The Guide to CCPA Data Subject Access Requests

April 22, 2022 - Jeff Edwards

Data Subject Access Requests (DSARs) are a critical component of the California Consumer Privacy Act (CCPA). Under the law, organizations must respond to these requests promptly by taking the appropriate action or explaining why they can't satisfy the request.

Yet, many organizations aren't equipped to handle DSARs cost-efficiently. Manually performing the workflows costs around US$1,400 per request—which can add up quickly. Here's how to shorten response time and lower operating costs. 

What Are CCPA Data Subject Access Requests?

A DSAR is a request made by an individual about the data that an organization collects and stores on them. Customers, users, employees, prospects, contractors, job candidates, etc., can all make a DSAR. The organization must respond within 45 days to avoid potential fines and penalties.

GDPR Enforcement Actions are Up 70% Year-over-Year. Get the Report.

The individual can request the organization to disclose the categories and specific pieces of personal information it has collected, the data sources, the business or commercial purpose for collecting the information, and the third parties with which the data is shared.

Organizations must follow these steps to respond to a DSAR include:

  1. Verify the requester's identity to determine if they have information on the individual and whether to provide access to the data.
  2. Understand the nature of the request (e.g., to see the data the organization has collected or correct the information) to see if they can fulfill it within the 45-day timeframe.
  3. Review and approve the data to be shared with the requester to ensure that it only contains their information.
  4. Deliver the information via secure channels.

Best Practices For Handling CCPA Data Subject Access Requests

Follow these best practices to reduce cost and improve response time when processing DFARs:

Conduct a Data Mapping Exercise

To retrieve subject data efficiently, you need to know what you're storing, where you're keeping it, and why the information is stored. Start with business units that handle a lot of personal data, such as HR, sales and marketing, finance, legal, etc., and analyze where they capture personal information.

Then, decide if you have legal bases or business value for processing and storing the data. Getting rid of information you don't need can help you streamline future DSAR processes to save time, money, and often legal headaches.

Filter and Redact Unstructured Data

Structured data stored in a database is relatively easy to search and sort. However, it can be tricky to locate and filter unstructured data, such as information buried in email, chat messages, etc., and redact content that contains personal data.

Understand the context and interpret the requests to frame the search's scope so you can effectively identify what information to redact. Also, use technologies to assist with the redaction process to improve cost-efficiency.

Streamline the Identity Verification Process

Be reasonable and proportionate about the amount of information you ask to verify the requester's identity. Don't request more information than necessary, especially if the person's identity is apparent because of an ongoing relationship with your business (e.g., an employee.)

You can also verify the data subject's identity with existing authentication methods, such as username and password or a one-time email confirmation link. Not reinventing the wheel can help you streamline workflows and reduce the response time.

Implement an Efficient Workflow

The DSAR workflow should be an integral part of your consent management system so you can use automation technologies to handle these requests at scale. Use software to route DSARs through the appropriate departments to avoid bottlenecks that can delay the process.

Assign roles and responsibilities for each step within the workflow to ensure proper oversight. Stakeholders should receive regular training (e.g., at least once a year) to learn new best practices and stay current with any changes in the regulations.

Respond to DSARs Cost-efficiently With a Robust Consent Management Platform

A robust content management platform (CMP) gives you the foundation to handle DSARs cost-effectively. Ensighten's CMP+ goes beyond a basic CMP to deliver advanced functionalities that can help you comply with fast-changing privacy laws and industry regulations without sacrificing the customer experience. 

Learn more about CMP+ and request a demo to see how we can help you streamline your consent management workflow.  



Jeff Edwards

Jeff Edwards

Jeff Edwards is a tech writer and analyst with six years of experience covering compliance, information security, and IT. Jeff previously worked as a reporter covering Boston City Hall.

Learn more about Ensighten and our solution

Online skimming blog

Learn why third-party components on your website could be leaving you vulnerable to online skimming attacks

Read Now

Web skimming webinar

Learn more about how online skimming attacks happen and how you can protect against them

Watch Now

Online demo

See the Ensighten solution in action to learn how we can help protect your website against online skimming

Book Now