Data subject access requests (DSARs) and data subject requests (DSRs) are among the most prominent user-facing aspects of modern privacy regulations.
DSARs and DSRs are related terms, sometimes used interchangeably, to describe requests that end-users can make regarding their privacy rights. DSRs refer to users’ requests to access, erase, or correct their data according to the relevant regulation, such as the EU’s General Data Protection Regulation (GDPR). DSARs specifically refer to access requests. In other words, DSRs form an umbrella category that includes DSARs as well as other requests. This article is a guide on best practices for DSARs and DSRs, and it does not constitute legal counsel. For further information on the regulations, we have included links directly to the regulations in this article.
As companies digitize and conduct more international business, it’s becoming more vital than ever to understand and comply with DSAR and DSR requirements all over the world. To achieve privacy compliance in 2021, one of the most important concepts to understand is extraterritorial scope. In short, a regulation has extraterritorial scope if it can take effect beyond its own territory. For example, GDPR applies to any company that processes EU residents’ personal data, whether or not that company is located in the EU.
This scope now figures into regulations from California’s CCPA to Brazil’s LGPD, not to mention the wave of proposed regulations across the globe. The upshot for companies handling DSARs and DSRs is this: you must be ready to fulfill DSARs and DSRs in accordance with the laws of wherever your users reside.
Thankfully, the major regulations’ requirements for DSARs and DSRs are closely aligned. They are not identical, but if your privacy ops can comply with one regulation’s requirements, global compliance just takes a few more steps.
Modern regulations set strict timelines for companies to fulfill DSARs and DSRs. The timelines range from 15 days under LGPD to 45 days under CCPA, CPRA, and CDPA. GDPR finds itself in the middle with a 30-day requirement. Some exceptions apply, but only in exceptional circumstances.
While CCPA, CPRA, and CDPA grant users two DSARs per company in a 12-month window, LGPD and GDPR have no such restrictions. However, companies can decide to deny a request or charge payment if the request is considered excessive or unreasonable.
Mismanaging DSRs can spell serious reputational and financial trouble. Under GDPR, non-compliant companies can face fines of up to €20 million (over $24 million). Under LGPD, fines can reach 50 million Brazilian real (over $9 million). Under CCPA, CDPA, and CPRA, each individual violation can cost $7,500, especially if the violation involves children’s information.
On the flip side, a user’s seamless DSR experience is one of the most visible, front-facing ways to earn their trust. Here’s how to make sure you cover your bases and comprehensively fulfill DSARs and other types of DSRs.
A “right to access” allows users to request a copy of all the personal data a company holds on them. Access requests, also called DSARs, are codified in GDPR, CCPA, LGPD, CPRA, and CDPA. However, the regulations have different specifications on how to fulfill such a request.
Additionally, fulfilling a DSAR often entails more than just returning a copy of the personal data.
Under GDPR, a company must return the following information to the EU user who made the request:
To fulfill an access request from a Californian user, a company must provide:
Note that GDPR requirements cover virtually all of these CCPA requirements, the final CCPA requirement on categories of data sold or shared with third parties being the lone exception.
Under CCPA, a company only needs to provide the most recent 12 months of such data in fulfilling a DSAR.
While the data retention schedule – how long the company intends to hold on to this data – does not appear in the DSAR requirements under CCPA, teams must still document this schedule. Instead of being part of the DSAR requirements, the CCPA demands that this retention information is provided at or before the time of data collection. The same applies under the upcoming CPRA, discussed below.
A Brazilian user’s DSAR must be fulfilled with the following information:
The terms “controller” and “processor” appear throughout the world’s privacy regulations. It’s important to know the distinction because regulations impose specific responsibilities on each party.
Starting in 2023, a Californian user’s DSAR will require companies to provide the following:
In California’s shift from CCPA to CPRA, one of the most notable changes for DSARs is that the 12-month window extends to an indefinite one. That is, once CPRA goes into effect in 2023, any DSAR fulfilled thereafter must provide access to all categories of information from January 1, 2022, onward.
Starting in 2023, a Virginian user’s access request must be fulfilled with the following:
Each regulation’s DSAR requirements are a variation on a global theme, one that the GDPR established. A copy of the personal data, the documented purposes, and the retention schedule covers much of the heavy lifting with any DSAR worldwide. In general, achieving GDPR compliance will cover most – but not all – of your bases with other regulations.
Erasure requests are also featured across GDPR, CCPA, LGPD, CDPA, and CPRA. While the concept of an erasure request is intuitive across regulatory frameworks, it’s not as simple as pressing “delete” in a database. For reasons related to database management as well as business obligations like taxes, an erasure request requires nuance on the company’s part.
As for correction requests, the CCPA does not provide a right to correct inaccurate information. Californians will receive this right when the CPRA takes effect at the start of 2023. The other four regulations provide this right.
Ethyca simplifies DSAR and DSR processes for teams worldwide. Our platform consolidates requests into a single view and inventories data across systems to fulfill requests on schedule and in line with global regulations.