In the age of data-driven decision-making, our personal data is scattered across countless organizations. But did you know that as an individual, you have the right to ask these organizations what data they hold about you? This is called a Data Subject Access Request (DSAR). For companies, handling such requests is a critical part of compliance. In this blog, we’ll break down DSARs in simple terms, guide companies on how to handle them, and empower users to exercise their rights effectively.
What is a DSAR?
A Data Subject Access Request (DSAR) allows individuals (data subjects) to ask organizations (data controllers) to provide information about their personal data. Under India’s Digital Personal Data Protection Act (DPDPA) and global laws like the GDPR, this includes:
- What personal data is collected
- Why it’s being processed
- Who it is shared with
- Copies of the data
- Retention period and security practices
In short, it’s your way of taking control of your digital footprint.
For Companies: Practical Steps to Handle DSARs
Handling DSARs isn’t just a legal checkbox; it reflects your commitment to privacy. Here’s a practical, step-by-step guide:
1. Acknowledge the Request Promptly
- Timeline: Organizations must reply without delay and respond within a reasonable time.
- Best Practice: Send an acknowledgment email confirming receipt and the expected timeline.
2. Verify the Identity of the Requestor
Before sharing any personal data, confirm the requestor’s identity to avoid data leaks.
- Ask for identification documents (e.g., Aadhaar, passport).
- Set clear rules on what verification is acceptable.
3. Understand the Scope of the Request
- Clarify if the user wants all data or specific categories.
- If the request is vague, seek clarification to avoid unnecessary work.
4. Locate the Data
This step can be challenging if data is scattered across systems. Use:
- Data inventories to map personal data.
- Data discovery tools to automate search.
5. Review and Redact
- Check for third-party data intertwined with the subject’s data.
- Redact information that could infringe others’ rights or is exempted under law (e.g., legal privilege).
6. Deliver the Response Securely
- Provide data in a readable electronic format.
- Use secure channels (encrypted email or secure portals).
7. Document the Process
- Maintain a DSAR log: date of request, actions taken, and response.
- This helps demonstrate compliance during audits.
Challenges Companies Face (and How to Overcome Them)
- Scattered Data: Centralise data management to avoid frantic searches.
- Excessive Requests: If requests are repetitive or burdensome, check if they are ‘manifestly unfounded’ under the law before refusing.
- Short Deadlines: Assign a DSAR response team to handle requests smoothly.
For Users: How to Make a DSAR
As a user, knowing how to exercise your rights is empowering. Here’s how you can request your data:
1. Identify the Right Organisation
Send your request to the Data Protection Officer (DPO) or any other point of contact of the company.
2. Draft a Clear Request
Include:
- Your full name and contact details.
- The data you want to access (be specific if possible).
- Proof of identity (as per company requirements).
Sample Line:
“I am requesting access to my personal data as per my rights under the Digital Personal Data Protection Act, 2023.”
3. Keep Records
Maintain a copy of your request and any acknowledgment emails.
4. Know Your Timelines
Companies must respond within 30 days in India. If they don’t, you can escalate to the Data Protection Board of India (DPBI).
Key Takeaways for Companies and Users
For Companies:
- Build a DSAR SOP (Standard Operating Procedure).
- Train staff to handle requests politely and lawfully.
- Invest in tools to streamline DSAR processing.
For Users:
- Know your data rights.
- Don’t hesitate to ask organisations for your data.
- Escalate if your request is ignored.
Conclusion
DSARs are not just a regulatory requirement; they represent the balance of power between individuals and organisations in the digital age. For companies, handling them well builds trust and demonstrates accountability. For users, they’re a powerful tool to take control of your personal information.
References
1. Digital Personal Data Protection Act, 2023
2. India’s Data Sharing Agreement: https://secureprivacy.ai/blog/india-dpdp-act-data-sharing-agreements
3. What is Data Subject Access Request (DSAR): https://dataprivacymanager.net/what-is-data-subject-access-request-dsar/
4. DSAR for GDPR Compliance: https://www.datagrail.io/glossary/data-subject-access-request-dsar/
5. What is Data Subject Access Request Complete Guide: https://securiti.ai/blog/dsar-rights-and-compliance/