How to Respond to a Data Subject Access Request (DSAR)?

A data subject access request (DSAR) is a legal document sent from a regulator or law enforcement agency requesting information about individuals who have provided their personal data to a company.

The purpose of these data subject requests is to ensure that companies comply with privacy laws and regulations. DSARs are often sent after a breach has occurred, such as a hack or leak of sensitive customer data. They also come at times when regulators want to investigate whether a company is complying with its obligations under GDPR. Companies should respond to DSARs within 30 days unless they have a good reason to delay. If you receive a DSAR, you’ll likely be asked for certain documents, such as copies of contracts between you and third parties and records showing where your customers’ data was stored.

Companies that fail to respond to a DSAR risk fines and penalties. In addition, failing to respond to a DSAR may result in a fine of up to £500,000 per incident. If you receive a DSAR, you should contact your data protection authority immediately.

A step-by-step guide to responding to a DSAR request

In 2018, the European Union passed the General Data Protection Regulation (GDPR), which requires organizations to comply with strict rules regarding personal information. These rules apply to all EU citizens regardless of nationality.

This regulation applies to businesses operating within the EU, including US companies doing business in Europe. As a result, companies must now respond to requests for access to personal information made under GDPR. Here’s a step-by-step guide to responding to a DSAR request:

Identify the information being requested

Before you begin responding to a DSAR, make sure you understand exactly what information is being requested. For example, does the requester want to view only your contact details, or your tax returns as well? Do they want to see all of your company records or just certain documents?

Determine whether the request is legitimate

Once you’ve identified the information being requested, you’ll need to decide whether the request is legitimate. Legitimacy depends on several things, including:

– Who is making the request?

– What is the purpose of the request?

– How much time is left before the deadline expires?

– Are there any exceptions to the request?

Contact the person making the request

You may find yourself in a situation where you’re unable to provide the information directly. For example, maybe the individual requesting the information doesn’t exist anymore, or perhaps the organization was acquired by another entity. In these cases, you may need to forward the request to the appropriate department or division.

Quick overview of the different kinds of DSARs

In the United States, the federal government requires businesses to provide certain information about themselves when they apply for a license or permit. These requests are called “data subject access requests” (DSARs), and they come in several different forms. Here’s a quick overview of the different kinds of DSARs:

Business license application

This type of DSAR is required when applying for a business license. It asks for basic contact information, including name, address, phone number, email address, and so forth.

Permit application

This type of request is used when applying for a state or local permit. It also asks for basic contact information.

Environmental impact statement

An environmental impact statement is required before construction projects can begin. It asks for basic information about the project, including its purpose, location, size, and so on.

Public records act request

This type of request allows requesters to obtain public records, like tax returns, employment records, and so on. It doesn’t require a specific reason for requesting the documents.

Criminal background check

Criminal background checks are usually requested by employers looking to hire employees. They ask for basic personal information, including name, date of birth, Social Security Number, driver’s license number, and so on. Employers may also ask for criminal convictions.

Consumer reporting agencies

Consumer reporting agencies collect information about consumers and sell it to third parties. For example, consumer reporting agencies may collect information about your income, assets, debt, and so on. They may also share that information with others.

National security letter

A national security letter is issued under the Patriot Act. It gives law enforcement officials broad powers to demand customer records from service providers.