DSAR Guide: Ways to build customer loyalty in 2023 & beyond
Every time we marketers sit for work with full enthusiasm, "No matter what happens today, I am gonna get a hell of a lot of user data from these cookies," a DSAR request pops up from our users asking for their personal information back.
But it is what it is. Privacy laws worldwide dare us to decline DSAR requests, but seriously people, that's the last thing you want to do.
Ever since the growing number of privacy breaches by companies and even some governments worldwide have leaked millions of sensitive personal information, data privacy regulators have become cautious.
So, what are these DSARs, and why should businesses take them seriously?
A Data Subject Access Request (DSAR) is an inquiry made by a data subject to a company regarding how the data subject's personal information has been collected, processed, and used. Anyone who is a data subject can submit a request.
The Data subject here is a natural person or an individual who has consented to you collecting their personal information. But that doesn't give you ownership of the data. The data ultimately belongs to the user or data subject.
Hence, they can make DSAR request to access and know what and how their information is collected and used. They also have the right to change their data or ask the business owner to delete it.
GDPR, the first and most stringent data privacy in the world, defines DSARs as,
A data subject has the right to access personal data that has been collected concerning them and to exercise that right easily and at reasonable intervals to be aware of and verify the lawfulness of the processing.
Under the GDPR, businesses need to respond within 30 days to a DSAR request (With an extension of 30 days under exceptional circumstances). There is no format to DSAR request—if a consumer calls your helpline requesting access to their data, you must oblige. Check out our GDPR guide to make your business compliant with the strictest privacy law in the world.
What are Data subject Access rights?
Under DSARs, the data subject has certain rights. Let's understand them so you can respond intelligently to the data subjects concerned.
Right to information regarding the collection of personal data: As a company, if you have collected any personal data from the user, you must notify the data subject concerned.
The right to access personal data and its processing are what DSAR is known for. A data subject can access and see how their data is processed.
Right to rectify incorrect or incomplete personal data: you have one month to comply, If an individual requests rectification (verbally or in writing),
Right to remove data: Also known as the right to be forgotten, this rule gives data subjects the freedom to erase their data within 30 days when requested.
Right to restrict personal data processing: If the data subject requests you to stop further processing their personal data, you'll have to comply with it. However, you can still store it.
Right to data portability: This rule gives data subjects the authority to take their personal information from one platform to another quickly, safely, and securely.
Right to object: If the data subject doesn't agree with how their personal information is used for marketing, sales, or non-service-related purposes, then this rule gives the right to object.
Right to no to automated decision-making and profiling. This rule gives Data subjects the right to say no to automated decisions—including profiling—being made about the data that can have a legal or similarly significant effect on them.
So, these rights under DSAR give power to the data subject or your customers to access, object, change or erase the personal information they had previously provided you, with their consent. As a responsible business entity, you must respond to these data subjects' DSAR requests. Let me show you how it's done.
When a data subject makes a DSAR request, your data protection officer (DPO) or any other person handling data processing in your business organization must respond with a list of all the information you have regarding the concerned data subject. They might also request specific information in some cases. You are obligated to meet whatever information the data subject requests.
Subjects can request the following:
Confirmation that you process their data.
Access to their personal information.
Your legal basis for the processing of data.
The timeline for the storage of their data
Relevant information on the method of obtaining the data.
Any relevant information about automated decision-making and profiling.
Names of third parties you share their information with.
Different data subjects will have different requirements and listing out every permutation combination will make this discussion endless. The above list is a good starter, but it's always a nice idea to review your relevant law and see what you need to provide.
Also known as the right to erasure or to be forgotten, a data subject can request the companies to delete or erase their personal information that shouldn't stay with them.
Some data subjects don't object to you having to store their personal information. But they may notice some error in the data, which is irrelevant. So, they can make a DSAR request for you to correct their data.
Though most data privacy laws worldwide do not stop any consumer from submitting DSARs, some rules exclude employees, commercial partners, and job candidates. But that isn't the case with CCPA/CPRA/GDPR. According to these laws, even employees can exercise DSAR requests.
In exceptional cases, an individual too can submit a DSAR on behalf of another person. Well, there are certain conditions to that:
A parent or guardian requesting information on a child.
A court-appointed official is handling someone's case.
Someone requesting their client's or employer's information
The data subject requests help from a friend or relative.
As a responsible business entity, you must thoroughly check whether the request made by another person on behalf of the data subject is proper. In such cases, you can ask for evidence of the relationship, like birth certificates that acknowledge the parents' names, guardianship paperwork, or power of attorney documentation.
An employee making a DSAR request can be sensitive, so it makes more sense for a business entity to take this particular DSAR a little more seriously.
Companies have crucial information about their employees like social security numbers, ethnicity, sexual orientation, PAN number, and much more. Also, employee DSAR is perceived as wrong by default. They might ask DSAR why their promotions are put on hold or why they've been put on the performance improvement plan. If proven guilty of favoritism, nepotism or any unlawful reason, a business can put its reputation in danger. Or worse–they can be sued by the employee making DSAR.
Can I refuse to respond to a DSAR?
It is essential to respond to most DSARs, but there can be a few exceptions:
The request is either of malicious intent to destroy the reputation of the company/business, or there is an excessive number of requests overlapping the recently submitted request.
But frankly, it is difficult to prove these points to refuse to respond to the DSAR request. A company must be cautious and should do extensive research before refusing to respond to a DSAR request.
Do I have to provide everything?
Not necessarily. You only need to give them the information that's considered personal data. Businesses don't need to include everything related to the data subject. For example, you don't need to provide internal memos or notes to the data subject
How quickly do I need to respond to a DSAR?
Most data privacy laws require you to respond within 30 days to a DSAR. However, The CCPA/CPRA allows for a 45-day response time.
Conclusion: Be empathetic to your customers
Just having data privacy compliance in your business isn't enough. It should be practiced as well. A DSAR is an excellent way for companies to show authenticity and transparency. Understanding their pain points and providing a relevant solution will take your business to new heights. 2023 and beyond will be about building a genuine and long-lasting connection between you and your customers.