DSAR Process Checklist: Dos and Don'ts for 2023!
The internet is a useful yet dangerous thing.
As internet users become more aware of their privacy rights, the volume of Data Subject Access Requests (DSARs) received by companies increases exponentially. The number of people exercising privacy rights under the CCPA has doubled in the past two years.
At the end of 2021, ‘Do not sell’ and ‘do not share’ requests flashed around all kinds of websites and mobile apps. The enforcement of CCPA meant that companies could no longer collect, share or sell an individual’s personal information without prior consent. The law also enforces that a company must always address privacy requests of individuals whose data it collects, shares, or sells.
Maintaining precise records of data subject requests is the best way to guarantee successful audits and privacy compliance. The rise of new and improved data laws means businesses can no longer find loopholes in the regulatory processes. Therefore, companies need scalable data privacy management and regulatory compliance solutions.
A straightforward process for addressing individual DSARs is crucial for building a long-term relationship with your data subjects.
Read along, and we’ll discuss how you can ensure compliance with evolving data privacy laws.
Know Your DSARs
Individuals who interact with your company’s website (or mobile app) and provide their personal information are your data subjects. Under the protection of various data privacy laws, your data subjects have the right to seek information on (or object to) the collection, sharing, and selling of their data. A DSAR is, therefore, the practical way of exercising privacy rights over personal data.
Your data subjects are free to send written or verbal (or otherwise indicated) DSARs, preventing you from collecting, accessing, sharing, or selling their personal data. A business is responsible for fulfilling every DSAR it receives from a person who has shared their personal information on the company’s website(s) or mobile app(s).
The Laws Against Data Privacy Breaches Are Getting More Stringent. Get Ready for a Change!
The 2018 enforcement of the California Consumer Privacy Act (CCPA) was an essential step in solidifying data protection laws. The law prevented businesses from breaching individual data privacy rights by ensuring compliance. However, there have been instances where big companies were caught gaming the law for their own benefit.
In the past two years, big-tech companies like Meta, Amazon, and H&M have been found guilty of violating privacy laws several times. In total, privacy breaches have cost these companies fines of over $1.45 billion. While big companies can absorb the financial penalties of a lawsuit, the reputational damage lasts much longer.
In the aftermath of unforgiving fines and penalties, the big companies have made significant amends in their data privacy management processes.
CCPA and CPRA: The Laws You Must Not Violate!
The CCPA places obligations on businesses to address individual DSARs regarding:
the personal information they collect about an individual (data subject)
data deletion
opting out of the sale of personal/sensitive data
correction of inaccurate information
setting preferences (or limits) on the use or sharing of personal information
Under the CCPA, privacy violations against minors (children under the age of 16) are subject to hefty fines and severe penalties.
The California Privacy Rights Act (CPRA) is an amendment to the CCPA. The law strengthens the regulatory ‘safety net’ data subjects can rely upon. It extends data privacy by:
Expanding the definition of personally identifiable information (PII) to cover sensitive individual data including, but not limited to,
Healthcare records
Bank account and financial details
Genetic data
Religious or philosophical beliefs
Racial or ethnic origins, and
Personal chats (on messaging and emailing platforms like WhatsApp and Gmail)
Tripling the fines relating to the violation of children’s data protection rights.
Enabling consumers to hold businesses accountable for failing to protect their most sensitive personal information from hackers and security breaches.
Ensuring that, like any internet user, employees and independent contractors can exercise data subject rights.
Equal (and Brutal) Penalties for Lawbreakers
Together, CCPA and CPRA regulations place obligations on for-profit businesses that have a presence in California and:
Have a gross annual revenue of over $25 million,
Collect, buy, sell, or share personal information of more than 100,000 California residents, households, or devices; or
Generate 50% or more of their annual revenue from buying, selling, or sharing individuals’ data.
