PRIV-28 – Data Subject Access Request Procedures


What is this control about?

Implementing the control ‘Data Subject Access Request (DSAR) Procedures’ is crucial for organizations to uphold data subject rights and ensure compliance with data protection regulations. Data subjects have the right to access their personal data held by an organization, and these procedures are essential for facilitating and managing such requests efficiently.

Available tools in the marketplace

Tools:

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

Control implementation

Here are some guidelines to implement a DSAR program:

  • Establish DSAR Process Documentation: Create a comprehensive DSAR procedure document that outlines the steps to be followed when receiving, validating, and responding to DSARs. This document should include roles and responsibilities, communication channels, and escalation procedures.
  • Designate a Data Protection Officer (DPO) or Point of Contact: Designate a DPO or another accountable person to manage DSARs. Ensure that their contact information is easily accessible so data subjects know where to submit their requests.
  • Implement Data Subject Verification Methods: Develop robust data subject verification methods to ensure the authenticity of the data subject making the request. This is crucial to prevent unauthorized access to personal data.
  • Create a DSAR Request Form: Develop a DSAR request form that data subjects can use to submit their requests. This form should collect essential information, such as the data subject’s name, contact details, and specific details about the data they are requesting.
  • Establish Internal Communication Procedures: Set up internal communication channels to ensure that DSARs are promptly forwarded to the designated responsible person or team for processing.
  • Data Retrieval and Validation: Implement processes to identify and retrieve the requested data from relevant systems or databases. Validate the data to ensure it belongs to the requesting data subject.
  • Respond to DSARs in a Timely Manner: Adhere to the specified timeframes for responding to DSARs, as required by data protection regulations. Acknowledge receipt of the request and keep the data subject informed of the progress.
  • Prepare the Response: Prepare a comprehensive response that includes the data subject’s personal data in a structured format. Provide any necessary explanations or interpretations to assist the data subject in understanding the information provided.
  • Ensure Data Security: Take appropriate measures to secure the data during the DSAR process, including encryption, access controls, and audit trails to track data access and disclosure.
  • Document the DSAR Process: Maintain detailed records of each DSAR received, including the request date, response date, actions taken, and any additional correspondence with the data subject.
  • Monitor and Review the DSAR Process: Regularly monitor the effectiveness of the DSAR process and conduct periodic reviews to identify any areas for improvement or compliance gaps.

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the suggested actions below:

  • Provide the DSAR Procedure Document that outlines the step-by-step process for handling DSARs. This document should include details about how DSARs are received, verified, processed, and responded to, as well as the timeframes for each stage of the process.
  • Provide an example of Data Subject Request Forms. These forms should collect essential information, such as the data subject’s name, contact details, and specific details about the data they are requesting.

Evidence example

For the suggested action, an example is provided below:

  • Provide the DSAR Procedure Document

Leverage this Data Subject Access Request procedure example to create yours. Have your Legal team vet the resulting procedure before adopting it.

  • Provide an example of Data Subject Request Forms

Use this Data Subject Access Rights Template
