
Responding to a DSAR Request

In a previous post, I discussed what a DSAR (data subject access request) is, the laws that such requests arise from, and the importance of having a systematic approach to handling them. Now let us outline the process involved in actually responding to a DSAR.

An organization is required to provide a DSAR requester with a copy of the personal data it holds about them, together with the supporting information the applicable law requires (for example, the purposes of processing, the recipients, and the retention period). The time to prepare for these requests is before you receive your first DSAR and find yourself not knowing quite what to do with it. Here are the steps to follow when responding to a DSAR:

Conduct a Data Inventory

Before you answer a data request, you need to know where the requester's data can be found within your organization, so that the requested information can be located and retrieved quickly. The data can come in many different forms, including structured data (databases, CRM records, logs) and unstructured data (email, documents, chat), which will require planning for an appropriate output format, such as a PDF or CSV file, that meets the request requirements. A data inventory that maps each system to the categories of personal data it holds, its owner, and its retention period is the foundation for every later step.

Organize DSAR Requests

You will need to implement a process to log and classify all incoming DSARs, including who will oversee receiving and organizing the requests. This might be your chief data officer (CDO), who routinely manages, secures, assesses, and oversees the collection and analysis of data. Whoever owns the process, make sure requests arriving through any channel (web form, email, letter, a phone call to support) are captured, because the statutory clock starts when the request is received, not when it reaches the privacy team. There are technology solutions to help organize DSARs, as well as other legal requests, that can be implemented to manage the workflow from request to delivery.

Fulfill the Request

A standard process will need to be followed for each request: identifying a valid DSAR; verifying the requester's identity (without collecting more personal data than is needed for that verification); requesting more information, if necessary, to narrow the search; determining whether the organization possesses the requested data and, if so, whether it must be provided or whether an exemption applies; deciding whether charging a reasonable fee is justified; and finally, providing the information within the required timeframe. Note that under the GDPR a fee may only be charged, or the request refused, where it is manifestly unfounded or excessive (for example, repetitive), or for additional copies; otherwise the response is free, and it is due within one month of receipt, extendable by a further two months for complex or numerous requests provided the requester is told of the extension within the first month. Remember that you can't violate any other person's privacy rights when delivering data, so you will need to mask or redact any personally identifiable information (PII) relating to third parties, while leaving the requester's own data intact.

Demonstrate Compliance

According to the provisions of the GDPR (the accountability principle), organizations must be able to demonstrate compliance with the regulation, including being able to show records outlining all DSARs received. The record should include the data subject's contact information, how the requester's identity was verified, a description of the request, when and how the response was made and by whom (including the reasons why it was honored, limited, or denied), and the time taken to reply. Keep this log itself under access control and a defined retention period; it is personal data too.

When responding to a data request, organizations are also required to inform the requester of their other rights: to request rectification or erasure of the data, to request restriction of processing or to object to it, and to lodge a complaint with a supervisory authority.

Next up in this series: DSAR Best Practices and Workflows an Organization Should Follow. Do you have anything to add regarding how to respond to a DSAR? Tell us about it in the comments!

About the Author

Jason Velasco
Founder/eDiscovery & Information Governance Advisor at eDiscovery Advisory
Jason Velasco is an electronic discovery industry veteran with more than 20 years of experience assisting organizations in conceptualizing, initiating, managing and completing big-picture transformation in electronic discovery, information governance, and data compliance solutions.

Jason is the founder and lead advisor of the eDiscovery Advisory practice, providing valuable and insightful guidance on eDiscovery and Information Governance challenges.

He has direct in-house experience with a global financial institution and a financial regulator developing solutions around eDiscovery workflows, legal hold, legacy data, and matter management systems.

He has conducted more than 350 computer forensic examinations for civil litigators and has provided expert witness services related to electronic evidence topics and data preservation issues.

Jason has also conducted more than 700 CLE courses on topics such as eDiscovery, document retention, preservation archiving, collection methodologies, email archiving and compliance, effective communication with IT, and the technical aspects of electronic evidence.

Jason is currently certified as a Certified eDiscovery Specialist (ACEDS), Information Governance Professional (ARMA), AWS Cloud Practitioner (Amazon), & O365 MS-900 (Microsoft).