
Data Subject Requests
Privacy regulations provide individuals control over their personal data, allowing them to know what data is collected, how it's used, request corrections, demand deletion, restrict processing, and receive their data in a portable format. These rights are called Data Subject Rights. Given that these obligations vary significantly across different jurisdictions, a comprehensive and adaptable approach is essential for ensuring global compliance.

Privacy Regulations Allow Individuals to:
- Limit/Restrict/Opt-Out: Requests to restrict sharing of an individual's information with affiliates and partners, or to limit the use of their personal data
- Summarized Categories: Requests for summarized categories of the information an organization has about an individual
- Copy of Information: Request for a copy of all information the organization has about the individual
- Update/Change/Collect Information: Request to change or update information about the individual, particularly if it is inaccurate
- Delete Data: Request to permanently erase or delete an individual's personal data

The DSAR Process
The steps involved in the DSAR process are listed below.
01
Verification and Validation constitute the first stage of the DSAR process. It involves contacting the customer making the request via email to verify their identity and to confirm that they are the rightful owner of the data associated with the email address. This is an important requirement of the process, as the request cannot proceed further without appropriate validation. Here, the customer's details are checked against the company's master database. If additional information is required from the customer, it is requested at this stage.
02
The second stage is the Processing of the request. Based on the customer's requirements, their data is deleted, rectified, summarized, copied, or updated in the respective department and business system (depending on their jurisdiction, customers can also request to restrict or opt out of processing and sale). Action items pertaining to the request are created and used here to facilitate the processing.
03
The final stage is the Communication and Delivery of the information. Here, for delete, opt-out, and rectify requests, the request is completed and the customer is informed of its completion. For requests for a copy or a summarized version of the data, the data is collected and a report is built, which is then sent to the customer in an encrypted or password-protected format.

Why Automation is Important
The personal data collected is stored in multiple data centers, both within the organization and with third parties. Processing these requests is not a linear function. It first involves accounting for all data belonging to each person and then identifying all data stores and applications, determining what data is personal and to whom it belongs. Fulfilling these subject access requests at scale can be a challenging task for many companies. To build a scalable and sustainable DSAR system, a robotic process automation system becomes critical.


