
DSAR Management: How to Handle Subject Rights Requests Efficiently

Written by Matt Davis, CIPM (IAPP) | July 31, 2024

Navigating the stringent requirements of data subject access requests (DSARs) can feel like summitting a mountain—the path forward isn’t always clear, pitfalls abound, and you’re fighting gravity all the way. 

The good news is, simplifying DSAR management is possible. And necessary. Here’s why: 

First of all, the volume of DSARs isn't going down. Each year, over 25% of all internet users submit a subject rights request. According to EY research, 60% of all organizations subject to the GDPR have seen an increase in subject rights requests in the past year. As more people become aware of their data privacy rights, and as more U.S. data privacy laws come online, DSARs will keep coming.

Second, noncompliance with DSAR requirements is no joke. Ignore DSARs, and your organization may need to pay a lot—both financially and in other ways.

The Costs of Getting DSARs Wrong

Organizations that fail to meet DSAR mandates face sizable consequences, most commonly fines imposed by data protection authorities. In 2023, 45 companies were fined by EU data protection authorities for insufficient fulfillment of data subjects' rights, totaling over €47.3 million ($51 million). One notable case: Spotify was fined roughly €5 million ($5.4 million) by the Swedish authority (IMY) for not giving individuals full information about the personal data it processes when they exercised their right of access.

As a result of the California Consumer Privacy Act (CCPA), businesses spent $1.3 billion handling DSARs in 2020 and 2021 alone. And by the time 2026 comes around, Gartner predicts global annual financial penalties associated with DSAR mismanagement will exceed $1 billion. 

These are not trivial penalties. And fines can quickly escalate for repeat offenders or those with egregious violations, leading to prolonged legal battles.

Beyond financial penalties, noncompliant DSAR practices violate customer trust and reflect a lack of commitment to data privacy. In fact, 72% of consumers report they would stop buying from a company or using a service because of privacy concerns. News of mishandling DSARs can spread rapidly, impacting not just customers’ perception of your company but that of potential partners and stakeholders as well.

Safeguarding against the costs of mishandled DSARs requires your business to adopt comprehensive strategies. Compliance should not be viewed as a checkbox exercise but as preserving integrity and maintaining customer trust. Recognizing the high stakes involved in DSAR fulfillment makes it easier to ensure regulatory adherence and a steadfast commitment to protecting consumer data.

Clearly, it’s critical to comply. But it’s also critically painful for privacy pros processing the requests. Let’s talk about the root causes of this pain and the best ways to find relief and get the job done.

Why Is DSAR Management So Hard?

The overall process for completing a DSAR is relatively straightforward—you can review the individual steps to DSAR management in our blog, What Is a DSAR? A Complete Guide to Data Subject Access Requests. For now, let’s focus on why managing DSARs is so hard and what you can do to make them easier.

Factors that add complexity to DSAR management include:

  1. Tight timelines
  2. Lack of data visibility
  3. Large volumes of data
  4. Coordinating internal stakeholders
  5. Complying with requirements across jurisdictions

But for every challenge, there’s a solution that can alleviate it (if you have the right platform and features).

Challenge #1: Tight timelines

Laws like the GDPR and CCPA/CPRA set short statutory windows for fulfilling DSARs: one month under the GDPR (extendable by two further months for complex or numerous requests) and 45 days under the CCPA/CPRA (extendable once by a further 45 days). Those clocks compound the pressure when you also have to contend with high volume, low visibility, and multiple regulations. Doing the required work diligently can easily run past the deadline, and rushing the process produces more errors, such as incomplete responses or another person's data slipping into the package. Adding staff and resources to process DSARs on time is one option, but an expensive one: you may avoid fines by completing the work on time, but you take the financial hit in elevated operational costs instead.

The Solution: Automated Subject Rights Management

It should come as no surprise that fulfilling a DSAR is a tedious and time-consuming task when performed manually. Organizations that receive one or two DSARs every now and again may get away with manually sifting through their systems for relevant data. But even then, they risk making errors like missing pieces of a data subject's personal information, exposing another person's data to the requester, or missing deadlines. And as we've discussed earlier, DSAR noncompliance can get very costly very quickly.

Subject rights fulfillment is an excellent use case for automation. A human must remain in the loop to verify the requester's identity before anything is released, to check the results for completeness, and to review the package for other people's data that must be redacted. With those checks in place, automated subject rights solutions can significantly expedite the DSAR fulfillment workflow, helping you meet those one-month and 45-day deadlines.

Challenge #2: Lack of Data Visibility

How many applications does your company use on a daily basis? Would you have any idea which of those applications contain personal information—let alone what kind? The fragmented nature of data management further complicates the journey to DSAR compliance. With data siloed across various departments, databases, and file structures, many organizations lack visibility across data stores or a unified approach to managing that data. This lack of centralization and visibility hinders the fast, accurate retrieval of data.

The Solution: Comprehensive, Integrated Data Mapping

To manage data, you need to be able to see it. An intuitive, holistic data mapping solution that integrates with your DSAR solution can create a detailed map of data flows and sources that facilitates faster data discovery and helps alleviate one of the bigger headaches of the DSAR process.

Ideally, these solutions automatically identify and integrate systems that process personal data in your organization. For example, Osano can discover many systems through sources like your single sign-on (SSO) provider or customer data platform (CDP). However, not all systems will be discoverable in an automated way, regardless of what solution you use. For any niche, disconnected, or shadow IT systems, you'll want to make sure your solution allows for frictionless manual uploads of data store information. This keeps your data map as comprehensive as possible and gives you as much visibility as possible. In turn, you'll be better equipped to find relevant data when fulfilling DSARs.

Challenge #3: Large Volumes of Data

The sheer volume of data organizations hold can make DSAR processing an arduous task. Every record involved requires careful verification, review, and packaging, and multiplying that work across a huge volume of data turns processing DSARs into a massive effort.

The Solution: Automated Data Discovery

Even if you have perfect insight into your organization’s data landscape, finding a specific individual’s data to fulfill a subject rights request can feel like finding a needle in a haystack. With an automated data discovery solution, you can identify a given individual’s personal data even if it’s spread across multiple, disparate systems.

With Osano's data discovery capabilities, you can discover data through your data map and its underlying data inventory. Not only will this help you quickly identify all of an individual's data held within your systems, but you'll also be better able to identify when and where data has been passed to a third party. This way, you can quickly notify vendors and other partners of the need to comply with a DSAR.

Challenge #4: Coordinating Internal Stakeholders

Data privacy compliance can’t exist in a vacuum. Subject rights requests, in particular, require extensive and coordinated collaboration. Privacy professionals don’t have insight into or control over every single system that may process personal information. And as we’ve described earlier, it won’t be possible to automatically pull personal information out of every system in your organization.

Privacy professionals need to coordinate with the internal stakeholders who own various personal data stores and ensure they know how and when to take certain actions to fulfill subject rights requests. That could involve deleting certain data, reporting on what data they have, and so on.

The Solution: Workflow Automation

While training and clear communication are excellent, it always helps to have a system that can provide guidance and ensure everybody stays on the same page.

Osano allows users to tag individuals in their organization as data store owners. Doing so enables you to assign those data store owners action items should they control data relevant to a subject rights request. A suite of webhooks and APIs allows for notifications in the other systems and tools your organization already uses to manage the workday. Osano users can also set internal timelines. This way, you can set deadlines earlier than the statutory window provided by law, so you can account for stragglers without risking a regulatory violation.
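As an added illustration of the timeline point in Challenge #1 and the workflow point above, here is a small tracker that computes the statutory deadline from the governing law, sets an earlier internal deadline, and reports which data store owners are late. This is example code written for this article's topic, not Osano's product or API; the jurisdiction table (one calendar month for the GDPR, 45 days for the CCPA/CPRA, each with its extension), the seven-day internal buffer, and the sample request are assumptions for the example.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta

# Statutory response windows, simplified for this example (assumption: confirm
# the statute and regulator guidance for your own cases). GDPR Art. 12(3): one
# month, extendable by two further months; CCPA/CPRA: 45 days, extendable by 45.
STATUTORY_WINDOWS = {
    "GDPR": {"unit": "months", "initial": 1, "extension": 2},
    "CCPA": {"unit": "days", "initial": 45, "extension": 45},
}


def add_months(start: date, months: int) -> date:
    """Add calendar months, clamping to the last day when the target month is
    shorter: a request received on 31 January is due 28/29 February, not 2/3 March."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def statutory_deadline(received: date, jurisdiction: str, extended: bool = False) -> date:
    """Last day on which a response is still on time under the governing law."""
    window = STATUTORY_WINDOWS[jurisdiction]
    total = window["initial"] + (window["extension"] if extended else 0)
    if window["unit"] == "months":
        return add_months(received, total)
    return received + timedelta(days=total)


@dataclass
class Task:
    """An action item assigned to the owner of one data store."""
    data_store: str
    owner: str
    done: bool = False


@dataclass
class Request:
    request_id: str
    received: date
    jurisdiction: str
    tasks: list[Task] = field(default_factory=list)
    extended: bool = False
    internal_buffer_days: int = 7  # assumed gap between internal and statutory deadline

    @property
    def statutory_due(self) -> date:
        return statutory_deadline(self.received, self.jurisdiction, self.extended)

    @property
    def internal_due(self) -> date:
        return self.statutory_due - timedelta(days=self.internal_buffer_days)


def open_tasks(req: Request) -> list[Task]:
    return [t for t in req.tasks if not t.done]


def late_owners(req: Request, today: date) -> list[str]:
    """Owners who still hold open tasks after the internal deadline has passed."""
    if today <= req.internal_due:
        return []
    return sorted({t.owner for t in open_tasks(req)})


def status(req: Request, today: date) -> str:
    """complete / breached / at_risk / on_track, in that order of precedence."""
    if not open_tasks(req):
        return "complete"
    if today > req.statutory_due:
        return "breached"
    if today > req.internal_due:
        return "at_risk"
    return "on_track"


if __name__ == "__main__":
    # Constructed sample request: received on 31 January of a leap year.
    req = Request(
        request_id="DSAR-0001",
        received=date(2024, 1, 31),
        jurisdiction="GDPR",
        tasks=[Task("crm", "alice"), Task("billing", "bob", done=True)],
    )
    print(req.statutory_due, req.internal_due)  # 2024-02-29 2024-02-22
    print(status(req, date(2024, 2, 23)), late_owners(req, date(2024, 2, 23)))  # at_risk ['alice']
```

The month arithmetic is the part worth getting right: naive "30 days" handling puts a request received on 31 January a few days past the real GDPR deadline in February, and the internal buffer only protects you if it is measured from the correct statutory date.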

Challenge #5: Complying With Requirements Across Jurisdictions

To add another layer of complexity, businesses must navigate the requirements for each data privacy law they are subject to. Different laws provide data subjects with different rights that they may exercise and impose different requirements on organizations when fulfilling those rights requests. All of this means that a multijurisdictional company may be inundated with DSARs from multiple regions, with each request requiring meticulous attention to detail to ensure compliance. Without an easy way to take inventory of existing data, fulfilling data requests can be next to impossible in a large organization with massive data stores.

The Solution: Geofencing and Localization

Data privacy solutions shouldn't leave the nitty-gritty of compliance up to you; they should have regulatory knowledge built in and verified by experts, so you can focus on your core work. Osano uses geofencing and localization to ensure that data subjects from different jurisdictions have access to the request types that their governing law provides. This way, you won't have to worry about fulfilling subject rights requests from jurisdictions without a governing data privacy law or failing to fulfill a unique request type you weren't aware of. Osano Subject Rights Management has all that knowledge baked into its design. Treat geofencing as a routing aid rather than a legal determination: a resident of a covered jurisdiction who submits a request while traveling or through a VPN holds the same rights, so keep a path for handling requests the geofence misclassifies.

Looking to Simplify Your Own DSAR Management?

As the demands of data privacy continue to evolve, the ability to provide quick and precise responses to DSARs supports both legal compliance and customer trust.

With centralization of the subject rights request process and automation of time-consuming and repetitive tasks, you can speed up compliance, relieve the burden on your team, and reduce the likelihood of human error in your own DSAR process.  

Book a demo and see how Osano can help you create a simpler, less laborious DSAR process.