GDPR DSAR Response Time: How Long Do You Have?
Knowing the response time limits set on data subject access requests for any business within the scope of the GDPR is crucial. Your business could face troublesome penalties if you are unsure of the GDPR DSAR response time and miss the deadline.
Given the complexity of some DSARs, it can take a lot of work to fulfill requests on time. If your business is new to DSARs and wants to understand the required response time or is looking for ways to shorten your response, you have come to the right place.
We will detail the GDPR’s specific DSAR requirements, how your business can improve its response time and the possible consequences of not meeting the deadline.
Let’s dive in.
- The GDPR requires that businesses respond to any DSAR within one calendar month, and the CCPA requires a response within 45 days. Extensions are possible when identity must be confirmed, the request is complex, or additional information is needed from the data subject.
- On average, it takes around two weeks to respond to a DSAR. However, several factors affect the response time, including data spread across multiple platforms, a high labor requirement, and a final legal review.
- Your business can shorten DSAR response time by streamlining internal processes, utilizing DSAR software, implementing compliance DSAR training, and consulting with experts like Captain Compliance.
GDPR DSAR Response Time
Under the General Data Protection Regulation (GDPR), your business must respond to any Data Subject Access Request (DSAR) within one calendar month, that is, by midnight on the corresponding day of the following month. Data subjects can request the personal information that your business holds at any time.
The calendar month starts on the day your business receives the data subject's access request. The Information Commissioner's Office (ICO) details how you can determine the time limit to fulfill an access request.
For example, if your business receives a request on April 15, you would have until midnight of the corresponding date of the next month, May 15.
In another example, if you receive an access request on March 31, April only has 30 days, so there is no such date as April 31. In this case, you have until April 30 at midnight to complete the request.
However, if the corresponding day falls on a holiday or weekend, your business has until the next working day. For example, a request on November 25 would mean one calendar month away is December 25, Christmas, so your business has until December 27 to fulfill the request.
The ICO allows extensions of up to 90 days after the request is received under a few circumstances:
- The access request is complex and will take time
- You need to request information from the data subject
- You need proof of identity from the data subject (in this situation, the calendar month only begins after you receive the necessary confirmation)
It is also worth noting that if your business does not fall under the GDPR but rather the California Consumer Privacy Act (CCPA), you are given a different timeline to fulfill access requests. Under the CCPA, you must respond within 45 days of the request, and extensions can be up to 90 days.
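The deadline rules above (corresponding day of the next month, clamped when that day does not exist, rolled forward past weekends and holidays, with the clock starting only once identity is confirmed) as an added Python example; this is not code from the page or the ICO, and the holiday set, the 2024 dates and the whole-month modelling of extensions are constructed assumptions.

```python
"""Deadline calculator for the one-calendar-month rule described above.

Added example, not from the page or the ICO; the holiday set is a constructed assumption.
"""
import calendar
from datetime import date, timedelta
from typing import Optional

# Constructed holiday set (assumption): only the 2024 Christmas period is listed.
# A real deployment would load the public holidays of the relevant jurisdiction.
HOLIDAYS = {date(2024, 12, 25), date(2024, 12, 26)}


def add_calendar_months(start: date, months: int) -> date:
    """Same day number `months` later, clamped to that month's length (31 Mar -> 30 Apr)."""
    year = start.year + (start.month - 1 + months) // 12
    month = (start.month - 1 + months) % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day: date, holidays: set) -> date:
    """Roll forward over weekends and listed holidays; a working day is returned unchanged."""
    while day.weekday() >= 5 or day in holidays:
        day += timedelta(days=1)
    return day


def dsar_deadline(received: date, identity_confirmed: Optional[date] = None,
                  months: int = 1, holidays: set = HOLIDAYS) -> date:
    """GDPR response deadline for a request received on `received`.

    The clock starts when identity is confirmed, if that came later (page rule).
    `months` is 1 by default; pass a larger value when an extension applies
    (modelling the extension as whole months is this example's assumption).
    """
    start = identity_confirmed if identity_confirmed and identity_confirmed > received else received
    return next_working_day(add_calendar_months(start, months), holidays)


def deadline_for(received_iso: str, identity_confirmed_iso: Optional[str] = None, months: int = 1) -> str:
    """String wrapper: ISO dates in, ISO deadline out."""
    confirmed = date.fromisoformat(identity_confirmed_iso) if identity_confirmed_iso else None
    return dsar_deadline(date.fromisoformat(received_iso), confirmed, months).isoformat()


if __name__ == "__main__":
    # The three worked examples from the text, placed in 2024 so the weekday logic is exercised.
    for received in ("2024-04-15", "2024-03-31", "2024-11-25"):
        print(received, "->", deadline_for(received))
```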
How Long Does It Take to Respond to a DSAR?
A DSAR response time can vary, but in general, with proper systems and DSAR management in place, it takes about two weeks. However, there are a number of factors affecting DSAR response times.
Some data subject access requests require long and extensive searching. The information you need, and where you find it, varies depending on the data subject and on what personal information they provided and how they provided it.
Here are some factors that influence how long it takes to respond to an access request:
Data Spread Across Multiple Platforms
The first factor that may influence the time of a DSAR response is that a data subject's personal information may not all be in one place.
If your business is like most, you may have a combination of physical and digital data. In addition, different types of personal data you have collected may not be accessible through the same program.
Sorting through and digging for all the personal information you need can take time. More complex requests typically require more information, meaning they could take longer.
Staff Labor Needed
In addition to personal data spread across multiple platforms, the people who have to find the data are under a lot of pressure. On average, fulfilling a single data subject access request involves around 50 emails with countless attachments.
In most businesses, the responsibility falls on a data protection officer or compliance expert. If that person works alone, or there is no dedicated compliance team or budget, the process can be grueling and take time.
Final Legal Review
The final factor affecting your business's DSAR response time is a legal review of the personal information gathered. Many businesses conduct a last review of the information they have collected as good data practice.
In this review, your business can redact and anonymize personal data that does not directly relate to the data subject and their request. The review will also ensure you have fulfilled the requirements of the data protection law governing the request.
How to Shorten the Time Needed to Respond to a DSAR
Your business should prioritize efficiency and promptness in all DSAR response protocols. Data subjects are within their rights to submit a request at any time, and with strict deadlines, it is best to be prepared and have an effective system in place.
Here are some excellent practices to maximize your business’s DSAR response efficiency:
Streamline Internal Processes
A great place to start improving your business’s DSAR response time is by optimizing data processing from start to finish.
We recommend setting up an organized, easy-to-understand system that streamlines finding and sorting a data subject's personal information upon request.
Create standard operating procedures (SOPs) for employees to follow upon every request. Always maintain clear communication channels to request assistance or information across departments.
Use DSAR Software
DSAR software is an excellent investment for accelerating DSAR response times, because it automates much of the handling of data subject access requests. The right choice of DSAR software will vary depending on your business's needs, but it is helpful to all who use it.
Another benefit of DSAR software is that it is a great way to showcase your business’s efforts to create practical data privacy standards.
Faster response times will increase consumers' trust and help ensure your compliance with data protection regulations like the GDPR.
Compliance Training
Your business can implement compliance training for all departments and employees that play a role in DSAR response. Compliance training prepares employees by providing knowledge of the relevant regulations and experience in handling access requests properly.
Collaboration with Compliance Experts
To help your business implement compliance training and select the best DSAR software, you can enlist the help of compliance experts like us. At Captain Compliance, we offer a full suite of compliance services and bring centuries of collective experience to provide guided assistance for your business's compliance needs.
We can help your business implement effective compliance training and DSAR response protocols to improve response times and ensure corporate compliance.
Consequences of Not Responding to a DSAR in Time
According to the GDPR, in the most extreme cases your business could face fines of up to 20 million euros or 4% of your annual turnover, whichever is greater. In less severe cases, the fine is up to 10 million euros or 2% of annual turnover.
For businesses subject to the CCPA, different fines are in place. The CCPA issues fines on a violation-by-violation basis, meaning your business is charged for each individual CCPA violation. The fine for a single violation can range from $2,500 to $7,500.
Other repercussions for failing to respond to a DSAR without a proper reason include legal action directly from the data subject. Consumers hold the right to make a legal claim against your business for violating their data subject rights.
Legal action could result in penalties of a different kind. Unlike fines under data protection law, civil cases typically have no set upper limit and could result in even higher amounts.
Your business must legally respond to all data subject access requests within one calendar month under the GDPR. There are a few options to receive an extension, but it is always best to respond promptly and efficiently.
Some DSARs are more complex and challenging to fulfill in a strict timeline. Our team of compliance professionals at Captain Compliance can help your business implement successful strategies and solutions to improve your DSAR response and avoid significant fines.
Get in touch with us today to learn about our complete list of compliance services and how we can ensure your business’s compliance with all relevant regulations.
What is the GDPR DSAR process?
Under the GDPR, data subjects have the right to access, view, and correct or delete any personal data that your business has collected concerning them.
They submit a request (data subject access request) to view this information, and your business must respond, providing the information, within 30 days.
Can a DSAR be refused?
Your business can refuse a request you believe is unreasonable or too frequent. However, the GDPR has no specific guidelines for distinguishing unreasonable requests.
Does my business have to respond to DSARs?
If your business operates as a data processor under the GDPR or CCPA, you must fulfill any DSARs within the provided time.
What happens if you don’t respond to a DSAR?
If your business is subject to the GDPR and you do not respond to a DSAR, you could be charged a penalty of up to 20 million euros or 4% of your annual turnover, depending on which amount is greater.
How do I respond to a DSAR?
Your business should gather all the information requested by the data subject and then securely send it to the consumer via the agreed-upon channel (email, phone, etc.). To meet GDPR standards, you must be transparent and provide all requested information.