A term popularized by the EU’s General Data Protection Regulation (GDPR), a Data Subject Access Request, also known as a DSAR, is an individual’s right to request information on personally identifiable information (PII) an organization has gathered about them, how that organization is using that data, and who that data has been shared with. PII includes names, social security numbers, phone numbers, behavioral data, and more; pretty much anything that can be used to identify a specific individual.
For companies that fall under GDPR, as well as similar regulations like the California Consumer Protection Act (CCPA), DSARs are not optional and will result in fines if ignored or not responded to within a certain period (ex. 45-days, 60-days, etc). This makes knowledge of DSARs and how to react to them essential for any organization that falls under regulations that include them.
To make this easier, let’s outline the steps that will prepare an organization to receive DSARs and respond to them.
While the steps outlined here are good preparation for any DSAR request, it’s important to know which data privacy regulations apply to your organization. This will allow you to understand the exact responsibilities expected during the DSAR process.
Data privacy regulations that require a DSAR workflow include the following, although this list will grow as data privacy regulations expand and become the norm.
Gartner has predicted that “by 2022, half of the planet’s population will have its personal information covered under local privacy regulations in line with the General Data Protection Regulation (GDPR), up from one-tenth today”. So even organizations that don’t fall under specific data privacy regulations should start preparing.
This is typically done via an online form or email but can be by other means depending on the specific regulation. For most organizations with an online presence, an online form will be the easiest method and most secure when implemented properly. This allows companies to encrypt data in transmission, require certain form fields, and associate requesters with existing website accounts.
It’s also important to note that DSARs aren’t always just consumer requests for copies of their data. DSARs can include consumer requests for:
With all these different variations of a DSAR, having an automated intake process will help get the request to the proper channel within your organization, as well as narrow down the scope of the request and potential response.
This is typically a Data Protection Officer (DPO) but depending on your specific regulation it may be another member of your organization. This person receives DSARs and ensures they’re responded to in a timely manner.
There are also scenarios in which a DSAR may be denied, although it’s uncommon. It will be up to your point person to determine when to handle the situation this way per your specific regulation.
Ultimately you need to make sure someone is seeing incoming DSARs and responding to them, and that this person has a backup in case they’re on vacation, sick, or otherwise unavailable. If DSARs pile up without a reply, then the fines can add up quickly.
Whether the requester wants to see their personal information, have it deleted, or move it somewhere else, you’ll need to have a workflow in place for tracking down all relevant data.
This is easily the most difficult part of responding to a DSAR, and if your organization doesn’t have a form of data discovery and audit software in place then it will be a long and arduous process. On short notice, you need to be able to take a subject’s information (name, email, etc.) and quickly retrieve all personal information your organization has stored about them.
Personal information will likely be stored on more than just file servers, and maybe in the cloud in addition to on-prem. Examples include, but are not limited to:
It’s critical to not wait until a DSAR is received to figure out how this process should play out, as you’ll quickly fall behind if you don’t already have workflows in place for locating data and classifying it. It should not be a manual process either, as there is software specifically designed to assist with this.
Typically, only personal information is required, however, supplementary information may be required per your specific regulation. In certain circumstances regarding deletion requests, you may also need to request the deletion of data from third parties you previously shared the data with.
This is typically the last stop in the DSAR process, and if you’ve navigated all these steps without too much difficulty then you’re in a good position to handle requests. This includes providing a copy of a requester’s data, deleting that data, preparing that data for transport, and more per the points outlined earlier and the nature of the specific request.
Between gathering data and acting on it, software automation is the clear path forward.
Knowing where sensitive data is stored, how long it’s stored for, when it’s considered stale, who has access to that data, and what users are doing with that data gives you a big advantage. Without this knowledge, you’ll be scouring your servers and cloud repositories each time a DSAR is received and may miss important data that can later result in fines or penalties.
Remediating stale data is also important, which can be deletion per a DSAR request or standard archive/deletion of data no longer needed for business or regulatory reasons. While data is king, you want to avoid storing unnecessary personal information as it can lead to much larger issues in the event of a data breach.
DSARs are not a one-time process, so you need to be continuously ready to handle them and modify your workflow as regulations change. Stealthbits’ Data Access Governance solution helps with this automation and answers the most difficult questions you’ll face when managing data, users, security, and regulatory requirements.
Discover Data: StealthAUDIT automatically discovers where data is stored within your organization and classifies it.
Govern Access: StealthAUDIT shows you which users have access to discovered data, and automatically remediates overprovisioned access. Users with too much access can wreak havoc on the structure of your data and increases your data breach attack surface.
Monitor Activity: StealthAUDIT and Stealthbits Activity Monitor track and report user activity with data, and can reveal inappropriate behavior related to the handling of sensitive data. Proactively track down and remediate situations that can lead to exposed data, or that can result in data being stored in unexpected places.
Report Findings: StealthAUDIT provides multiple ways to interact with your collected and analyzed data, including report generation and distribution to the appropriate parties in your organization.
Learn more about how Stealthbits can help with DSARs and Data Access Governance here.
Dan Piazza is a Technical Product Manager at Stealthbits, now part of Netwrix, responsible for PAM, file systems auditing and sensitive data auditing solutions. He has worked in technical roles since 2013, with a passion for cybersecurity, data protection, automation, and code. Prior to his current role he worked as a Product Manager and Systems Engineer for a data storage software company, managing and implementing both software and hardware B2B solutions.
Proper data security begins with a strong foundation. Find out what you're standing on with a free deep-dive into the security of your Structured and Unstructured Data, Active Directory, and Windows infrastructure.Read more
Start a Free Stealthbits Trial!
No risk. No obligation.