You won’t be disappointed
Your Needs Solved
…instead of just a piece software
Data Protection Officers
Not Just Privacy
We are with you from A to Z
Years in Business
We are one of the providers with the longest experience in the market
Our data protection expertise is transnational and we work internationally
Privacy Impact Assessment
2B Advice has been named a Sample Vendor in four different Gartner Hype Cycle (Cyber Risk Management, Data Security, Privacy, Legal and Compliance Technologies)
Top 5 % Employer
Received the prestigious award from kununu, one of the leading European platforms for employer evaluation.
IAPP Gold Member
2B Advice is ISO/IEC 27001:2017 Certified
Certified Information Privacy Professionals
Data Subject Request Forms
Data Subject access request (DSAR) is a formal request for access to personal data held by an individual or organisation in the EU, and GDPR as well as new US state privacy laws require that organisations provide individuals with a copy of their personal data free of charge.
For data processors and data controllers, there are specific record-keeping requirements around the time to respond, the ability to request an extension, the requirement to validate the identity, and securely transmitting the response to the individual.
Different Solutions or for different Volumes of Requests
Every company is different and how many Data Subject Requests you receive depends on the size of company, the industry, the target group and other factors. With 2B Advice’ experts and tools, we can set you up with workflows and the grade of automisation that makes sense for your situation. 2B Advice Data Subject Request Forms work hand-in-hand with our ticketing system to ensure auditable tracking and timely response to each request.
Our experts and tools allow you to stay compliant with local and international data protection legislation, while providing a high level of transparency and accountability.
Sign up to our Newsletter
Privacy Law and Right of Access
Consumer right of access is a core component of many privacy laws in effect around the world today. Privacy laws in Canada and the EU go back several decades, but changing consumer sentiments around privacy have driven updates to existing laws as well as motivated more countries to enact comprehensive data privacy laws. In the US, several states, including California, are considering or have implemented privacy laws, and the US is considering a federal level law as well. In addition, Brazil, Singapore, and China have all put new privacy regulations into effect that mirror many of the tenants of the EU’s GDPR.
Individuals have the right to access their personal data, and this is commonly referred to as subject access. A number of privacy laws such as the GDPR or CCPA give individuals the right to obtain a copy of their personal data as well as other supplementary information. This helps individuals to understand how and why businesses are using their data, and checks that they are doing it lawfully.
The right of access also allows the data subject to exercise further rights such as rectification and erasure. In most cases, the right to access is afforded to customers as well as company employees.
Lack of compliance with subject rights can have significant impact on a company. Under the GDPR and other similar privacy laws, an omitted or incomplete disclosure is subject to fines.
Handling Data Subject Access Requests
Handling data subject access requests requires an intensive amount of time and effort, especially if data is distributed across multiple systems. The time-consuming cost of manually handling a single data subject request has been estimated to be anywhere from a few hundred dollars to a thousand or more, depending in the number of systems and the level of infrastructure and automation the business has in place today.
Many companies are finding ways to automate and streamline the process with privacy management software that includes workflows, communications, and count-down clocks.
USA EU Cookie Regulations
To be ready for incoming data subject access requests, a company should have a process in place that begins with a data mapping exercise to understand what personal data is collected, how it is shared, and where it is stored by the company or any third parties or service providers.
Because individual right of access also allows the data subject to exercise further rights such as rectification and erasure, it’s important to have a formal structure established for handling all of these rights. Being able to process these types of data subject requests promptly and completely is important because an omitted, delayed or incomplete disclosure is subject to fines.
An important step in subject rights management is establishing a preferred method or methods of receiving and handling data subject requests from customers, employees, and vendors. Methods may include a dedicated hotline, online web form, an internal email address, customer portal, etc. Make sure to check your applicable privacy regulations as some have specific requirements for options.
In addition to capturing and logging a request, it is important to be able to verify the identity of the requestor.
Data Subject Access Requests (DSAR) Under the GDPR
Article 15 GDPR describes the right of access by the data subject, employee or consumer. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data. In addition, the controller must provide additional information including:
- Purposes of the processing
- Categories of personal data
- Recipients to whom the data will be disclosed
- The period for which the data will be stored
- The existence of automated decision-making
The controller shall provide a copy of the personal data undergoing processing.
Under the GDPR, individuals may make a DSAR verbally or in writing.
Subject access response time is a critical aspect of handlining request. Article 12 GDPR stipulates that the business has one month to respond to a DSAR request. Extensions may be granted under certain conditions.
Whilst most attention is paid to the ability for consumers to make data subject requests, under the GDPR, so may employees. According to a PrivSec report, around three-quarters of EU firms (71 percent) have received DSARs from their staff since the introduction of GDPR.
Given that larger businesses in consumer industries can receive up to 500 DSARs a month, research shows there is a huge potential financial cost in having to respond to them. For example, UK businesses spend, on average, £1.59 Million and 14 person years annually processing DSARs.
Right of Access Under the CCPA
Under the CCPA, consumers (and employees) have the right to request a copy of personal information collected about them in the last 12 months. Consumers have the right to request a business disclose the categories of personal information collected, the business or commercial purpose, and the categories of third parties with which they share personal information. In addition, they may request to have a copy of the specific pieces of information the business holds about them, within certain limitations.
Consumers may make a subject access request verbally via a toll-free number or in writing via a web-form.
Subject access response times under the CCPA allow 45 days for businesses to respond to a request.
Penalties for Lack of DSAR Compliance
Can you be fined for failing to respond fully or promptly to a data subject access request? In a word, yes. Remember, EU regulators can impose the maximum 4% GDPR for violations of privacy requirements and this includes data subject requests pursuant to Articles 12 to 22. Under the GDPR, already we have seen businesses being fined anywhere from a few hundred dollars to tens of thousands of dollars for failing to fully respond to data subject access requests.
Under the CCPA, for fines and enforcement, the maximum penalty of the CCPA is $7,500 for intentional violations of the CCPA. Other violations lacking intent are subject to a $2,500 maximum fine.
In other countries with GDPR-like privacy regulations, such as Brazil’s LGPD, the fines may be less severe. Article 52 of LGPD states that the maximum fine for a violation is “2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals”. However, it should be noted, that the timeframe for time to respond is 15 days, which is much shorter than either the GDPR or CCPA. The bottom line is prompt and complete subject access response for consumers and employees is an imperative.
If you want to learn more about privacy and compliance, 2B Advice offers a variety of data privacy software solutions for any size business – contact us today to learn more.
Today marks 20 years since Marcus Belke and Hajo Bickenbach started this amazing company on January 13th, 2003.Special delivery to Ukraine
2B Advice team members spend an afternoon preparing supply packages to be donated to Ukraine via DHL's free shipping.A good summary of the draft adequacy decision
The EU Commission has published the long-awaited draft adequacy decision for data transfers from the EU to the US after analyzing US law and practice.