Data Subject Access Requests: What They Are and How to Respond to Them

[Cloud Compliance, Advanced, 9 minute read, Governance Risk and Compliance]

Enterprise IT is currently facing a practically endless cycle of data privacy challenges in the wake of new data protection laws, such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). One challenge that is proving particularly problematic is how to deal with data subject access requests (DSARs).

As a data controller, DPO, or CPO, you'll need to understand the more detailed, more explicit and more enhanced legal rights of citizens to access the personal data you hold about them. And, in an era of complex cloud-based infrastructure and unstructured storage systems, your IT teams will also need to establish a quick, efficient and foolproof method of retrieving their information.

This post answers many of the questions data privacy professionals will have about data subject access requests. It explains the key requirements for handling requests, technical challenges to meeting them and potential consequences of failing to meet statutory DSAR obligations. We’ll also see how NetApp Cloud Compliance can help automatically respond to DSARs quickly and accurately.

First let's take a closer look at what a DSAR actually is.

What Is a DSAR?

A data subject access request (DSAR) is a request from a member of the public for a copy of the information you hold about them. The right to make data subject access requests is a core feature of new privacy laws, as it is fundamental to transparency, helping individuals to understand how and why you are using their personal data.

Under the GDPR, a data subject is free to choose how they make a request, either verbally or in writing, as the law provides only general detail in relation to methods for submitting a DSAR. Requests made following the dictates of the CCPA, on the other hand, are more specific. With CCPA you must offer at least two ways of submitting a request—one of which should be a toll-free telephone number.

In both cases, CCPA and GDPR, data subject access request responses should cover the data subject's rights in your privacy policy, clearly explaining how they can make a request. In addition to their right to access, individuals can also request you delete their personal data or change it if it's incorrect.

DSAR Responses

First, you must have a procedure in place to verify the identity of any individual making a request. You should also explain your identification methods in the right-to-access section of your privacy policy.

Secondly, you should be prepared for cases where a third party makes a request on behalf of an individual, such as a child or someone with learning difficulties, as these may require special attention in order to maintain the legal rights of the data subject. Special rules may also apply in other circumstances, such as where meeting a request would involve disclosing information about another individual.

In addition, you'll need an effective mechanism for processing a valid request. For example, it should include a system for recording the details of the DSAR and a chain of responsibility for handling it.

When you provide the information the data subject has requested, it should be concise, transparent and in clear and simple language.

Full requirements for the contents of your response vary between different regulatory frameworks. For example, a GDPR-compliant response must include details of your data retention period, whereas these aren't required by the CCPA.

However, in most cases, you'd be expected to include the following:

  • A copy of the personal data you process.
  • The reason for processing it.
  • Details of any third parties involved in processing the data, including any safeguards to protect it.
  • The source of the data, where not collected directly from the individual.

Much of this detail helps to reinforce the same information you already publish in your privacy policy.

Time Limits for Responses

You must respond to a DSAR without undue delay and within strict legal time limits.

Under normal circumstances, you need to provide the requested information within one month or 45 days to comply with the GDPR or CCPA respectively.

Both laws allow you to extend this period if you have reasonable grounds to do so—typically where meeting a request is a complex undertaking.

Administration Fees

Your organization should NOT charge individuals for fulfilling a DSAR. But, broadly speaking, you are permitted to charge a fee if the same person asks for further copies or makes unreasonable requests.

In such a case, your charge should be reasonable and in line with the administrative cost of handling the request.

Declining a Request

You can decline a DSAR if, for example, you process personal data for the purpose of law enforcement or safeguarding national security.

You may also be able to do so in exceptional circumstances, for instance where a data subject makes repeated requests in a clear and deliberate attempt to cause disruption.

Challenges to Fulfilling DSARs

Provided your IT infrastructure is relatively simple and you collect only a limited amount of personal data about each individual, the process of meeting a DSAR should be fairly straightforward. But, in a large-scale enterprise setting, this can be an altogether different challenge.

Enterprise data storage is often distributed across a multitude of live, backup, archival and big data systems in different public cloud and on-premises environments. This makes it especially difficult to determine exactly what information you're storing about a particular individual. Moreover, the complex array of different storage addressing systems and data formats makes it equally difficult to quickly and efficiently retrieve it.

Visibility and Control

Good data inventory management is fundamental to maintaining visibility and control over your data, ensuring you have a clear picture of what information you store about your data subjects. In other words, a full inventory of all your data will help ensure the information you provide to an individual is complete—covering all the data you have collected about them.

