Data subject access requests (DSARs) and data subject requests (DSRs) are among the most prominent user-facing aspects of modern privacy regulations
DSARs and DSRs are related terms, sometimes used interchangeably, to describe requests that end-users can make regarding their privacy rights. DSRs refer to users’ requests to access, erase, or correct their data according to the relevant regulation, such as the EU’s General Data Protection Regulation (GDPR). DSARs specifically refer to access requests. In other words, DSRs form an umbrella category that includes DSARs as well as other requests. This article is a guide on best practices for DSARs and DSRs, and it does not constitute legal counsel. For further information on the regulations, we have included links directly to the regulations in this article.
As companies digitize and conduct more international business, it’s becoming more vital than ever to understand and comply with DSAR and DSR requirements all over the world. To achieve privacy compliance in 2021, one of the most important concepts to understand is extraterritorial scope. In short, a regulation takes extraterritorial scope if it can take effect beyond its own territory. For example, GDPR applies to any company that processes EU residents’ personal data, whether or not that company is located in the EU.
This scope now figures into regulations from California’s CCPA to Brazil’s LGPD, not to mention the wave of proposed regulations across the globe. The upshot for companies handling DSARs and DSRs is this: you must be ready to fulfill DSARs and DSRs in accordance with the laws of wherever your users reside.
Thankfully, the major regulations’ requirements for DSARs and DSRs are closely aligned. They are not identical, but if your privacy ops can comply with one regulation’s requirements, global compliance just takes a few more steps.
Here, we compare requirements across GDPR, CCPA, and LGPD, as well as the upcoming CPRA and CDPA.
Modern regulations set strict timelines for companies to fulfill DSARs and DSRs. The timelines range from 15 days under LGPD to 45 days under CCPA, CPRA, and CDPA. GDPR finds itself in the middle with a 30-day requirement. Some exceptions apply, but only in outstanding circumstances.
While CCPA, CPRA, and CDPA grant users two DSARs per company in a 12-month window, LGPD and GDPR have no such restrictions. However, companies can decide to deny a request or charge payment if the request is considered excessive or unreasonable.
Mismanaging DSRs can spell serious reputational and financial trouble. Under GDPR, non-compliant companies can face up to €20 million (over $24 million). Under LGPD, fines can reach 50 million Brazilian real (over $9 million). Under CCPA, CDPA, and CPRA, each individual violation can cost $7,500, especially if the violation involves children’s information.
On the flip side, a user’s seamless DSR experience is one of the most visible, front-facing ways to earn their trust. Here’s how to make sure you cover your bases and comprehensively fulfill DSARs and other types of DSRs.
A “right to access” allows users to request a copy of all the personal data a company holds on them. Access requests, also called DSARs, are codified in GDPR, CCPA, LGPD, CPRA, and CDPA. However, the regulations have different specifications on how to fulfill such a request.
Additionally, fulfilling a DSAR often entails more than just returning a copy of the personal data.
Under GDPR, a company must return the following information to the EU user who made the request:
To fulfill an access request from a Californian user, a company must provide:
Note that GDPR requirements virtually cover all of these CCPA requirements, the final CCPA requirement on categories of data sold or shared with third parties being the lone exception.
Under CCPA, a company only needs to provide the most recent 12 months of such data in fulfilling a DSAR.
While the data retention schedule – how long the company intends to hold on this data – does not appear in the DSAR requirements under CCPA, teams must still document this schedule. Instead of being part of the DSAR requirements, the CCPA demands that this retention information is provided at or before the time of data collection. The same applies under the upcoming CPRA, discussed below.
A Brazilian user’s DSAR must be fulfilled with the following information:
The terms “controller” and “processor” appear throughout the world’s privacy regulations. It’s important to know the distinction because regulations impose specific responsibilities on each party.
Starting in 2023, a Californian user’s DSAR will require companies to provide the following:
In California’s shift from CCPA to CPRA, one of the most notable changes for DSARs is that the 12-month window extends to an indefinite one. That is, once CPRA goes into effect in 2023, any DSAR fulfilled thereafter must provide access to all categories of information from January 1, 2022, onward.
Starting in 2023, a Virginian user’s access request must be fulfilled with the following:
Each regulation’s DSAR requirements are a variation on a global theme, one that the GDPR established. A copy of the personal data, the documented purposes, and the retention schedule covers much of the heavy lifting with any DSAR worldwide. In general, achieving GDPR compliance will cover most – but not all – of your bases with other regulations.
Erasure requests are also featured across GDPR, CCPA, LGPD, CDPA, and CPRA. While the concept of an erasure request is intuitive across regulatory frameworks, it’s not as simple as pressing “delete” in a database. For reasons related to database management as well as business obligations like taxes, an erasure request requires nuance on the company’s part.
As for correction requests, the CCPA does not provide a right to correct inaccurate information. Californians will receive this right when the CPRA takes effect at the start of 2023. The other four regulations provide this right.
Ethyca simplifies DSAR and DSR processes for teams worldwide. Our platform consolidates requests into a single view and inventories data across systems to fulfill requests on schedule and in line with global regulations.
Ethyca announces fundraise, doubles annual revenue with new enterprise clients, and reveals new brand.
Today we’re announcing faster and more powerful Data Privacy and AI Governance support
See new feature releases enhancing user experience, adding new integrations and support for IAB GPP
Learn more about the privacy and data governance enhancements in Fides 2.27 here.
Read Ethyca’s CEO Cillian Kieran describe why and how an open data governance ontology enables companies to comply with data privacy regulations and frameworks.
Ethyca sponsored the Unpacking Privacy Engineering for Lawyers webinar for the Interactive Advertising Bureau (IAB) on December 14, 2023. Our CEO Cillian Kieran moderated the event and ran a practical discussion about how lawyers and engineers can work together to solve the technical challenges of privacy compliance. Read a summary of the webinar here.
Our team of data privacy devotees would love to show you how Ethyca helps engineers deploy CCPA, GDPR, and LGPD privacy compliance deep into business systems. Let’s chat!
Speak with UsStay informed with the latest in privacy compliance. Get expert insights, updates on evolving regulations, and tips on automating data protection with Ethyca’s trusted solutions.