
Global Comparison Of DSARs And Data Subject Requests

Data subject access requests (DSARs) and data subject requests (DSRs) are among the most prominent user-facing aspects of modern privacy regulations.

Defining DSARs and DSRs

DSARs and DSRs are related terms, sometimes used interchangeably, to describe requests that end-users can make regarding their privacy rights. DSRs refer to users’ requests to access, erase, or correct their data according to the relevant regulation, such as the EU’s General Data Protection Regulation (GDPR). DSARs specifically refer to access requests. In other words, DSRs form an umbrella category that includes DSARs as well as other requests. This article is a guide on best practices for DSARs and DSRs, and it does not constitute legal counsel. For further information on the regulations, we have included links directly to the regulations in this article.

DSARs and DSRs on the Global Stage

As companies digitize and conduct more international business, it’s becoming more vital than ever to understand and comply with DSAR and DSR requirements all over the world. To achieve privacy compliance in 2021, one of the most important concepts to understand is extraterritorial scope. In short, a regulation takes extraterritorial scope if it can take effect beyond its own territory. For example, GDPR applies to any company that processes EU residents’ personal data, whether or not that company is located in the EU.

This scope now figures into regulations from California’s CCPA to Brazil’s LGPD, not to mention the wave of proposed regulations across the globe. The upshot for companies handling DSARs and DSRs is this: you must be ready to fulfill DSARs and DSRs in accordance with the laws of wherever your users reside.

Thankfully, the major regulations’ requirements for DSARs and DSRs are closely aligned. They are not identical, but if your privacy ops can comply with one regulation’s requirements, global compliance just takes a few more steps.

Here, we compare requirements across GDPR, CCPA, and LGPD, as well as the upcoming CPRA and CDPA.

Timelines, Costs, and Fines

Modern regulations set strict timelines for companies to fulfill DSARs and DSRs. The timelines range from 15 days under LGPD to 45 days under CCPA, CPRA, and CDPA. GDPR sits in the middle with a 30-day requirement. Some exceptions apply, but only in exceptional circumstances.

While CCPA, CPRA, and CDPA grant users two DSARs per company in a 12-month window, LGPD and GDPR have no such restrictions. However, companies can decide to deny a request or charge payment if the request is considered excessive or unreasonable.

Mismanaging DSRs can spell serious reputational and financial trouble. Under GDPR, non-compliant companies can face up to €20 million (over $24 million). Under LGPD, fines can reach 50 million Brazilian real (over $9 million). Under CCPA, CDPA, and CPRA, each individual violation can cost $7,500, especially if the violation involves children’s information.

On the flip side, a user’s seamless DSR experience is one of the most visible, front-facing ways to earn their trust. Here’s how to make sure you cover your bases and comprehensively fulfill DSARs and other types of DSRs.

Your Global Guide to DSARs

A “right to access” allows users to request a copy of all the personal data a company holds on them. Access requests, also called DSARs, are codified in GDPR, CCPA, LGPD, CPRA, and CDPA. However, the regulations have different specifications on how to fulfill such a request.

Additionally, fulfilling a DSAR often entails more than just returning a copy of the personal data.

DSARs Under GDPR

Under GDPR, a company must return the following information to the EU user who made the request:

  • A copy of the user’s personal data in the company’s data systems
  • The documented purposes for collecting and processing this data (e.g. Customer Service)
  • The categories of personal data collected (e.g. Address)
  • The recipients or categories of recipient that this data is disclosed to (e.g. company-internal recipients)
  • How long the company expects to store this data
  • An affirmation of the user’s other GDPR rights, including the rights to correct, erase, restrict, and object to processing
  • The user’s right to file a complaint with the appropriate GDPR supervisory authority
  • Information on where the company gathered this data, if not directly from the user
  • An indication of whether the company used automated decision-making on this data and if so, a basic description of the logic involved and any consequences of that decision-making for the user

DSARs Under CCPA

To fulfill an access request from a Californian user, a company must provide:

  • A copy of the user’s personal data in the company’s data systems
  • The categories of personal data collected
  • The categories of sources where the company collected this data
  • The documented purposes for collecting and processing this data
  • The categories of third-party recipient that this data is disclosed to (e.g. credit agencies)
  • The categories of data that the company sells or shares with third parties

Note that the GDPR requirements cover virtually all of these CCPA requirements; the final CCPA requirement, on categories of data sold or shared with third parties, is the lone exception.

Under CCPA, a company only needs to provide the most recent 12 months of such data in fulfilling a DSAR.

While the data retention schedule – how long the company intends to hold on to this data – does not appear in the DSAR requirements under CCPA, teams must still document this schedule. Instead of being part of the DSAR requirements, the CCPA demands that this retention information be provided at or before the time of data collection. The same applies under the upcoming CPRA, discussed below.

DSARs Under LGPD

A Brazilian user’s DSAR must be fulfilled with the following information:

  • A copy of the user’s personal data in the company’s data systems
  • The documented purposes for collecting and processing this data
  • How long the company expects to store this data
  • The identity and contact information of the controller (the company)
  • Description of any shared use of this data and the purpose of such sharing
  • Duties of the controller and any processors involved
  • A statement of the user’s data rights under the LGPD

The terms “controller” and “processor” appear throughout the world’s privacy regulations. It’s important to know the distinction because regulations impose specific responsibilities on each party.

DSARs Under CPRA

Starting in 2023, a Californian user’s DSAR will require companies to provide the following:

  • A copy of the user’s personal data in the company’s data systems
  • The categories of personal data collected
  • The categories of sources that provided this data
  • The documented purposes for collecting and processing this data
  • The categories of third parties that this information is disclosed to

In California’s shift from CCPA to CPRA, one of the most notable changes for DSARs is that the 12-month window extends to an indefinite one. That is, once CPRA goes into effect in 2023, any DSAR fulfilled thereafter must provide access to all categories of information from January 1, 2022, onward.

DSARs Under CDPA

Starting in 2023, a Virginian user’s access request must be fulfilled with the following:

  • A copy of the user’s personal data in the company’s data systems
  • The categories of personal data collected
  • The documented purposes for collecting and processing this data
  • A statement of the user’s data rights under the CDPA
  • The categories of data that the company sells or shares with third parties
  • The categories of third-party recipient that this data is disclosed to

Summary of Global DSAR Compliance

Each regulation’s DSAR requirements are a variation on a global theme, one that the GDPR established. A copy of the personal data, the documented purposes, and the retention schedule cover much of the heavy lifting with any DSAR worldwide. In general, achieving GDPR compliance will cover most – but not all – of your bases with other regulations.

Erasure and Correction Requests

Erasure requests are also featured across GDPR, CCPA, LGPD, CDPA, and CPRA. While the concept of an erasure request is intuitive across regulatory frameworks, it’s not as simple as pressing “delete” in a database. For reasons related to database management as well as business obligations like taxes, an erasure request requires nuance on the company’s part.

As for correction requests, the CCPA does not provide a right to correct inaccurate information. Californians will receive this right when the CPRA takes effect at the start of 2023. The other four regulations provide this right.

Syncing DSAR and DSR Requirements

Ethyca simplifies DSAR and DSR processes for teams worldwide. Our platform consolidates requests into a single view and inventories data across systems to fulfill requests on schedule and in line with global regulations.

Ready to get started?

Our team of data privacy devotees would love to show you how Ethyca helps engineers deploy CCPA, GDPR, and LGPD privacy compliance deep into business systems. Let’s chat!
