DSARs Are the Rising Discovery Requirement That Just About All Organizations Can Face: eDiscovery Trends

Discovery isn’t just for litigation anymore.  The rise in importance of data privacy compliance has forced organizations to be prepared to support discovery related to data being managed by the organization about data subjects.  And unlike litigation, which many companies don’t have (or at least not to the point that they require eDiscovery technology to help manage their discovery workflows), data privacy compliance affects just about every organization out there, so your organization needs a workflow to support these requests from data subjects regarding their data.

The formal name for these requests is Data Subject Access Requests (DSARs).  The term “DSAR” became popular when the General Data Protection Regulation (GDPR) became effective in May 2018. Regulations like GDPR and the California Consumer Privacy Act (CCPA) give individuals the right to request information about the way companies handle their personal information, and a DSAR is the mechanism by which that request is made.

DSAR requests typically include:

  • Contact information of the data subject (including name, email address, and phone number);
  • The type of request, which typically falls into one of the following categories: 1) Identify the information you collect on customers, 2) Identify the information you collect on me, 3) Delete my information, or 4) Take my data elsewhere;
  • An open description field where the data subject can provide additional description to their request.

A data subject typically makes his or her request via email or an online form. The organization then needs to verify the requestor’s identity – after all, we can’t have people making data requests about themselves without proving who they are, can we? – and presence within their organization’s data collection, then track the request through to resolution. Organizations are typically required to respond within 30 days, but if the request is complex or large, you can request an extension of up to two months, though you must explain the reason for the delay.

In the case of GDPR, in addition to a copy of the data held on them, the data subject is entitled to supplementary information including the purpose of data processing, categories of data concerned, recipients, period of storage, the source of the information, and the existence of automated decision making.

To be prepared to respond to DSARs, you need to identify someone in the organization who is tasked with not only responding to DSARs, but also management of compliance in general with privacy regulations.  In many cases, that person is designated as the Data Protection Officer (DPO) of the organization.  You then need to develop guidelines for handling data and develop a standardized workflow for responding to DSARs that includes automated processes to the extent possible.

According to a new survey released by compliance technology company TrustArc (covered by LegalTech News® here), over 1,500 respondents were asked to identify what areas, if any, were solutions deficient in meeting their privacy needs. “Automating processes” was named by 19 percent of respondents, placing it at the top of a list that also included “ease of administration” (18 percent), and “tracking how personal data is being processed” (18 percent).


And, as for CCPA compliance, which (as I noted last week in my first weekly blog post on Ipro’s blog) is still on track for enforcement starting July 1, only 47 percent of U.S. respondents and 31 percent of European respondents indicated that they were “very likely” to be compliant with CCPA.  Hilary Wandall, senior vice president of privacy intelligence and general counsel at TrustArc, suggested that at this early stage of the CCPA’s life span, businesses may be willing to take the financial risk of a regulatory compliance action as they wait to see how the law is enforced, much like they did with the GDPR.

We’ll see.  Regardless, expect to see more and more DSARs over time from data subjects wanting information from organizations on how their data is used.  If your organization stores data for consumers (or even employees, who can submit DSARs as well), it’s important to have a formal plan and workflow for managing DSARs you may eventually receive (if you haven’t already).

So, what do you think?  Has your organization been required to respond to DSARs yet?   Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the authors and speakers themselves, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.


  1. Data Inventory, Data Mapping, Data Retention Plan, Data Elimination Plan, Clear Stakeholders. That will be cheaper than all the impending litigation.

Leave a Reply