With recent legislation developments ensuring citizens’ rights to request their personal data that companies hold, companies are facing a turbulent future. Compliance is not optional. Now, the race is on. Citizens will be reaching out to companies, requesting disclosure. Companies need to adopt a software solution that enables fast and reliable personal data search and reporting.

What is DSAR?

The Data Subject Access Request policy basically states that citizens may request, under the General Data Protection Regulation (GDPR), that a data controller (business or other organization) disclose the requester’s personal data that the organization holds about them.

Companies need to respond in a defined time frame and provide the information to the requestor. Companies also need to be able to edit or delete personal data upon request from a citizen. To successfully fulfill these tasks, companies and organizations need reliable Data Subject Access Requests (DSAR) Software solutions that meet all the requirements set by the DSAR initiative.

Different countries have different interpretations of the DSAR policy, complicating an already daunting challenge of compliance.

It all starts from the EU General Data Protection Regulations (GDPR) which replaced the old 1995 data protection directive. It was published in May 2016 and went live on May 25, 2018.

In the United States, the closest GDPR equivalent is the California Consumer Privacy Act (CCPA) that became law on January 1, 2020. It is the first US-based consumer privacy regulation.

The state of Washington is currently working on legislation known as the Washington Privacy Act (WPA). The WPA regulation is stronger than CCPA and uses some GDPR concepts, therefore it is viewed as a leading example of consumer privacy regulation in the U.S.

There is obviously a movement towards nation-wide acceptance and formalization of the Data Subject Access Requests initiative, so citizens can claim ownership of their data, regardless of who holds this data.

Who gains from the DSAR and who are the stakeholders?

Clearly, the citizens are the main winners in this process; they gain new fundamental rights: personal data privacy and protection. Individuals get the right to ask companies and organizations to disclose what data they hold, and request further action such as editing, moving or deletion beyond recovery of that data.

Companies and organizations, also known as data controllers, must ensure that the Data Subject Access Request initiative really works. Companies and organizations are expected to deliver on DSAR. They will have to fulfill these new obligations by developing internal processes, workflows, and technologies that allow full compliance. Data controllers are expected to return a notice within 24 hours after receiving the data access, and they are expected to answer the data access request within a month after the request was submitted. Failure to comply can have legal ramifications and will also include fines

In some cases, data controllers can have external data processors who have the responsibility to handle these data access requests on behalf of the controllers. They should implement all measures needed to receive the request and respond to it in a timely, secure fashion.

While DSAR is a fairly straightforward high-level idea, the nuances are challenging. A citizen submits a to a company or organization, using their DSAR workflow processing software. The company’s staff receives this request. Then the controllers and data processors find all the data on that citizen and reply to the request. So-far, so-good.

However, receiving the request requires a more complex software that will help the organization verify that the requestor is the same person that would be the data-subject. Otherwise, the company would face the ramifications of disclosing personal information to third parties.

Then, the ability to pull all the data from all data sources, and combine it in a single report, is also challenging. If the data requester asks for data edits, the company should be able to send these data updates to the specific location, making DSAR not only a data retrieval but also a data modification process.

On top of that, this DSAR software would need to have auditing capabilities, which means strict user access level controls and logging of every single action that is taken around each case.

Why should you care about DSAR?

Compliance with these regulations is not optional. Companies and organizations must adhere to the DSAR initiative and the legal frameworks like GDPR, CCPA, and WPA.

Failure to comply will almost always result in fines. The Barnes v. Hanna Andersson case is the very first case for violations based on the CCPA. The minimum amount of that case damage is a million dollars. In just 30 days from the CCPA launch, this case was opened on February 3rd, 2020 against SalesForce and Hanna Andersson, LLC.

Fines from GDPR in Europe are an almost everyday occurrence, ranging from a few hundred euros to a 99 million pound fine against Marriott International Inc. for a data breach.

According to the latest Talend’s survey, only 42% of all companies and organizations were able to successfully respond to DSARs. According to a report by Gartner, the average cost to process a single DSAR request is $1400. Such a high fee implies that the process is manual and labor-intensive.

Companies and organizations are hard-pressed to process a growing number of DSAR requests under a threat of lawsuits and any company and organization storing personal data could be the next target.

The Microsoft Example: Preemptive DSAR Compliance

Microsoft has chosen to deal with DSAR requirements proactively by implementing their DSAR software solution nationwide, not just in California.

