What is a DSAR and why do HR practitioners need to know about it? DSAR is short for Data Subject Access Request: the right of employees over their data and your duty to stay transparent about employee data. As it is regulated by law, stay with us to discover the correct way to abide by these requests.
GDPR and CCPA regulations have put the importance of users’, including employees’, data in the spotlight.
Now, employees have several rights and control over the collection, use, and sharing of their personal information within the organization they work for.
Among the most important rights for an employee is the right to know, at any time and through a request, what information a company has collected, how it has been used, and to eventually request a correction or deletion of the data.
This type of request is called DSAR.
A failure to adhere to such requests can result in heavy financial and legal consequences for your business. Therefore, if you have a business and manage a team, read on. In this article, we'll explain what the DSAR is and why it's important.
Let’s dive right in.
What is DSAR?
Data Subject Access Requests (DSARs) are requests made by an individual (data subject) to a business asking what personal information they have collected and stored, as well as how it is being used.
If your organization has collected any information about these individuals, who may also be current or former employees, you might be able to assist. If so, you must give them a copy of the information you hold about them.
Check out Osano's guide to DSARs for a comprehensive look at the topic.
What should you include in an employee DSAR response?
Generally, a DSAR response should contain all the information you have about the requesting employees. However, they may also need you to provide them with specific information only.
DSARs must include, and subjects can ask for, the following:
- Your confirmation that their personal data is processed
- Access to their personal information
- The legal basis upon which you process their data
- For how long you will keep their data
- Information about how the data was collected
- Any third parties you have shared their information with
How to manage and respond to DSARs from employees?
While you now know what should be included in a DSAR, you probably don't know what to do about all the requests you receive.
The following are the steps required to process and fulfill a DSAR:
1. Authenticate, register, and log the DSAR
Regardless of whether organizations use manual or automated processes to fulfill data requests, they must first register them, log them in an appropriate system, and authenticate employees before fulfilling them.
2. Collect personal information
Finding out and categorizing the personal data stored and processed by your organization is a prerequisite for preparing for DSARs. In addition, it is essential to collect this data in a secure manner to avoid additional data sprawl, which could lead to increased liability.
3. Approve and review the information
As soon as you have gathered the necessary information, you or your team will need to review it for compliance with DSAR and ensure no proprietary information or personal data of any other person will be revealed.
4. Ensure employee information is delivered safely
You must deliver the employee's final response in a secure manner within 45 days. When a data breach occurs, the cost can be as high as $750 per leaked record.
The importance of DSAR for employees
A DSAR can be of great importance to every employee, as you can imagine. Some of the most important reasons are listed below.
Employees' awareness of their data collection
A key factor contributing to the importance of DSARs is the possibility for employees to become aware of all the information that you, or any other company they work for or have worked for in the past, collect about them.
This is particularly relevant in terms of transparency and awareness.
A right to have their data erased
Once employees learn about the personal information collected about them by their current or past employer, they also have the right to request deletion of that information.
Therefore, employees can exercise the power of their rights in a straightforward manner.
A right to correct their data
In addition to their right to request the deletion of their personal information, employees may also request that the company correct all or parts of their personal information. It may be necessary for them to update their email addresses or phone numbers, for example.
The importance of being DSAR compliant for employers
DSARs are extremely relevant and allow employees to exercise rights, but on the other hand, it is important for employers to comply with such requests. Furthermore, compliance can also bring a number of benefits to the business.
Listed below are a few advantages companies can gain from DSAR compliance.
Avoidance of legal and financial consequences
Non-compliance with GDPR and CCPA regulations, as well as failing to follow the procedures for DSARs to be answered and processed, could result in serious financial and legal consequences for your organization.
Depending on your company's size and capital, these repercussions could compromise its financial stability, possibly resulting in its decline. Compliance with the DSAR will prevent all this from happening.
Maintain a professional appearance in front of employees, clients, and stakeholders
By complying with DSARs according to the law and answering them efficiently and in a timely manner, your company can appear professional, trustworthy, and efficient.
Employees, and users in general, will be more likely to consent to you storing their data and to do business with you. Plus, by showing that you respect your employees' rights, you will increase employee retention and avoid employee offboarding.
In addition, this will improve the overall reputation of your company, which will attract investors and other companies interested in partnering with you.
How to ensure your company is compliant with employee DSARs
If your company wants to be in compliance with DSARs, it can take steps to prepare and process them accordingly.
The following are a few of the most relevant steps and suggestions to achieve this purpose.
Organize all the data you collect about employees in an orderly way
After employees submit a DSAR to you, you need to be able to identify them and access the personal information about them that you have collected.
This means you need to store the information in an orderly manner and have a database where you can search for the employees and extract their data.
Consider using software that allows for the orderly collection of employee data for this purpose, such as Grove HR.
Train your staff
If you own a medium or large company, your team will probably be involved in managing DSARs. When a request comes in, they should know what to do and how to handle it.
You may need to train your employees to ensure that all the steps are taken and all procedures are followed.
First, ensure that they are aware of the regulations regarding privacy and the collection of user data. Then, train them on how to deal with DSARs.
To accomplish this, you might provide access to online courses, documents, or set up regular online or in-person meetings.
Involve specialists
A lack of regulatory and legal knowledge, or untrained staff, can lead businesses to break the law and face the consequences. This can also happen in uncertain situations, where it is unclear whether the action taken is correct.
If this is the case within your organization, it may be wise to hire specialists or consultants to ensure everything is running smoothly. As a result, employers and employees are able to ask for advice when they need it, ensuring compliance with procedures and actions.
Stay up-to-date on changes to the regulations
As technology advances and more users jump on the web, the governments of different countries may refine their regulations, perhaps adding rights or banning certain procedures.
To stay compliant with such regulations, you and your team will need to keep up to date with changes and news, in order to take the necessary measures on time.
Regularly conduct internal audits
An internal audit can help uncover ineffective and inadequate procedures that lead to non-compliance. Audits may focus on financial, operational, technological, or regulatory aspects of a company.
Having an independent auditor is a good idea when it comes to ensuring compliance.
Conclusions
Internet technologies and the need for companies to collect as much data as possible about their users and employees for marketing or other purposes have made it necessary for states to enact new regulations to protect users' rights.
The DSAR is one of those rights, as it provides employees with the right to learn what kind of information a company has collected about them and the right to correct or delete that information.
Therefore, DSARs are incredibly important for employees, and employers need to ensure that they are in compliance with them.
We hope that this article helped you understand what DSARs are and how they should be managed.
Thank you for taking the time to read this article. If you are interested in reading more, please see this section about organization policy.
About the author
Flavia Silipo is a skilled SEO copywriter and digital marketing specialist with over two years of experience. You can find her on LinkedIn.