5 Steps to Comply with DSARs
Josephine Yam, JD, LLM, MA (AI Ethics)
AI Lawyer | Skills4Good AI Co-Founder | TEDx Speaker | Top 100 Brilliant Women In AI Ethics | RBC Top 25 Canadian Immigrants Awardee | Empowering Professionals with Responsible AI Literacy through Community Learning
Here’s an embarrassing story of a company that did not take its privacy obligations seriously.
One day, a Danish customer called Nuuday, one of Denmark’s telecommunications companies, to apply for broadband access at his address. He was asked for his social security number as part of Nuuday’s application process. Because the customer felt very uncomfortable providing his social security number, he filed a data subject access request (DSAR) asking why and on what basis the company had collected his social security number. He didn’t receive a final response until six months later.
In early 2022, the Danish Data Protection Agency (DPA) publicly criticized Nuuday for unfairly collecting information about its customers’ social security numbers. The DPA also censured Nuuday for its delayed response to the DSAR in violation of the 30-day deadline set by the EU General Data Protection Regulation (GDPR). As Nuuday admitted, they had neither a purpose nor a legal basis for collecting an individual’s social security number. They also confessed that they had failed to respond to the DSAR promptly.
One key takeaway of this story is that organizations must have an effective process for handling DSARs to achieve privacy compliance.
Despite the challenges encountered when complying with DSARs, organizations must show that they respect the privacy of their customers and employees and are committed to protecting their personal data.
There are five steps you need to follow to handle DSARs effectively. Here they are:
1. Understand the types of data that fall under privacy laws.
Complying with a DSAR can be complex and time-consuming, as many different data types fall under privacy laws. Some of this data is basic personal data, like an individual’s name or contact information. Other data types that may be protected under privacy laws include financial, health, and even biometric data. Collecting and managing this data can be a challenge for organizations, so it’s essential to have a process for handling DSARs. By understanding the types of data that fall under privacy laws, organizations can better prepare for and comply with DSARs.
This also means that companies must be able to explain what types of data they are collecting and for what purpose. Failing to comply with a DSAR can result in a significant fine or even criminal charges. As a result, companies need to understand the types of data they are collecting and processing in order to comply with DSARs.