One recent review of the 50 companies from the Fortune 500 list made by the Data Protection Report indicated that it will be much more difficult to differentiate users in California versus the entire U.S. The complexity will grow when all new state regulation initiatives are in place: New York Privacy Act (S5642), Massachusetts (SD 341), New Hampshire (HB 1680-FN), and Virginia (HB 473), for example.

Hopefully, federal unification of the regulations will happen quickly. The process to unify regulations is being addressed through the Online Privacy Act (H.R.4978) bill introduced in the US Congress, which includes a provision that users have the “right to choose how long data can be kept and opt-in consent for the use of data for A.I. algorithms.”

Next Steps: Tools of the trade

While the Data Subject Access Request framework is relatively new, it is still a process that can be automated to a large degree. Using existing technologies for business process management, data storage, form submission, document search and redaction can significantly simplify the process of becoming DSAR compliant, regardless of the local legal frameworks such as GDPR, CCPA, WPA, etc.

Here are just a few trusted technology providers who have been in the document management and case management industry. Companies don’t need to build an entirely new technology stack from the ground up to get a solid DSAR software.

Alfresco Digital Business Platform

Alfresco recently announced several changes to their software solutions according to GDPR and CCPA regulations. This makes the Alfresco platform a reliable DSAR Software solution:

“Alfresco has updated its Alfresco Governance Services, introduced new Federation Services that enable ‘Manage in Place’ records management, enhanced its E-Discovery and ‘Legal Hold’ with Artificial Intelligence (AI), and added Governance to Desktop Synchronization.”

Here are a few key benefits that Alfresco brings on the market:

1. Alfresco Federation Services enables users to perform a search through different business and content repository types from a single application with no need for content migration. Now they can search, view and manage information even from non-Alfresco repositories from a single user interface and take any action they like – place the data on hold or export it for further use in e-discovery or review tools. This is a so-called “Manage-in-Place” feature – a single point of access without migration.
2. Alfresco Governance Services now has AI-powered e-Discovery. It eliminates the complexity of the “Legal Hold” process and speeds up e-discovery tasks. Now companies can process requests faster, even with information stored across geographical borders or different systems.
3. Desktop Synchronization is now synchronizing not just the data through different repositories but also the data record management policies that are associated with that data. The predefined level of governance will remain associated with different repositories or user’s desktops.
4. Automation of digital filing and detection of Personal Identifiable Information (PII) provides greater data security and protection in the DSAR process.

With Governance Services as a part of the open source Alfresco Digital Business Platform -the platform can serve as a part of a DSAR software solution.

ArkCase Open Source Case Management and DSAR Solution

If we see DASR software solutions from a workflows perspective, we can easily recognize that any data privacy request, at its base, is a new case. Creating, managing, tracking, and responding to these requests is similar to responding to any other case: legal, FOIA, complaint, etc.

Companies with experience in service request management solutions are developing and promoting DSAR software solutions. ArkCase is one of these DSAR software solutions.

ArkCase is an open source case management system that integrates with the industry leaders such as Alfresco, Content Server, Documentum, Mobius, Ephesoft, etc. With its modular open source platform, configuring specific workflows is fairly straightforward.

The ArkCase Data Request Management module provides a fully functional DSAR software solution out of the box.

For years, ArkCase has supported receiving, processing, tracking, and responding to requests for similar use cases, and has been optimized to support a DSAR application for fast, secure, reliable case management solution.

In ArkCase, editing forms and workflows use a low-code, drag-and-drop technology so that even non-technical staff can easily verify or adapt the functionality to their specific needs. It provides standard but customizable request forms and workflow solutions.

ArkCase can also be easily deployed in different environments in compliance with data storage and security regulations.

Wrap-up

The DSAR initiative spawned legal frameworks like GDPR, CCPA, and WPA, and more regulations are in the works until a nation-wide data privacy law is enacted. Only one month after the CCPA law went into effect, there is already a major lawsuit based on its requirements.

Companies should follow the Microsoft example in erring on the side of caution and adopt a DSAR software solution as soon as possible. Luckily, established companies like, Alfresco and ArkCase have developed software solutions to address these regulations.

If you’re looking for a DSAR software solution, hopefully this post was helpful. For more information, don’t hesitate to write us or give us a call. Armedia has been supporting agencies and companies with their data management and case management needs as a solutions integrator. Feel free to give us a call for a no-obligation consultation.

In the meantime, don’t forget to share your opinions in the Comments section below, and share this blog post on social media.