Data subject access requests (DSARs) and data subject requests (DSRs) are among the most prominent user-facing aspects of modern privacy regulations.
DSARs and DSRs are related terms, sometimes used interchangeably, to describe requests that end-users can make regarding their privacy rights. DSRs refer to users’ requests to access, erase, or correct their data according to the relevant regulation, such as the EU’s General Data Protection Regulation (GDPR). DSARs specifically refer to access requests. In other words, DSRs form an umbrella category that includes DSARs as well as other requests. This article is a guide on best practices for DSARs and DSRs, and it does not constitute legal counsel. For further information on the regulations, we have included links directly to the regulations in this article.
As companies digitize and conduct more international business, it’s becoming more vital than ever to understand and comply with DSAR and DSR requirements all over the world. To achieve privacy compliance in 2021, one of the most important concepts to understand is extraterritorial scope. In short, a regulation has extraterritorial scope if it can take effect beyond its own territory. For example, GDPR applies to any company that processes EU residents’ personal data, whether or not that company is located in the EU.
This scope now figures into regulations from California’s CCPA to Brazil’s LGPD, not to mention the wave of proposed regulations across the globe. The upshot for companies handling DSARs and DSRs is this: you must be ready to fulfill DSARs and DSRs in accordance with the laws of wherever your users reside.
Thankfully, the major regulations’ requirements for DSARs and DSRs are closely aligned. They are not identical, but if your privacy ops can comply with one regulation’s requirements, global compliance just takes a few more steps.
Modern regulations set strict timelines for companies to fulfill DSARs and DSRs. The timelines range from 15 days under LGPD to 45 days under CCPA, CPRA, and CDPA. GDPR finds itself in the middle with a 30-day requirement. Some exceptions apply, but only in extraordinary circumstances.
While CCPA, CPRA, and CDPA grant users two DSARs per company in a 12-month window, LGPD and GDPR have no such restrictions. However, companies can decide to deny a request or charge payment if the request is considered excessive or unreasonable.
Mismanaging DSRs can spell serious reputational and financial trouble. Under GDPR, non-compliant companies can face fines of up to €20 million (over $24 million). Under LGPD, fines can reach 50 million Brazilian reais (over $9 million). Under CCPA, CDPA, and CPRA, each individual violation can cost $7,500, especially if the violation involves children’s information.
On the flip side, a user’s seamless DSR experience is one of the most visible, front-facing ways to earn their trust. Here’s how to make sure you cover your bases and comprehensively fulfill DSARs and other types of DSRs.
A “right to access” allows users to request a copy of all the personal data a company holds on them. Access requests, also called DSARs, are codified in GDPR, CCPA, LGPD, CPRA, and CDPA. However, the regulations have different specifications on how to fulfill such a request.
Additionally, fulfilling a DSAR often entails more than just returning a copy of the personal data.
Under GDPR, a company must return the following information to the EU user who made the request:
To fulfill an access request from a Californian user, a company must provide:
Note that GDPR requirements virtually cover all of these CCPA requirements, the final CCPA requirement on categories of data sold or shared with third parties being the lone exception.
Under CCPA, a company only needs to provide the most recent 12 months of such data in fulfilling a DSAR.
While the data retention schedule – how long the company intends to hold on to this data – does not appear in the DSAR requirements under CCPA, teams must still document this schedule. Instead of being part of the DSAR requirements, the CCPA demands that this retention information be provided at or before the time of data collection. The same applies under the upcoming CPRA, discussed below.
A Brazilian user’s DSAR must be fulfilled with the following information:
The terms “controller” and “processor” appear throughout the world’s privacy regulations. It’s important to know the distinction because regulations impose specific responsibilities on each party.
Starting in 2023, a Californian user’s DSAR will require companies to provide the following:
In California’s shift from CCPA to CPRA, one of the most notable changes for DSARs is that the 12-month window extends to an indefinite one. That is, once CPRA goes into effect in 2023, any DSAR fulfilled thereafter must provide access to all categories of information from January 1, 2022, onward.
Starting in 2023, a Virginian user’s access request must be fulfilled with the following:
Each regulation’s DSAR requirements are a variation on a global theme, one that the GDPR established. A copy of the personal data, the documented purposes, and the retention schedule covers much of the heavy lifting with any DSAR worldwide. In general, achieving GDPR compliance will cover most – but not all – of your bases with other regulations.
Erasure requests are also featured across GDPR, CCPA, LGPD, CDPA, and CPRA. While the concept of an erasure request is intuitive across regulatory frameworks, it’s not as simple as pressing “delete” in a database. For reasons related to database management as well as business obligations like taxes, an erasure request requires nuance on the company’s part.
As for correction requests, the CCPA does not provide a right to correct inaccurate information. Californians will receive this right when the CPRA takes effect at the start of 2023. The other four regulations provide this right.
Ethyca simplifies DSAR and DSR processes for teams worldwide. Our platform consolidates requests into a single view and inventories data across systems to fulfill requests on schedule and in line with global regulations.