DSAR Cost: How Much Does Each Cost?
EU consumers have the right to access their data under privacy protection laws such as the GDPR.
One of the major requirements is that every business must provide a DSAR (data subject access request) service for its data subjects (the consumers). Newly emerging businesses often wonder what the DSAR cost of providing this service is.
This article will explain why it is important for businesses to take DSARs seriously, as well as provide the cost overview and some extra advice on how to train your staff to operate within your business to manage a DSAR request.
Let's dive in.
- Responding to DSARs is very important for businesses. Failing to do so can have major consequences, including fines and legal action.
- DSARs can be very expensive for businesses because of the many factors that come into play in providing the service.
- In most cases, a business cannot charge for a DSAR, but certain circumstances can warrant a fee.
Why is Responding to a DSAR Important?
Any business that processes EU resident data must answer a data subject access request. This is mandated by Article 15 of the General Data Protection Regulation (GDPR). Failing to do so could result in major penalties, fines, or lawsuits.
The right of access is given to every EU resident under the GDPR. It allows data subjects (consumers or any individuals who have provided a data controller with their personal data) to request the data the controller holds on them, along with any requests for deleting or correcting that data.
A DSAR response can be delivered as a digital copy or as a physical document mailed to the data subject, based on their preference. The business responsible for responding to the DSAR must provide the information to the data subject within 30 days, but in some cases it can be allowed 60 days.
DSAR Cost Overview
Fulfilling DSARs for data subjects is costly for a business. The average administrative cost per data subject request is roughly $1,524, with some costing as much as $28,000 (£23,000). As one can imagine, having to fulfil many could severely cut into a business's profits.
There are several key factors that contribute to the high costs of offering a DSAR service:
As mentioned, a DSAR must be fulfilled in a timely manner. While 30 days may sound like a significant amount of time, it isn't, because certain requests are far more time-consuming than others.
For example, the deletion of data is relatively straightforward. However, if the data subject requests a record of all text messages, emails, and Microsoft Teams conversation recordings on file, it could be very time-consuming for the DPO (Data Protection Officer) responsible.
Daniel Barber, CEO of DataGrail, explains that:
"The largest costs related to DSAR fulfillment come from the manual processes required to perform a DSR. Businesses store personal data in hundreds of different systems—both owned systems (e.g. databases) and SaaS-based systems (e.g. Salesforce, Shopify, Zoom, etc.)—and in order to fulfill a privacy request, an organization must identify where across all these systems personal data lives. When done manually, our research has shown it could involve more than 26 employees and countless hours."
Whenever a data subject makes an access request, the company must work at a fast pace in order to meet the deadline. Larger businesses are often required to hire and train multiple DPOs, which can be quite costly.
It is common for the DPO to have to put in overtime when trying to meet tight deadlines. On average, a DPO will respond to around 50 emails per DSAR, many of which involve attachments of varying types.
DPOs are under immense stress while managing multiple DSARs. It requires keeping track of various data subjects' personal information while also prioritizing the requests that are closest to their due dates.
The amount of multitasking and stress can take a toll on the DPO. In some cases, it can cause the DPO to make mistakes while working on the DSAR, which in itself can result in compliance penalties for the business.
Lack of Internal Process and Automation
Automated processes, such as DSAR software, can make a night-and-day difference in addressing data subject requests. A good system compiles and stores data in a way that makes it easier for the DPO to collect what is necessary for the DSAR.
Not having an internal process for automation puts more pressure on the DPO, which results in longer hours and more money spent.
Developing an internal process that handles automation is not easy, however. If you own a business that is interested in developing an automation process to address DSARs more efficiently, consider contacting us to learn how your business can do it affordably and effectively.
- Want to respond to DSARs at a fraction of the price while still being fully compliant? Get in touch with us today for a complimentary consultation.
Can You Charge for a DSAR?
Article 12 states that the first copy of a data subject's personal data should be provided free of charge. After that, a data controller can charge the consumer for further requests if they are deemed excessive or unfounded.
