Five Common DSAR Myths

Data subject requests (DSRs) are inquiries made to a company about the information it has collected and used. Only the data subject can make these requests.

For example, if a customer provides personal information to a business, they can later demand to know what data was collected, where it was stored, and how it was used. They can even demand the removal of this data (right to erasure). Employees also often use DSARs (data subject access requests) for tactical objectives in their disputes with employers.

This data privacy law was introduced under GDPR and several others, like Privacy by Design. The motive behind this is simple: increased security and protection of consumer data.

However, although it has been in effect since 2018, some confusion and misconceptions remain. So, in today’s post, let’s debunk five common DSAR myths!

1.  There Needs to Be a Formal Procedure for DSAR.

GDPR doesn’t specify any formal procedure or requirements for the data subject request to be made. A person can make the request directly to the company. There is no need for documentation or investigations.

It also doesn’t matter if the person has submitted the request to a random staff member of the company. It’s not the data subject’s responsibility to find the relevant authorities to make the request (though in most cases, people do it). 

The only thing that matters is that the customer or stakeholder has requested data access. It’s their right, so the business must respond immediately.

2.  Written Requests Are Mandatory.

Many businesses try to regulate and streamline the DSAR procedure through written requests. But this does not mean they are mandatory.

No person is legally bound to produce a written document to ensure the validity of a data access request. It can be made verbally at any time. Your customer or employee can even make it over the phone!

However, when this happens, it’s best for the company to record the details somewhere. This will serve as your evidence of request processing and completion.

3.  A Valid Proof of ID Is Required Before Processing Information.

This myth is very similar to the previous ones.

Since DSARs are spontaneous and random, all businesses have been struggling to respond to them in the best way possible. A few businesses created online forms, whereas some set requirements like valid ID cards. But none of this is necessary.

If you haven’t communicated and mutually agreed with your stakeholders about a specific DSAR procedure, you can’t demand anything as a condition of processing a request.

That said, you can impose this restriction if there’s serious doubt about the individual’s identity, or when a lot of sensitive data is being shared with the data subject.

4.  You Only Have One Month to Fulfill the Request.

GDPR requires you to respond to a data subject request as soon as possible. The maximum time allowed to complete the request is 1 month. But there are exceptions.

In some cases, obtaining the information is technically complex. The data may have been archived and may require specialist work. Similarly, at times, the disclosure of sensitive data triggers other issues and needs legal advice.

Both of these cases demand time, so the deadline to fulfill a DSAR can be extended to 3 months. However, the business must communicate this extension to the data subject.

5.  All Data Must Be Provided.

This is not true at all. As a business, you are only obliged to provide access and disclosure to information that is relevant to the data subject. You should let them have their personal information.

There’s no requirement to share data regarding business or other sensitive matters. This applies even when the subject’s information was stored in the same place as others.