What is a Data Subject Access Request? New Privacy Laws

January 11, 2023 | 4 minutes read
What is a Data Subject Access Request? New Privacy Laws

As data protection and personal privacy legislation such as the EU’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CCPA) continues to be enacted in countries around the world, many businesses and organizations are now required to provide consumers with access to the personal data they have collected from said consumers. This being said, Data Subject Access Requests (DSAR) are the primary means by which a business can both maintain transparency with the customers they serve, as well as adhere to the responsibilities that said businesses may have under applicable data privacy laws. To this point, the obligations that businesses have as it pertains to DSARs will undoubtedly be varied.

To illustrate this point further, the EU’s GDPR law explains the rights of data subjects to access their personal data in accordance with DSARs by stating that “a data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.” Alternatively, California’s CCPA states the following in relation to DSARs “it is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights: […] (4) The right of Californians to access their personal information.”

What information must be included in a DSAR?

Irrespective of any data privacy or protection laws that have been passed in a jurisdiction where a business or organization serves prospective customers, the vast majority of DSARs will provide said customers with certain forms of basic information. Likewise, common forms of information that can be provided to customers via a DSAR include but are not limited to:

Who is permitted to submit a DSAR to a business?

While DSARs are associated with a customer asking a business to provide them with further information with respect to the data collection and processing practices of the business in conjunction with a data privacy law, DSARs can also be requested under other circumstances. For instance, employees, contractors, and job candidates that submitted their personal data to an organization can also submit a DSAR to access said information. Moreover, an individual may also be permitted to submit a DSAR on behalf of another person, such as a parent or guardian that requests information in relation to one of their children, as well as a data subject that may request assistance from a friend or family member.

When can a business deny a DSAR?

On the other hand, businesses and organizations also retain the right to deny a DSAR under certain conditions. Most notably, an individual that submits a DSAR to a business must exercise their rights appropriately, as a business is not obligated to comply with such a request if a customer intends to use the information they are provided to slander or make unfounded claims about the business or organization. In addition to this, businesses and organizations are also not responsible for replying to a customer that makes excessive requests to access their personal information, such as a customer that makes repeated requests without giving a business enough time to respond to their initial request.

How quickly do businesses have to respond to a DSAR?

While the time period under which a business or organization must respond to a DSAR will be contingent upon the privacy laws that exist within a particular country, as well as the type of industry in which the business operates, businesses are generally advised to respond to such requests as soon as reasonably practicable, but no later than a month after receipt of a DSAR. For example, a business that serves customers within EU member states that fall under the jurisdiction of the GDPR is required to respond to a DSAR within one month, lest they be subject to monetary fines and regulatory punishments.

While Data Subject Acess Requests are by no means a new phenomenon, they have unquestionably become more frequent as businesses and organizations collect a wide range of personal data from their customers on a daily basis. As these businesses and organizations have a duty to protect this information, giving customers the opportunity to access any information a business has collected, processed, or stored relating to said customers is advantageous for all parties involved. In this way, businesses and organizations can hold themselves accountable in terms of their data collection activities and practices.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »