Data Subject Access Requests (DSAR)

General Data Protection Regulation (GDPR)

The European Union’s General Data Protection Regulation (GDPR), put into effect in May 2018, was the first comprehensive and extensive data protection and privacy legislation of its kind. It is so all-encompassing and of such sheer magnitude and importance that it has significantly impacted the way data privacy is approached internationally. Numerous data protection acts use the GDPR as a model on how to structure themselves, such as California’s CCPA and Connecticut’s CTDPA.

The GDPR was created to give individuals back the right to assert control over their own data. One of its important sub-categories is a section on the right of access. This allows individuals to retrieve information about the data an organization holds about them, why that entity has that data, how it is used, and other information relating to it.

With the GDPR, the right to access data was expanded upon ​​with new mandatory information that organizations must provide to individuals upon request. It also made it easier for individuals to submit their requests, access their data, and get information.

Understanding DSAR

Before we go into discussing what a DSAR is, we must first understand what a DSR is. A DSR (Data Subject Request) is the process of requesting personal data from a company and includes the individual’s desire to access, modify, or expunge the data that the organization contains of theirs. These requests are becoming more common due to legislation such as the GDPR, CCPA, and CTDPA, among others. Firms must adhere to strict guidelines for honoring data subject requests or face fines and other severe consequences.

Thus, a DSAR (Data Subject Access Request) is a specific type of DSR. Under a DSAR, an individual requests access to all the personal data that an organization has processed about them. The individual is further allowed to regularly maintain access to the information the organization retains to verify the lawfulness of the processing. In addition to giving access to this data, companies must also inform the requester how they use the individual’s personal data. For example, the data subject may request the purpose of processing their data, who their data will be shared with, and how long the company will store it. This personal data might include details such as an individual’s name, address, or email address. If an individual is not satisfied with how a company has responded to a DSAR in the USA, they are free to make a complaint to the Federal Communications Commission (FCC), where individuals can submit consumer complaints.

Additionally, after a DSAR is submitted and your company complies with the request, an individual might decide that they dislike the amount of information you have on file about them. When looking over the data that you maintain on said individual, they may not agree with what you are using that data for, or even what conclusions you’ve made about them based on their data. In this event, that individual might decide to move forward with an ultimate opt-out.

What Happens When You Get the Ultimate Opt-Out?

Opt-out

The term opt-out is routinely used to describe unsubscribing or leaving membership from an online group, website, blog, etc. It is typically used by email marketers to remove users from mailing and subscription lists so that they don’t receive further emails or messages from the company or list they were previously on.

From manual to automated

In the case of an ultimate opt-out, the individual is stating that they no longer wish to be involved with the company in any capacity, including any of the lists they are on that you might have shared with third parties. In this situation, it would be detrimental if the individual received unsolicited messages or product information, and it could potentially lead to fines under various consumer protection laws. This makes it imperative to move from manually recording individuals who opt out to having automation in place that transfers them from active lists to inactive or do-not-contact lists.

Email data comparison

Thus, it is vital for your business to have a centralized location where all of the email suppression data exists. Here your internal teams will be able to store and share opt-out lists easily, and there will be uniform procedures for categorizing opt-out members. Furthermore, this will also make it easier for you to share your data lists with third parties with the most up-to-date information. Likewise, an email data comparison tool offers further support by allowing you to analyze your various lists and compare the data, eliminating duplicates and compiling it all into one list that is up to date and easily shareable with your clients.

How DSARs Are Submitted

As of now, there is no required uniform way that data subject access requests must be submitted in the United States. DSARs can be submitted verbally (in person or via telephone) and by writing (through email, letter, online chat, social media, etc.).

It is essential for your company to recognize all DSARs and to have clear instructions on how your customers can send one. This makes it easier for them to contact you, demonstrates to regulators under the CCPA and the various other acts that you are maintaining accountability, and standardizes the channels through which DSARs are received.

For example, if you have a toll-free number that individuals can call to submit their data subject access requests or state on your website’s FAQ that all customers can contact support via email, you will have most of your DSARs coming in through phone or email, with perhaps the odd request coming through from elsewhere. However, when you don’t have clear options available for your customers, they will probably choose what is easiest for them when submitting their DSAR. This will make bookkeeping and keeping track of all requests unnecessarily complicated for your company and take up more of your time.

Get Ahead of Your Organization’s Compliance

Download our free compliance handbook to understand why companies are getting fined thousands of dollars and see how you can start improving your company’s email compliance.


Responding to Data Subject Access Requests

Before completing a data subject access request, your company must register the request, then log it into a record tracking system that can verify the user. Keeping records of the submissions will help build your accountability and authenticate the requester as someone on your data lists, saving you time before you begin working on their DSAR fulfillment.

1. Register the request
2. Log the request
3. Verify the user

Additionally, when you are pulling personal data for the report, it helps if your data organization system is easy to understand and very clear on where all of the personal information is stored. Centralizing your data will help keep down the time it takes to answer and complete data requests, since managing deadlines is crucial to fulfilling DSARs. Furthermore, having an organized system will help keep you from missing critical data on your reports, or from failing to erase it in the event of opt-outs.

When it comes to what you should include in a DSAR response, you should always open with confirmation that the requester’s personal data has been processed. You should also include the details pertaining to access to the data; clearly state the lawful basis for processing the data; mention the criteria for the data collection and storage; provide all relevant information about how their data was acquired; give pertinent information about how the data was automatically profiled or categorized; and, lastly, list all of the third parties this data was shared with.

Once your response is complete, it is critical that you review it before ever sending it out to the recipient. This is necessary for several reasons. Firstly, you want to make sure it meets DSAR requirements and, secondly, you do not want the personal information of any individual other than the requester on that report. If by any chance you give this data to the wrong person, or give someone else’s data to the requester, the damages can be catastrophic, since your data records might include very private information such as passwords, addresses, or payment information.

When you deliver this personal data report to the individual, you will want to send it in a way that keeps the information encrypted. Every data breach is very costly for you as a business owner. The fines for breaches have been going up exponentially every year, since lawmakers want organizations to treat the protection of consumers’ data with the utmost seriousness.

Summarizing the DSAR Compliance Process

All Data Subject Access Requests can be broken down into a fairly simple process that follows the same steps every single time, and they are thus relatively straightforward to automate with the help of companies such as OneTrust and Ketch, which have many data mapping and consolidation tools available. These companies make it easy to extract the subject’s data from various sources and gather it all in one place.

When you receive a DSAR from a subject you will want to:

1. Identify and centralize the subject’s data
2. Clarify the nature of the request
3. Review the data that you have compiled
4. Collect and package that data in an easily understandable format
5. Ensure that you are informing the subject of their rights in the report
6. Send the requested data to the subject in an encrypted file

After the subject receives the data, you will want to wait for further communication from them to see what additional steps you should take.

How UnsubCentral Helps After the DSAR

At this point, you’ve received a DSAR, taken all the necessary measures to respond to said request, and gotten an ultimate opt-out from an individual, but now what? Well, you don’t simply delete the data at this point. Per the letter of the law, these individuals would become unsubscribes. This means that rather than having no record of them at all, you would apply a unique identifier to their record, signifying them as “unmarketable” or a non-marketable person. This signifier is crucial, as it must be honored throughout your entire marketing and sales ecosystem.

That’s where UnSubCentral comes in with our scrubbing and data comparison tools. We take the headache out of managing multiple lists on multiple platforms by providing a centralized location where all your email suppression data and opt-out individuals exist, ensuring that your employees have a place to share and uniformly categorize opt-out members. This also guarantees that those opt-out members do not receive any type of marketing or sales communication by mistake.
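As an added illustration (not UnsubCentral’s tooling and not code from this page), the following Python sketch shows the mechanism described above and under “Email data comparison”: a central suppression list that consolidates several opt-out sources, deduplicates normalized addresses, flags each record as unmarketable rather than deleting it, and scrubs an outbound list before any send. All class names, field names and sample addresses are constructed for the example.

```python
from dataclasses import dataclass, field


def normalize_email(addr: str) -> str:
    """Canonical form so one person matches across lists: trim and lowercase."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return f"{local}@{domain}"


@dataclass
class SuppressionList:
    """Single source of truth for opt-outs; records are flagged, never removed."""
    entries: dict = field(default_factory=dict)  # email -> {"status", "source"}

    def record_opt_out(self, addr: str, source: str, status: str = "unmarketable") -> str:
        key = normalize_email(addr)
        # Keep the first opt-out seen; a later import never downgrades an existing flag.
        self.entries.setdefault(key, {"status": status, "source": source})
        return key

    def merge(self, raw_lists: dict) -> int:
        """Consolidate internal and partner opt-out lists, deduplicating as we go."""
        for source, addrs in raw_lists.items():
            for addr in addrs:
                self.record_opt_out(addr, source)
        return len(self.entries)

    def is_suppressed(self, addr: str) -> bool:
        return normalize_email(addr) in self.entries

    def scrub(self, outbound: list) -> tuple:
        """Split an outbound list into (send, held) so no opt-out is ever mailed."""
        send, held = [], []
        for addr in outbound:
            (held if self.is_suppressed(addr) else send).append(addr)
        return send, held


# Constructed sample data: two opt-out sources with overlap and inconsistent casing.
OPT_OUT_SOURCES = {
    "dsar-portal": ["Alice@Example.com", " bob@example.com "],
    "partner-feed": ["alice@example.com", "carol@example.org"],
}
OUTBOUND = ["alice@example.com", "dave@example.net", "BOB@example.com"]


def demo() -> tuple:
    sl = SuppressionList()
    total = sl.merge(OPT_OUT_SOURCES)          # 4 raw entries collapse to 3 unique
    send, held = sl.scrub(OUTBOUND)            # only dave is still marketable
    return total, send, held, sl.entries["alice@example.com"]["source"]
```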

Ready to Get Compliant?

Request a demo with our team to see how our customizable solutions can generate more revenue from your outbound marketing efforts.