A Data Subject Access Request (DSAR), a term popularized by the EU’s General Data Protection Regulation (GDPR), is an individual’s exercise of their right to learn what personally identifiable information (PII) an organization has gathered about them, how that organization is using it, and who it has been shared with. PII includes names, social security numbers, phone numbers, behavioral data, and more; essentially anything that can be used to identify a specific individual.
For companies that fall under GDPR, as well as similar regulations like the California Consumer Privacy Act (CCPA), DSARs are not optional and can result in fines if ignored or not answered within the statutory period (for example, one month under GDPR and 45 days under CCPA, both extendable in limited circumstances). This makes knowledge of DSARs and how to react to them essential for any organization that falls under regulations that include them.
To make this easier, let’s outline the steps that will prepare an organization to receive DSARs and respond to them.
Determine Which Data Privacy Regulations Apply to Your Organization
While the steps outlined here are good preparation for any DSAR request, it’s important to know which data privacy regulations apply to your organization. This will allow you to understand the exact responsibilities expected during the DSAR process.
Data privacy regulations that require a DSAR workflow include the following, although this list will grow as data privacy regulations expand and become the norm.
- General Data Protection Regulation (GDPR, EU)
- California Consumer Privacy Act (CCPA, California, U.S.)
- Lei Geral de Proteção de Dados (LGPD, Brazil)
Gartner has predicted that “by 2022, half of the planet’s population will have its personal information covered under local privacy regulations in line with the General Data Protection Regulation (GDPR), up from one-tenth today”. So even organizations that don’t fall under specific data privacy regulations should start preparing.
Create an Intake Workflow for Consumers to Submit DSARs
This is typically done via an online form or email but can be by other means depending on the specific regulation. For most organizations with an online presence, an online form will be the easiest method and the most secure when implemented properly: it lets you encrypt the submission in transit, require specific fields, and tie the requester to an existing website account. Whatever the channel, verify the requester’s identity before releasing or deleting anything. A DSAR answered without verification hands one person’s personal data to whoever asked for it, and GDPR expressly permits requesting additional information to confirm identity when there is reasonable doubt about who is asking.
It’s also important to note that DSARs aren’t always just consumer requests for copies of their data. DSARs can include consumer requests for:
- A copy of their personal information
- Deletion of their personal information
- Preparation for transport of their personal information (known as data portability)
- Information on third parties their personal information has been shared with or sold to
- Opt-out of the collection and/or sharing of their personal information
- An explanation of how their personal information is being used
- Why their personal information is being stored
- Proof their personal information is secure
With all these different variations of a DSAR, having an automated intake process will help get the request to the proper channel within your organization, as well as narrow down the scope of the request and potential response.
Assign a DSAR Point Person
This is typically a Data Protection Officer (DPO) but depending on your specific regulation it may be another member of your organization. This person receives DSARs and ensures they’re responded to in a timely manner.
There are also scenarios in which a DSAR may be denied, although it’s uncommon. It will be up to your point person to determine when to handle the situation this way per your specific regulation.
Ultimately you need to make sure someone is seeing incoming DSARs and responding to them, and that this person has a backup in case they’re on vacation, sick, or otherwise unavailable. If DSARs pile up without a reply, then the fines can add up quickly.
Locate a Subject’s Personal Information
Whether the requester wants to see their personal information, have it deleted, or move it somewhere else, you’ll need to have a workflow in place for tracking down all relevant data.
This is easily the most difficult part of responding to a DSAR, and if your organization doesn’t have a form of data discovery and audit software in place then it will be a long and arduous process. On short notice, you need to be able to take a subject’s information (name, email, etc.) and quickly retrieve all personal information your organization has stored about them.
Personal information will rarely be confined to file servers; it is likely spread across cloud services and on-prem systems alike. Examples include, but are not limited to:
- CRM software, such as Salesforce and HubSpot
- Support ticketing software, such as Zendesk and Jira
- ePHI and medical software, such as Epic
- HR software, such as Paycom and Workday
- ERP software, such as Microsoft Dynamics
It’s critical to not wait until a DSAR is received to figure out how this process should play out, as you’ll quickly fall behind if you don’t already have workflows in place for locating data and classifying it. It should not be a manual process either, as there is software specifically designed to assist with this.
Typically only the subject’s personal information itself is in scope, but your specific regulation may require supplementary information as well, such as the purposes of processing or the retention period. For deletion requests, you may also need to ask third parties you previously shared the data with to delete their copies.
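To make the locate step concrete, here is an added example that is not Stealthbits code or StealthAUDIT output. It takes the identifiers a requester supplies (email, phone, name), canonicalizes them so that the same person matches across systems that store them differently, and scans several source systems whose field names deliberately differ. The source systems, field names and records are all constructed for the example; the assumption that phone numbers are North American is labeled in the code. Matches on email or phone are treated as strong evidence, while name-only matches are flagged for human review, since a name alone does not identify one person; only strongly matched records feed the list of third parties a deletion request must be forwarded to.

```python
"""DSAR locate step: find every record about one data subject across systems.

Added example, not Stealthbits code. All systems and records below are constructed.
"""
import re
from dataclasses import dataclass, field

# Identifier kinds we know how to compare. Name-only matches are weak evidence
# (many people share a name), so they are reported separately for human review.
STRONG = ("email", "phone")


def normalize(kind, value):
    """Canonicalize one identifier so the same person matches across systems
    that store it differently (letter case, whitespace, phone punctuation)."""
    if value is None:
        return None
    text = str(value).strip()
    if not text:
        return None
    if kind == "email":
        return text.lower()
    if kind == "phone":
        digits = re.sub(r"\D", "", text)
        # Assumption for this example: numbers are North American, so a leading
        # country code 1 is dropped to compare the 10-digit national number.
        if len(digits) == 11 and digits.startswith("1"):
            digits = digits[1:]
        return digits or None
    if kind == "name":
        return " ".join(text.lower().split())
    raise ValueError(f"unknown identifier kind: {kind}")


@dataclass
class SourceSystem:
    name: str
    fields: dict            # identifier kind -> column name used by this system
    records: list           # one dict per stored record
    share_field: str = None # column listing third parties the record was sent to


@dataclass
class Match:
    system: str
    record: dict
    matched_on: list        # identifier kinds that matched, e.g. ["email", "phone"]
    shared_with: list = field(default_factory=list)

    @property
    def strong(self):
        return any(k in STRONG for k in self.matched_on)


def locate_subject(subject, systems):
    """Return every record in every system matching the subject's identifiers.
    `subject` maps identifier kind -> list of values the requester supplied."""
    wanted = {kind: {normalize(kind, v) for v in values} - {None}
              for kind, values in subject.items()}
    matches = []
    for system in systems:
        for rec in system.records:
            hits = [kind for kind, column in system.fields.items()
                    if kind in wanted and normalize(kind, rec.get(column)) in wanted[kind]]
            if hits:
                shared = rec.get(system.share_field, []) if system.share_field else []
                matches.append(Match(system.name, rec, hits, list(shared)))
    return matches


def third_parties(matches):
    """Distinct third parties holding copies of strongly matched records; a
    deletion request has to be passed on to each of these."""
    return sorted({p for m in matches if m.strong for p in m.shared_with})


# Constructed sample systems. Field names differ per system on purpose, as they
# do between a real CRM, ticketing tool and HR platform.
SYSTEMS = [
    SourceSystem("crm", {"email": "Email", "phone": "Phone", "name": "Contact"},
        [{"id": "C-1", "Contact": "Jane Doe", "Email": "Jane.Doe@Example.com",
          "Phone": "+1 (555) 010-0001", "shared_with": ["ad-network-a"]},
         {"id": "C-2", "Contact": "Jane Doe", "Email": "jdoe@other.example",
          "Phone": "+1 555 010 0002", "shared_with": ["ad-network-b"]}],
        share_field="shared_with"),
    SourceSystem("ticketing", {"email": "reporter_email", "name": "reporter"},
        [{"ticket": 101, "reporter": "jane doe", "reporter_email": "jane.doe@example.com"},
         {"ticket": 102, "reporter": "John Roe", "reporter_email": "john.roe@example.com"}]),
    SourceSystem("hr", {"phone": "mobile", "name": "employee"},
        [{"emp": 7, "employee": "Jane Doe", "mobile": "5550100001"}]),
]

# Identifiers as a requester might type them into the intake form (constructed).
SUBJECT = {"email": ["jane.doe@example.com"], "phone": ["555-010-0001"], "name": ["Jane Doe"]}

if __name__ == "__main__":
    found = locate_subject(SUBJECT, SYSTEMS)
    for m in found:
        level = "strong" if m.strong else "REVIEW"
        print(f"{level:6} {m.system:10} matched on {m.matched_on}: {m.record}")
    print("third parties to notify on deletion:", third_parties(found))
```

Running the script finds four records: three strong matches (the CRM contact C-1, ticket 101 and HR employee 7, which differ only in email casing and phone formatting) and one name-only match (CRM contact C-2) that is printed as REVIEW rather than silently included. Because C-2 is weak, its recipient ad-network-b is not placed on the deletion-notification list; only ad-network-a is. A real deployment would replace the constructed record lists with connectors to each system, but the normalization and confidence split are the parts that decide whether a response is complete and whether it leaks a different person’s data.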
Act on the Subject’s Personal Information
This is typically the last stop in the DSAR process, and if you’ve navigated all these steps without too much difficulty then you’re in a good position to handle requests. This includes providing a copy of a requester’s data, deleting that data, preparing that data for transport, and more per the points outlined earlier and the nature of the specific request.
Between gathering data and acting on it, software automation is the clear path forward.
How Stealthbits Helps You Respond to a DSAR
Knowing where sensitive data is stored, how long it’s stored for, when it’s considered stale, who has access to that data, and what users are doing with that data gives you a big advantage. Without this knowledge, you’ll be scouring your servers and cloud repositories each time a DSAR is received and may miss important data that can later result in fines or penalties.
Remediating stale data is also important, which can be deletion per a DSAR request or standard archive/deletion of data no longer needed for business or regulatory reasons. While data is king, you want to avoid storing unnecessary personal information as it can lead to much larger issues in the event of a data breach.
DSARs are not a one-time process, so you need to be continuously ready to handle them and modify your workflow as regulations change. Stealthbits’ Data Access Governance solution helps with this automation and answers the most difficult questions you’ll face when managing data, users, security, and regulatory requirements.
Discover Data: StealthAUDIT automatically discovers where data is stored within your organization and classifies it.
Govern Access: StealthAUDIT shows you which users have access to discovered data, and automatically remediates overprovisioned access. Users with too much access can wreak havoc on the structure of your data and increase your data breach attack surface.
Monitor Activity: StealthAUDIT and Stealthbits Activity Monitor track and report user activity with data, and can reveal inappropriate behavior related to the handling of sensitive data. Proactively track down and remediate situations that can lead to exposed data, or that can result in data being stored in unexpected places.
Report Findings: StealthAUDIT provides multiple ways to interact with your collected and analyzed data, including report generation and distribution to the appropriate parties in your organization.
Learn more about how Stealthbits can help with DSARs and Data Access Governance here.
Dan Piazza is a Technical Product Manager at Stealthbits Technologies, responsible for File Systems and Sensitive Data in StealthAUDIT. He has worked in technical roles since 2013, with a passion for cybersecurity, data protection, data storage, and automation. He has a Bachelor’s degree from Bryant University, and outside of tech he enjoys running, tennis, and snowboarding.