Simon Wynn

Get your DSAR process under control… Please!

Core to many global privacy regulations is the requirement for your users to be able to access their data, and to make other requests related to their data subject rights. The most common right users exercise is the ‘right to deletion’. These requests are commonly called ‘DSARs’, and although DSARs strictly only refer to the ‘right to access’ a user’s data, the term DSAR is commonly used to cover both ‘access’ and other data subject rights (DSRs).

Implementing even a basic process is super-important. Firstly, this is your company’s ‘Privacy Front Office’. Whilst you have a privacy notice, cookie banner, and a whole host of internal controls in place (we hope…), how you react to DSARs is critical, and can immediately expose gaps in your privacy processes. It can go two ways: 1) you have a robust process to respond to requests, or 2) you have no process in place, which undermines the credibility of your entire privacy program. At worst, of course, this opens you up to potential enforcement actions by regulators.

Users do submit DSARs - I do it all of the time. I recently left a company as part of the current mass tech layoffs, and I signed up for career services because it might lead to more consulting work. A few weeks later, I started getting emails from a multi-billion-dollar temp agency welcoming me to my new account, which I had never signed up for. Weird. So, I sent an email to their ‘privacy’ email asking where they got my information under my rights as a California consumer. Here is the paraphrased exchange:

Me: Where did you get my information from? I never signed up.

Company: We have no idea - we get data from everywhere and don’t keep track of it.

Me: That’s weird.. Really?

Company: Would you like us to delete your data?

Me: No, I just want to exercise my ‘right to know’

Company: So you want to stop receiving emails?

Me: No, you are confusing the CCPA with CAN-SPAM

Company: Uh?

Me: Ok, I just read the privacy notice for the company that shared data with you. It’s all good and permissible, so you can ignore this request

Company: So you want to stop receiving emails?

Me: No! But you should probably share this thread with your privacy legal team and do a better job next time….

So, not a great response from a team member that was not qualified or trained to respond. Their title was ‘HR Business partner’. Do better!

This isn’t the worst, though. I’ve had companies respond with ‘we don’t do the GDPR’, or get back to me many months later with vague responses.

Even if you are the smallest company, there are some easy steps you can take to ensure you have DSARs under control:

  • Make sure someone owns this process, and understands the requirements

  • Make sure you have a dedicated entry point for requests, for example, a ‘privacy@’ email address. (Of course, the CCPA requires at least two methods of contact, but you get it…)

  • If you have a CRM system for customer support, hook up these entry points into that system

  • Draft a lightweight process that includes:

    • Who is responsible for responding;

    • How to handle each type of request;

    • Documenting who the data owners are;

    • A way of authenticating who the user is;

    • Simple response templates, so you have consistent and non-alarming responses ready to go;

    • A way to record details about each DSAR in a privacy-preserving manner;

    • A way to ensure the required response times are met.

With a written process, you ensure that the data subject gets the information they requested, and can exercise the privacy rights they requested, and that the request doesn’t escalate further. A large percentage of requests come from people knowledgeable about privacy, or worse, they come from privacy activists who likely have an agenda.

Lastly, if you are a data processor or service provider, make sure you understand your obligations to respond to DSARs.