At the same time, you should map the flow of data through your applications. That way, you'll have complete insight into how you process information about individuals, helping to provide accurate DSAR responses about why and how you use their data.

Long-Term Archival Storage

Information archived to outmoded tape storage systems may present challenges to serving DSARs under new data privacy laws. In view of potential delays in retrieval, data controllers should consider moving archival data to alternative systems, such as low-cost cloud-based cold storage.

Cloud-Based Productivity Tools

Organizations are increasingly using cloud-based productivity tools and file-sharing services, such as Office 365, Google Drive and Evernote, to store personal information about data subjects.

This could be everyday personally identifiable information (PII), such as names and addresses, or financial details, such as mortgage documentation and copies of bank statements—stored in text-based formats, such as MS Word, MS Excel and Adobe PDF. This form of shadow IT could prove particularly challenging to meeting DSARs, as data is stored outside the confines of traditional enterprise applications and database management systems.

With no easy way of keeping track of such data, you may need to implement some form of stewardship over the use of these applications so you can locate information more effectively whenever an individual requests it.

However, this could prove impractical for organizations that use an unmanageable number of different tools. So, to address the problem, you'll need to leverage new types of technology that can identify, understand and retrieve personal data regardless of where or how it's stored.

Penalties for Non-Compliance

Under the GDPR, breaches of data subject rights are subject to fines of up to €20 million or 4% of annual global turnover—where each fine is decided on a case-by-case basis.

CCPA fines are also significant. The state of California has the power to impose fines of up to $7,500 for an intentional violation of the CCPA. However, the law has only recently come into force, so it may take several months before the Attorney General issues any penalties for DSAR infringements.

Moreover, not every contravention will necessarily lead to a fine.

For example, a regulatory authority may decide a warning is sufficient or, more seriously, impose a ban on data processing activity. And, in the case of the CCPA, you'll be given 30 days to put things right first—although it's not yet clear how this cure period will be interpreted in relation to DSARs.

But, whatever the financial penalties, the cost of non-compliance is likely to be considerably higher in terms of reputational damage and the resulting loss of business.

List of GDPR Fines for DSAR Infringements
Source: GDPR Enforcement Tracker

| Authority | Date | Fine (€) | Controller/Processor | Summary |
|---|---|---|---|---|
| Belgian Data Protection Authority (APD) | 2019-12-17 | 2,000 | Nursing Care Organization | The company failed to act on requests from the data subject to get access to his data and to have his data erased. |
| Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-11-29 | 2,500 | Royal President S.R.L. | Royal President refused a request for access to personal data and disclosed personal data without the consent of the data subjects. |
| Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-11-18 | 90 | Hospital | A patient's right to access data was violated and a copying fee was unlawfully charged. |
| Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-04-05 | 1,900 | Unknown | The data controller did not fulfil the data subject's access request. |
| Bulgarian Commission for Personal Data Protection (KZLD) | 2019-02-22 | 500 | Employer | An employee sent a request to his employer for access to personal data concerning him. The request was not answered in time and not in a complete way. |
| Portuguese Data Protection Authority (CNPD) | 2019-02-05 | 20,000 | Unknown | Denial of the right to access recorded phone calls by the data subject. |
| Cyprian Data Protection Commissioner | 2019 | 5,000 | State Hospital | A patient request for access to her medical file was not satisfied by the hospital because the dossier could not be identified/located. |

Stress-Free DSAR Compliance

Enterprises store and process personal data across a diverse range of information systems serving a multitude of different business functions. This can bring significant complexity to serving a DSAR, requiring a coordinated effort across a number of different departments or business units.

But new technologies can reduce the burden of locating and retrieving the information you store about data subjects—through AI capabilities that can recognize and interpret personal data in any type of storage environment. One such technology from NetApp is Cloud Compliance.

Cloud Compliance helps make it easy to fulfill your data subject access requests by automatically mapping and reporting on the sensitive private data you store in the cloud using Azure NetApp Files, Cloud Volumes ONTAP, or Amazon S3 buckets. This AI-driven technology not only streamlines the process of fulfilling requests, saving your business precious time and money, it can also provide a complete picture of all the data you store about an individual.

But, above all, it makes the task of meeting requests incredibly simple, so you don't have to worry about meeting your DSAR compliance obligations. If you’re storing unstructured data in a repository such as Amazon S3, this kind of automatic data identification will eliminate the pressure of this important compliance requirement.

Try out Cloud Compliance now for Amazon S3 or your NetApp cloud volumes here.