can sit in many different functions such as customer support for customer requests and HR for employee requests. Like many areas of DP&P, ownership will largely depend on the culture and management of the company, but even where the DP&P office doesn’t have direct responsibility for executing requests, it needs to be available for questions and to maintain visibility to ensure requests are being properly responded to.
- Depending on where the data subject is located, requests must be executed within 30 to 45 days. This might not be an issue where the process is completely automated, but for many companies responding before the deadline may present a challenge. Extensions are permitted for complex requests, but overall, the day-to-day DSAR process should consistently be completed within the required timeframe.
- When responding to a DSAR it's not just your organization's systems that are in scope but also the data processors that are part of the processing activities. Sometimes this is a moot point, as the processor systems are directly under the control of the company (such as an HRMS or CRM), but other times a request will need to be shared with the processor too (such as a third-party marketing service provider), which can add time and complexity to a request; your DSAR process must account for this.
- CCPA introduced a new concept to DSARs (which has been copied by other US state privacy laws) in that a data subject can opt out of personal data being shared or sold to third parties, where sale is broadly defined as the selling, renting, releasing, disclosing, disseminating, making available, or transferring of personal data. Global DSAR processes originally developed for GDPR had to be updated to support this right, and many organizations are still struggling with how best to comply. The most popular method seems to be to incorporate opt-out options in cookie banners, but some also allow for manual opt-outs through email or webforms, which then need to be executed manually.
- While DSARs are included in many DP&P laws, the rights are not universal and DP&P leaders need to decide if the organization will extend the rights to all data subjects regardless of location or just those covered by a legal requirement. There are arguments that can be made on both sides, but from a consumer brand standpoint, it’s hard to take a position that you will only respect requests from some customers and not others based upon geographic location.
- Data subject rights are not absolute, and most laws allow for some limits, including when requests are excessive or when they infringe others' rights. It's not always easy to determine what's excessive, and it's best not to reach this conclusion in a vacuum. When a request appears excessive, the DP&P office should consult with internal or external legal counsel and the system owners to document why the request is deemed excessive. You should also allow the data subject an opportunity to revise the request before outright rejecting it.
- DP&P offices need to be careful of the weaponized DSAR, particularly by disgruntled employees, former employees, or rejected job applicants. While companies certainly can have unhappy customers submit a DSAR, there is a certain sensitivity that comes from the employment side. When this occurs, there should be a process for engaging with internal or external employment counsel to determine the appropriate response, as there is often another issue at play besides the DSAR.
- Like other areas of DP&P, it’s important to keep a record of all completed DSARs for compliance and audit purposes. It’s somewhat counterintuitive, but you will need to keep at least a small amount of personal data to prove the request has been executed. Then, after a reasonable amount of time, those records too can be deleted.
- Data minimization and data deletion are two key DP&P principles that can make DSARs easier to execute. The less personal data collected on a data subject, the less the organization must find to delete. Further, if personal data is proactively deleted when it is no longer needed, the DSAR process doesn't have to go back into years of records when a request is received.
- Even if the DP&P office doesn't actively manage DSARs, it should receive monthly reports on the number and types of requests and include this metric in its monthly scorecard. While not entirely indicative of the DP&P office's effectiveness as a function, it does provide visibility into how many requests the organization is receiving and whether its current resource model and process are adequate.
- As new systems that process personal data are introduced into the organization, it is important that they are integrated into the DSAR process. The DP&P office can include a hook in its privacy-by-design process or ensure that, before any system goes into production, it has registered its processing activities in the appropriate places for supporting DSARs.
- It would be wise to review and update the DSAR process on an annual basis. While all organizations endeavor to have a comprehensive DSAR process there may be gaps that can impact a request’s completeness. By taking a moment to review the existing process all invested parties can work to ensure continual improvement and the best possible outcomes for data subjects and the organization.
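The hybrid tool sketched above (an inventory of systems and their owners, fan-out of each request with per-system confirmation, deadline tracking against the 30- or 45-day window, and a minimal record of execution kept afterwards) as a small added Python model. This is example code, not anything from the article or the author's organization; the system names, owner addresses and the request itself are constructed, and the hashed-identifier record is one way to keep "a small amount of personal data" as proof of execution.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date
# Constructed sample inventory: each system holding personal data and the
# administrator (or external processor contact) who must execute and confirm.
SYSTEM_INVENTORY = {
    "crm": "crm-admin@example.com",
    "hrms": "hr-systems@example.com",
    "marketing-vendor": "dpa-contact@vendor.example",  # third-party processor
}

@dataclass
class DsarRequest:
    request_id: str
    subject_email: str
    kind: str                  # "access", "delete", "correct", ...
    received: date
    deadline_days: int = 30    # 30 or 45 depending on the subject's jurisdiction
    tasks: dict = field(default_factory=dict)  # system -> "pending" | "done"

def open_request(request_id, subject_email, kind, received, deadline_days=30):
    """Log a new request and fan out one task per inventoried system."""
    req = DsarRequest(request_id, subject_email, kind, received, deadline_days)
    req.tasks = {system: "pending" for system in SYSTEM_INVENTORY}
    return req

def notifications(req):
    """(owner, system) pairs that still owe a confirmation."""
    return [(SYSTEM_INVENTORY[s], s) for s, st in req.tasks.items() if st == "pending"]

def confirm(req, system):
    """A system owner confirms the request was executed in their system."""
    if system not in req.tasks:
        raise KeyError(f"{system} is not in scope for {req.request_id}")
    req.tasks[system] = "done"

def days_remaining(req, today):
    """Days left before the statutory deadline; negative means it has passed."""
    return req.deadline_days - (today - req.received).days

def audit_record(req, completed_on):
    """Minimal proof of execution: a hash of the identifier, not the identifier.
    This is still pseudonymous personal data, so give the record its own retention."""
    if "pending" in req.tasks.values():
        raise ValueError(f"{req.request_id} still has pending tasks")
    subject_hash = hashlib.sha256(req.subject_email.strip().lower().encode()).hexdigest()
    return {"request_id": req.request_id, "kind": req.kind, "subject_hash": subject_hash,
            "received": req.received.isoformat(), "completed": completed_on.isoformat(),
            "systems": sorted(req.tasks)}
```

A real deployment would persist the request and its audit record in the system of record described above and delete that record once its own retention period ends.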
SEO Executive | Digital Marketing | Keyword Research | Competitor Analysis | Ahref | Link Building
7mo: Thanks for this informative post on DSARs! Especially helpful was the breakdown of the process for organizations with limited automation. The point about "weaponized DSARs" is also insightful - considering these scenarios in advance is important for any DP&P office.
Partner at Cadence Privacy Consulting
7mo: Excellent and thorough summation, particularly the attention to internal requests (something organizations often don't give as much focus to) and the ability to produce some form of record to demonstrate for compliance purposes that the DSR was executed. This series is fantastic and I love the details you are including, it is extremely educational for any organization wanting to learn more about privacy. Thank you for sharing!
Sr. Lawyer at Kansas City Southern de México
7mo: I love your newsletter! I learn a lot!! Thanks for this initiative and for sharing your knowledge!!
LL.M IP & IT Law │ FIP │ CIPP/E │ CIPM │ CIPT │ CDPO/BR │ AIGP │ ECPC-B │ Privacy and Data Protection Specialist │ Responsible AI │ EU Legal Counsel │ Public Speaker
7mo: Hi Aaron, thank you for the article 😀 I really love this series, congrats! I have a small note though, you mentioned "data subject access requests" and then DSARs to refer to all types of requests coming from data subjects. However, this sounds a bit confusing, after all, DSARs are only one of the possible request types. Instead, I often use "data subject requests" and DSRs as the acronym.
Executive Coach & Leadership expert HARVARD trained 🇪🇸 🇧🇷 🇺🇸 | MBA Leadership Professor | MTB 🚴🏼 Magician 🎩
7mo: Data subject rights are crucial in DP&P programs, requiring prompt response to requests. Aaron Mendelsohn