It should also be mentioned that any extra fees collected cannot be used to profit an organization. They are there to help a business recoup its costs if a data subject is making DSAR requests that heavily burden the business. Whatever the DSAR costs the business to fulfil is what the data subject pays.
With that said, there must be a clear set of criteria in order to charge these fees. Making a DSAR is a right that all citizens in the EU and some other countries have, so businesses are required to offer the service. In order to charge a data subject a fee, there must be valid reasons tied to administrative tasks.
One example is a data subject who wants multiple copies of their personal data. A request for multiple copies puts more strain on the business's resources than usual, which can make it excessive. The business then has a valid reason to charge, namely to cover the higher-than-usual cost of the DSAR.
A business could also charge for a DSAR if the request is unfounded. This can be defined as the data subject having no intention to exercise their right and instead using it for malicious purposes.
An example of malicious intent is an employee who was fired from a business and submits a DSAR for no reason other than to disrupt the business and cost it money.
Unfounded or malicious intent must not simply be presumed; it must be established factually. A business must have evidence that shows the person's clear intention to misuse the DSAR.
Can You Refuse a DSAR?
Yes. According to Article 12, section 5, the criteria for refusing a DSAR are the same as those for charging a fee: the request is deemed excessive, unfounded, or malicious in nature.
Refusing a DSAR involves proving that the data subject is using the service and information for reasons that are not protected under their rights. Anything that causes harm or purposely disrupts a business can be used as a reason to either refuse the DSAR or charge a fee for it.
When it comes to excessive copies, it is important to consider why someone would want multiple copies in the first place. If a data subject requests more than one copy, it can be justified by simply wanting extras in case the originals get damaged or lost.
A request becomes excessive when a data subject asks for an exaggerated number of copies, such as 50. In that case, the business can either refuse to provide the service outright or charge the data subject a fee accordingly.
There is no limit to how often a business can refuse a DSAR, as long as it can prove the data subject falls under one of the categories that allow it to do so.
How to Implement DSAR Training Properly
Having a team ready to handle potential DSAR requests is essential not just for businesses working with EU residents but also for those working with certain parts of the US, such as California (under the California Consumer Privacy Act).
The GDPR's influence on data protection laws has expanded to some areas of the United States, such as California and its implementation of the CCPA DSAR.
Addressing DSARs is important. Failing to do so could result in penalties for your business or even a permanent shutdown.
Captain Compliance can help you implement a DSAR training program for your business. We have experts who stay up to date with data privacy laws and corporate compliance guidelines.
Our experts have great knowledge of compliance services. We can advise you on what your training program should include and how it should be executed within your business environment.
We understand that you as a business may be limited in funding, which is why our outsourced compliance programs are affordable and offer top-of-the-line results that can enhance risk management and mitigate potential liabilities.
How Can Captain Compliance Help?
Data privacy law is continually evolving, and DSARs are only one of the many data protection rights that are under the General Data Protection Regulation (GDPR). There is also the right to rectify, erase, restrict, and more.
Find out how to ensure your company meets all compliance obligations with a free consultation guiding you through data protection strategies.
What happens if a business fails to address a DSAR before the deadline?
If a data subject does not receive their DSAR response within the stated deadline, the business is vulnerable to being reported to the ICO (Information Commissioner's Office), which can result in penalties.
Can a data subject request corrections to their data through a DSAR?
Yes, a data subject can request corrections to their personal data through the right of access that the GDPR mandates.
Can a data subject request another person’s DSAR?
No. In most cases, it is not allowed for legal reasons and privacy concerns. The only exceptions are if someone holds power of attorney for the other person or if national security reasons authorize an investigation.
What happens if a data subject receives errors in their DSAR?
If a data subject receives any errors in their DSAR response, they have the legal right to return with a follow-up request to have them corrected. Failing to address the correction can lead to legal action.
How do I get a DSAR?
DSARs can be received in writing or verbally through any method. If you have an office, someone should be able to make the request directly there. A person may also make the request over social media or by email.