The transition to a digital economy has made it possible for businesses to collect an extraordinary amount of personal information quickly. Many organizations store this data, mining it as needed to create new marketing opportunities. Detailed demographics, web browsing habits and purchase history are just a few of the data categories in high demand. A single company often collects information from multiple sources, such as registrations and service requests. Because data is typically stored by type rather than by individual, a client's contact details may sit in one system while their customer service records sit in another. Without a comprehensive process, bringing the data together to comply with data subject access requests can be all but impossible.
The Basics of Data Subject Access Requests
The Data Protection Act of 1998 was designed to protect consumers from the misuse of their personal information. Section 7 of the Act created specific obligations for entities storing any consumer data. Individuals have the right to submit a Data Subject Access Request (DSAR) to see a copy of the information held by an organization. After receiving a DSAR, companies must produce the following:
- Confirmation that the organization holds the personal data requested
- A description of the personal data
- An explanation as to why the organization is storing and processing personal information
- Details on plans to share the data with other entities
- A copy of the information retained by the company
- The source of the material held by the organization
In addition, organizations must give requestors an explanation for automated decisions, such as a denial of credit or performance assessments. When an organization receives a request in writing, it has 40 days to respond. Effective May 2018, the General Data Protection Regulation (GDPR) lowers that time frame to just 30 days. Failure to comply with DSARs simply isn’t an option, as the fines for non-compliance can reach up to 4 percent of a company’s global annual turnover.