How to Deal with CPRA Data Subject Access Requests (DSARs)

Yet, many organizations aren’t equipped to handle DSARs cost-efficiently. Manually performing the workflows costs around US$1,400 per request—which can add up quickly. Here’s how to shorten response time and lower operating costs.

What Are CPRA Data Subject Access Requests?

A DSAR is a request made by an individual about the data that an organization collects and stores on them. Customers, users, employees, prospects, contractors, job candidates, etc., can all make a DSAR. The organization must respond within 45 days to avoid potential fines and penalties.

Struggling with consent management and compliance? CHEQ can help. Schedule a demo today.

The individual can request the organization to disclose the categories and specific pieces of personal information it has collected, the data sources, the business or commercial purpose for collecting the information, and the third parties with which the data is shared.

Organizations must follow these steps to respond to a DSAR include:

1. Verify the requester’s identity to determine if they have information on the individual and whether to provide access to the data.
2. Understand the nature of the request (e.g., to see the data the organization has collected or correct the information) to see if they can fulfill it within the 45-day timeframe.
3. Review and approve the data to be shared with the requester to ensure that it only contains their information.
4. Deliver the information via secure channels.

Best Practices For Handling Data Subject Access Requests

Follow these best practices to reduce cost and improve response time when processing DSARs:

Conduct a Data Mapping Exercise

To retrieve subject data efficiently, you need to know what you’re storing, where you’re keeping it, and why the information is stored. Start with business units that handle a lot of personal data, such as HR, sales and marketing, finance, legal, etc., and analyze where they capture personal information.

Then, decide if you have legal bases or business value for processing and storing the data. Getting rid of information you don’t need can help you streamline future DSAR processes to save time, money, and often legal headaches.

Filter and Redact Unstructured Data

Structured data stored in a database is relatively easy to search and sort. However, it can be tricky to locate and filter unstructured data, such as information buried in email, chat messages, etc., and redact content that contains personal data.

Understand the context and interpret the requests to frame the search’s scope so you can effectively identify what information to redact. Also, use technologies to assist with the redaction process to improve cost-efficiency.

Streamline the Identity Verification Process

Be reasonable and proportionate about the amount of information you ask to verify the requester’s identity. Don’t request more information than necessary, especially if the person’s identity is apparent because of an ongoing relationship with your business (e.g., an employee.)

You can also verify the data subject’s identity with existing authentication methods, such as username and password or a one-time email confirmation link. Not reinventing the wheel can help you streamline workflows and reduce the response time.

Implement an Efficient Workflow

The DSAR workflow should be an integral part of your consent management system so you can use automation technologies to handle these requests at scale. Use software to route DSARs through the appropriate departments to avoid bottlenecks that can delay the process.

Assign roles and responsibilities for each step within the workflow to ensure proper oversight. Stakeholders should receive regular training (e.g., at least once a year) to learn new best practices and stay current with any changes in the regulations.

Respond to DSARs Cost-efficiently With a Robust Consent Management Platform

A robust content management platform (CMP) gives you the foundation to handle DSARs cost-effectively. CHEQ Privacy and Compliance Enforcement goes beyond a basic CMP to deliver advanced functionalities that can help you comply with fast-changing privacy laws and industry regulations without sacrificing the customer experience.

Learn more about CHEQ Privacy Compliance Enforcement and request a demo to see how we can help you streamline your consent management workflow.