Data Subject Access Requests: Compliance, Record Retention, Customers vs. Employees, GDPR, and U.S. State Law Mandates

This program has been cancelled

A live 90-minute CLE video webinar with interactive Q&A

Thursday, September 30, 2021 (in 5 days)

1:00pm-2:30pm EDT, 10:00am-11:30am PDT

(Alert: Event date has changed from 9/9/2021!)

This CLE course will provide corporate counsel with best practices on compliance with data subject access requests (DSARs) under the GDPR, CCPA, CPRA, and other privacy laws. The panel will discuss current activity under the GDPR and the potential for abuse, how best to differentiate employee DSARs from consumer requests, and technology requirements for automating complex employee DSARs.


A right to access personal information an organization collects about an individual is a primary feature of most major data privacy laws. These rights generally extend to customers, potential customers, and others.

Counsel must know how to recognize an access request, what the process is for responding to one, and what are special issues to keep in mind. Business counsel should understand the compliance timeframe for current major regulations.

Under the GDPR, DSAR compliance means conducting a reasonable and proportionate investigation on its collection and use of consumer data. What "reasonable" means depends on many factors and may require discretionary judgment. Businesses may establish a policy regarding how much employee time is reasonable to complete a request under the GDPR.

DSARs give individuals the right to discover data an organization has on them, why the organization has the data, and with what third parties the organization shares the information. Data may include everything from email addresses and phone numbers to tracking scripts and cookies. Counsel will help establish the means of improving DSAR compliance by purging unnecessary data, creating a written procedure for access requests, and leveraging technology to respond to requests cost effectively. Establishing these processes is necessary to avoid potentially onerous fines for violating data privacy regulations.

Listen as our expert panel addresses how to comply with data privacy laws from GDPR to CPRA and the typical data subject access request from both employees (where applicable) and consumers.



  1. Data subject asset requests
    1. General Data Protection Regulation
    2. CCPA and CPRA
    3. Other privacy laws
  2. Employee requests vs. consumer requests


The panel will review these and other relevant topics:

  • How can an individual make a DSAR with an organization?
  • How long does an organization have to comply with a DSAR?
  • How should a business respond to a DSAR request? Does the company have to provide a consumer with every piece of personal data it has?
  • What are special issues and considerations to keep in mind?
  • What are steps organizations can take to prepare?


Brown, Glenn
Glenn A. Brown

Of Counsel
Squire Patton Boggs

A senior member of the firm’s Data Privacy & Cybersecurity Practice Group, Mr. Brown provides...  |  Read More

Kagan, Odia
Odia Kagan

Partner; Chair of GDPR Compliance & International Privacy
Fox Rothschild

Ms. Kagan combines her in-depth knowledge of privacy and data security regulations and best practices, both domestic...  |  Read More