Don’t Bypass the Law
The CPRA amendment has helped eradicate the weaknesses of the CCPA and empower data privacy rights in California. These laws are the benchmark of data privacy in America, and other states are deploying (or working on) similar laws.
Here’s more information on countrywide data privacy laws.
Data privacy regulations not only affect big businesses but can also impact small to medium-scale companies.
So far, the news has focused on sanctions and penalties against big businesses. Soon, the regulatory bodies may start auditing other (high-risk, small to medium-scale) companies for privacy compliance. Failure to prove compliance can lead to severe financial and reputational damage that growing businesses can’t afford!
The CPRA levies a minimum fine of $750 on companies that violate individual data subject rights.
That’s a small amount for failing one DSAR request. However, by the end of 2024, 75% of the world’s population will be protected by effective data protection laws. Widespread awareness will be a propelling factor for increased numbers of data deletion and preference management requests.
Upon receiving a privacy request, businesses must respond proactively once the CPRA comes into full effect in July 2023.
Prepare and Protect
Under the worst circumstances, regulatory agencies may impose privacy audits on a business, which it must pass by producing a record of all customer data collected since 1 January 2022.
Since you cannot control or avoid the privacy requests sent by your data subjects, you must ensure compliance and always be ready for audits.
No Discrimination, Seriously!
Data privacy laws are non-discriminatory and provide equal rights to customers, employees, and independent contractors. Therefore, you cannot make the mistake of addressing a customer’s privacy request while ignoring that of an employee.
The protection of employee data privacy is as crucial as safeguarding consumer rights. Therefore, you must implement comprehensive data management and privacy request practices that also handle employee DSARs.
Upon receiving a data request from an employee (or contractor, job applicant, etc.), you must acknowledge it and comply with its requirements.
Exclusive Management of Employee PII and DSARs
Managing employee data and addressing privacy requests can be tedious. However, just like your customers, employees have the right to know what happens with their personal information. Therefore, you should consider the following:
Keeping track of Employee Data
Your employees’ data can be scattered across various channels like emails and personal chats (on Skype, Slack, Asana, and other workspaces). As a company, you will at some point receive information on employee health, family affairs, and financial status.
It is your responsibility to safeguard sensitive personal information against theft or misuse. Therefore, you must keep track of employee data across all channels (including handwritten communications).
Not collecting excessive employee data
You cannot hoard an employee’s sensitive personal data without prior consent. Employees can object to the collection of nonessential personal data, and you can’t oppose it.
Using automated data centralization
Maintaining clear and accessible records of employee data is a cumbersome task, as the information does not come from a single source or platform. Therefore, you should consider automating the data management process to save time and effort.
Deploying a data subject request tool
Managing privacy requests is easier with automated DSAR tools. Software integration allows you to address individual DSARs without the risk of missing deadlines.
What happens if you send a privacy request fulfillment email to the wrong address? You would accidentally share one individual’s personal information with another, disclosing it without consent and creating another (potential) lawsuit for your business.
Automating employee and consumer data access request fulfillment helps avoid this kind of confusion.
Read this article to set up your DSAR flow.
Adzapier DSAR Manager: A Seamless Software Integration for your Business
‘Let’s make the internet safer for your customers and employees.’
Managing customer and employee DSARs is essential for compliance with data laws. The Adzapier DSAR Manager is a data subject request tool that offers seamless integration with your website(s) and mobile app(s). Uploading a simple ‘code’ to your website’s (or app’s) backend is all you’ll have to do to unlock useful features like ‘DSAR workflows’ and ‘Email integration.’
The pre-set ‘workflows’ streamline the DSAR management process and let you track the progress of individual data subject requests. The email integration allows you to respond to consumer DSARs without leaving the platform: simply choose an email template from the user portal, customize it, and send it to the ‘right’ person.
Adzapier’s DSAR Manager will set you free by ensuring compliance with the changing data privacy laws. Take our 14-day free trial and see how you can transform your DSAR process flows with a ‘tiny code’!