DSAR Training: Why It’s Needed & How to Do It?
The right of access is one of the primary data subject rights in almost every data protection regulation, including the EU's GDPR, California's CPRA, China's PIPL, and Brazil's LGPD.
This right means that an individual or customer is entitled to access the data that a business holds on them.
How do they “ask” the business to give them this data?
By submitting a data subject access request or DSAR. It’s free, and there are even DSAR tools that make it easy for customers to automate their DSAR requests.
Answering these requests properly and on time, however, isn’t easy and puts a strain on the business.
But, with DSAR training, it gets a lot easier.
- Businesses often have to handle dozens, if not hundreds, of data subject access requests every month. The sheer amount and scope of these requests can be overwhelming.
- DSAR training can help your business handle these requests in a way that benefits both you and your customers.
- A DSAR training program needs clear goals and objectives, which will lead to the best results.
Why is DSAR Training Important?
People, especially the younger generations, are increasingly aware of and active about their data privacy, and they want more control over how it is used by the companies they give it to.
To illustrate the point, 48% of customers have switched to other companies over concerns about how the previous company handled or shared their data.
And by submitting a DSAR request, they don’t have to guess.
The problem for businesses, however, is that fulfilling these requests is one of the greatest compliance challenges, and they might receive dozens or even hundreds of DSARs per month.
In fact, in one poll, 24% of companies said they get between 10 and 50 DSAR requests each week, 11% said they receive 100 to 500, and 9% said they receive over 500 requests.
Handling just one of these requests is challenging enough; imagine being swamped by hundreds every week!
This is why, for companies that want to maintain their regulatory compliance and satisfy their customers' privacy concerns, DSAR training is essential.
What Makes a Successful DSAR Training Program?
Whether we're talking about a gym training program or something like a compliance training program, an effective training program must identify three important attributes: goals, objectives, and results.
Wait. Aren’t these three the same thing?
No. While they’re often used interchangeably, goal, objective, and results are different things.
Goals are broad and can have several objectives. They are also long-term rather than short-term.
For example, the goal of gym training is to be healthier and stronger.
Or, if we’re talking about DSAR training, the goal would be to help the company build trust with its customers and achieve regulatory compliance.
Just below the goals are the objectives. These are more specific and measurable.
Returning to the gym example, an objective of gym training is to build muscle.
So, an objective of DSAR training would be to teach the employees responsible for handling these requests to do so in a timely and correct manner.
And finally, we have results, which are what you want to get out of the training.
For gym training, the results would be what you see in the mirror or the positive comments you get from others.
If we're talking about DSAR training, it might be something like being able to respond to 100 more DSARs than in the same period of the previous year, or decreasing the time needed to respond to a DSAR by 20%.
Finding a Good DSAR Training Program or Course
But how do you find a DSAR training program that will help you effectively and efficiently respond to data subject access requests?
You might be wondering why we used gym training to illustrate the importance of goals, objectives, and results in a training program. This has nothing to do with the author being a meathead.
Finding a good training program, whether we're talking about DSAR or something like a gym program, is notoriously difficult, and the wrong program will only waste your time and money.
So, what should a good DSAR training program look like?
Essentially, this has to do with two questions:
- What will the program or course cover?
- What will the attendees learn from it?
When it comes to what it will cover, the program or course should be fairly comprehensive but focused.
Usually, these programs last around 6-7 hours, including breaks, and are separated into blocks or sessions, so time is limited.
During these few hours, the program needs to cover the following topics:
- What is a data subject access request?
- Understanding the specific data privacy regulation (for instance, GDPR or ADPPA)
- How to receive a DSAR
- Recognizing authentic and valid subject access requests using identity verification
- Managing DSARs
- DSAR processes and timescales
- Unfounded and excessive DSARs
- The information the DSAR applies to
- Data search approach
- Profiling and automated decision-making
- Deceased records
- Lack of capacity requests
- Third-party data
- Withholding or exempting information
- Data erasure requests
- Providing the information
- Managing and enforcing DSARs
So, what are some things that your employees should, hopefully, learn from a program like this?
- What is a data subject access request or DSAR?
- How to handle DSARs?
- What specific information must you provide in a DSAR response?
- What information can you withhold or exempt and why?
- How to avoid a possible data breach by responding to a DSAR
Best Practices for DSAR Training
If you’re looking to streamline DSAR training and ensure it helps you meet regulatory compliance, there are several best practices you should aim to follow.
Define Roles and Responsibilities
Not everyone in your company should be handling DSARs. Typically, this is the responsibility of a data protection officer or DPO.
As such, the DPO or their team needs to be trained in specific DSAR processes, such as recognizing a valid request or identifying excessive ones.
Correct Data Handling
Another best practice for DSAR training is ensuring that employees are educated on correct data handling procedures. This includes understanding the types of personal data your company collects, how it is stored and processed, and who has access to it.
Employees should also be trained in proper deletion or erasure methods for when a valid request for that action is received. Together, these practices help prevent accidental sharing of sensitive information during the response process.
Try Out Simulated Scenarios
One effective way to train employees in responding to DSARs is by using simulated scenarios. These simulations can replicate the different types of requests that may arise in real-life situations.
Simulations give employees an opportunity to practice their skills and knowledge in a controlled environment without consequences or risks involved with real-life responses. They allow teams to identify any weak points in current processes and make necessary improvements before being faced with actual requests.
An effective DSAR response should ultimately eliminate the customer’s worries about how your business is handling their data and build their trust.
It is not about simply delivering this information and calling it a day.
Data protection regulations, like GDPR, only say that you should respond to DSAR requests but do not specify how.
For example, Article 15(3) of GDPR says:
“The controller shall provide a copy of the personal data undergoing processing.”
That’s not much to go on, but it provides a great opportunity for making your customers happy by better communicating their DSAR responses.
Regularly Review Data Protection Regulations and Update DSAR Processes
Finally, you should always remember that data protection laws and regulations will change over time.
This is a relatively new type of regulation, and a lot of countries or states don’t yet have such a law. Most of those that do have more or less copied the GDPR and added a thing or two here and there.
For instance, only 13 out of 50 US states have enacted a data privacy law, and 18 don't even have a bill introduced as of October 2023.
You want your business to be ready for when these countries or states introduce these laws or when they change existing ones (like when California amended the CCPA with the CPRA) so you can, among other things, better handle subject access requests.
Use the Help of Captain Compliance
One of the best ways to ensure effective DSAR training and compliance is by using specialized solutions like Captain Compliance.
Captain Compliance offers comprehensive solutions for managing, tracking, and responding to DSARs. We can train employees on how to identify valid requests, handle data effectively, communicate with customers throughout the process, and stay up-to-date on changing regulations.
With features like automated responses and customizable templates, Captain Compliance streamlines the entire DSAR process from start to finish, making it easy for businesses to stay compliant and maintain customer satisfaction.
Challenges of DSAR Training
Every training program presents certain challenges. For DSAR training, for example, these are most often:
How to Handle Large Volumes of Personal Data?
The number of data assets that a DSAR could cover can be vast, and oftentimes, whether intentionally or not, data subjects request more information than they actually need.
Data subjects often don’t realize that your business has a limited time (one month under GDPR) to respond to their DSAR. The broader the scope of their request, the more time it will take to respond.
How to Process Different Data Types?
Another challenge when it comes to DSAR training is how to process and review different data types.
Here are just some questions:
- Is it text, audio, video, or a combination of the three?
- What format of text, audio, or video is it?
- What medium is the data on? Paper or electronic?
- Where is the data stored?
How to Handle Third-Party Data?
Many companies rely on third parties to store and process their data, making it even more challenging when handling DSARs. Training should cover how to identify which personal data is stored by a third party and how to obtain this information in a timely manner.
Additionally, third-party processors have their own obligations under GDPR and may have data processing practices that differ from your company's.
This makes it important for employees to know how to liaise with these third parties in responding accurately and efficiently to DSARs. Training should cover the necessary procedures for requesting information from external processors and potential challenges that could arise during this process.
Is the Requester Authorized to Ask for This Data?
What about classified or privileged data? Is the data subject authorized to request this kind of data?
Disclosing this data to the wrong people could have potentially dire consequences for the company and cause a data breach. And there is certainly no shortage of fake DSARs, so you'll need to have a good verification system.
Your company must ensure the data subject access request comes from a verified source who has the right to request this information.
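The one-month response window mentioned under the volume challenge above, the excessive-request and verification points raised in this section, and the "DSAR processes and timescales" topic from the course outline, as an added example in Python. This is not code from the original post or from Captain Compliance: it is a minimal DSAR intake record that computes the GDPR Article 12(3) deadline (one month, extendable by two further months for complex or numerous requests), flags repeat requesters for DPO review under Article 12(5), refuses to release anything until an identity check has passed, and keeps an audit trail. The request ids, e-mail addresses and dates are constructed, and the e-mail comparison stands in for whatever identity-verification method the organisation actually uses.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Status(Enum):
    RECEIVED = "received"                 # logged, identity not yet checked
    VERIFIED = "identity verified"        # safe to search for and release data
    UNVERIFIED = "verification failed"    # nothing may be released
    FULFILLED = "fulfilled"


def add_months(d: date, months: int) -> date:
    """Same calendar day `months` later, clamped to the last day of the target
    month (31 Jan + 1 month -> 28 or 29 Feb), which is how a "one month"
    statutory period is normally counted."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class DSAR:
    request_id: str
    received: date
    contact_email: str            # address the request came from
    categories: list[str]         # what the subject asked for, e.g. ["emails", "cctv"]
    status: Status = Status.RECEIVED
    deadline: date = field(init=False)
    audit: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # GDPR Art. 12(3): respond without undue delay, and within one month of receipt.
        self.deadline = add_months(self.received, 1)
        self.log(f"received; respond by {self.deadline}")

    def log(self, event: str) -> None:
        self.audit.append(f"{self.request_id}: {event}")


def verify_identity(req: DSAR, email_on_record: str) -> bool:
    """Gate: only a requester matching the account on file gets data.
    A normalised e-mail comparison is a stand-in for the organisation's
    real identity check (assumption made for this example)."""
    match = req.contact_email.strip().lower() == email_on_record.strip().lower()
    req.status = Status.VERIFIED if match else Status.UNVERIFIED
    req.log("identity verified" if match else "identity check failed; nothing released")
    return match


def extend_deadline(req: DSAR, reason: str) -> date:
    """Art. 12(3): two further months are allowed for complex or numerous
    requests, provided the subject is told within the first month."""
    req.deadline = add_months(req.deadline, 2)
    req.log(f"deadline extended to {req.deadline}: {reason}")
    return req.deadline


def is_excessive(req: DSAR, earlier_requests: list[date],
                 window_days: int = 90, limit: int = 2) -> bool:
    """Flag a repeat requester for DPO review. Art. 12(5) lets the controller
    charge or refuse manifestly unfounded or excessive requests; this heuristic
    only raises the question, the decision stays with a person."""
    recent = [d for d in earlier_requests if 0 <= (req.received - d).days <= window_days]
    return len(recent) >= limit


def release_allowed(req: DSAR) -> bool:
    """Disclosure is permitted only after identity has been verified."""
    return req.status == Status.VERIFIED


def days_remaining(req: DSAR, today: date) -> int:
    return (req.deadline - today).days


if __name__ == "__main__":
    # Constructed sample request, not real data.
    req = DSAR("DSAR-0001", date(2023, 10, 18), "Alice@Example.com", ["emails"])
    print("release before verification:", release_allowed(req))
    verify_identity(req, "alice@example.com")
    print("release after verification:", release_allowed(req))
    extend_deadline(req, "large mailbox export (constructed reason)")
    print("days left on", date(2023, 11, 1), "->", days_remaining(req, date(2023, 11, 1)))
    print("\n".join(req.audit))
```

The audit list is the part a practitioner should not skip: when a regulator or the data subject asks why a response was late or refused, the timestamps and the verification outcome for each request are the evidence.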
How to Implement DSAR Training Properly?
Implementing DSAR training properly can be a daunting task, but with the help of Captain Compliance, your business can ensure that all employees are equipped with the necessary skills and knowledge to effectively handle subject access requests. Here’s how we do it:
1. Customized Training Programs:
Captain Compliance offers customized training programs tailored to meet your specific business needs and compliance requirements. Our experienced trainers will work closely with you to understand your company’s processes and procedures for handling DSARs before creating specialized training materials.
2. Legal Knowledge:
Our team is well-versed in data protection laws like GDPR, CCPA, CPRA, and other major data protection laws, ensuring that our training reflects current regulations while also taking into consideration any upcoming changes or amendments.
3. Hands-on Experience:
As experts in managing DSARs ourselves through our software solution, we bring practical experience that helps employees better understand what kind of information might be involved in different types of requests, as well as the common difficulties encountered while processing them.
4. Superior Software:
Our comprehensive solution includes powerful features like automated responses and customizable templates, making it easier for employees to manage DSARs while staying compliant. This software can also track requests and response times, providing valuable data for future training sessions.
5. Ongoing Support:
Captain Compliance offers ongoing support even after the initial training is completed. We understand that regulations are constantly changing, and we strive to keep our clients up-to-date with any new developments or amendments so they can continue handling DSARs properly.
Having not only a thorough understanding of data protection laws but also hands-on experience in managing subject access requests allows us at Captain Compliance to be an invaluable resource when it comes to training employees. Our specialized solutions and ongoing support ensure that your business stays compliant, avoids penalties, and maintains customer trust through the effective handling of DSARs.
79% of adults in the United States said in a Pew Research Center study that they are concerned about how companies are using the data they collect about them.
Thanks to the data privacy laws and regulations, they now have the instrument to take control over their data privacy, and one way to do it is through data subject access requests or DSARs.
It is up to you and your business to handle these DSAR requests in a way that satisfies your customers’ needs.
This is where Captain Compliance can help you by providing different kinds of compliance training solutions.
Get in touch with us and find out how we can help your business achieve compliance.
What does DSAR stand for?
DSAR stands for "data subject access request," and it is a request that a customer can submit to a company asking for the data the company holds on them.
What is a DSAR process?
A DSAR process is a process through which an individual or a customer can request the data that the company has about them.
What is the best practice for DSAR?
The best practice for data subject access requests is to ensure your company responds promptly, that data is accurate and up-to-date, and that the request is valid and won’t lead to a data breach of any kind.
What is an example of a DSAR?
Data subject access requests or DSARs can take many forms, and there's no rule on how one should look.
Examples of a DSAR could be:
“Provide all emails I received from example@email between 18th October 2022 and 18th October 2023”.
“Send me all CCTV records of my face from the southwest-facing camera from 3rd August 2023 between 2:00 and 3:00 AM.”