A Data Subject Access Request (DSAR) is a process in which a data subject (an individual) requests a copy of their personal data, either through an electronic channel (e-mail, phone call, or web contact form) or in person.
Most organizations collect information about individuals in the course of their normal business. For example, financial institutions or airlines will collect the name, DOB, age, address, and various other required information about an individual, all of which are legitimate business practices. However, over the life of those accounts additional information may be collected during customer service interactions or at other touch points, adding to what has already been collected. In some scenarios this information is also shared with third-party businesses that service those accounts, or through solicitation practices such as airline discounts and preferential offers for new credit cards. Organizations can be expected to lose track of what has been collected because of these complex and distributed data collection practices.
With new regulations such as GDPR, CCPA, and various other US state laws that protect individuals' rights, organizations are now required to be able to tell individuals what data has been collected about them when they ask through a data subject access request.
The DSAR process starts when a request is received from an individual; it is then forwarded to the data protection officer, or to whichever role is appropriate for the organization that collects the data. The office handling the request responds by asking for proof of the requester's identity and begins collecting the pertinent data to fulfil the request.
In addition to providing proof of identity, the customer will also need to provide a valid reason for asking for this information. Common reasons include debt consolidation, financing, audits, credit disputes, identity theft, etc., and the organization must be able to find that data or face large regulatory fines.
Once identity and reason have been verified, the DSAR must be fulfilled "without undue delay", typically within 30 days of receipt. The deadline can be extended in rare cases when the scope of data to be searched exceeds what the available technology can cover in that time, but the process for handling such extensions must already be in place. The overall DSAR process is typically handled by the organization's legal and data protection functions.
To facilitate the process most effectively, Spirion is used to search across various data repositories, identify which data is personally identifiable, and determine to whom it belongs. Spirion can be leveraged to search for custom data types, which frequently include the individual's name, address, DOB, and phone number, or data more specific to the collecting organization, such as a client ID.
Deciding where to search and how large the search will be has to be reasonable in order to fulfill the request within the given timeframe. Organizations need the ability to scan at scale; all searches take time, so plan ahead and have a process in place. Numerous factors affect a DSAR scan, such as the composition of the data (images, text, etc.) and the performance of the systems being scanned. Because every company's data composition is different, it is important to get ahead of the process and have a solution like Spirion in place.
This includes tools that integrate with Spirion, such as OneTrust, a partner tool that builds on what Spirion delivers. Spirion provides expansive abilities to accurately discover sensitive data, classify it, and report on the locations and types of sensitive data found. A tool such as OneTrust then expands on those capabilities by providing further governance, regulatory, and compliance processes to meet the stringent requirements of regulators. Spirion exports its findings in bulk report formats that such tools can ingest to satisfy DSAR requests and support data mapping.