Before an organization can respond to data subject access requests (DSARs), it needs to have a clear understanding of the data in its possession, such as what types of personal data are collected, where they are stored, how they are processed, who has access to them, and how long they are retained. This will help the organization to locate and retrieve the relevant data for each DSAR, and to ensure that the data are accurate, complete and up to date. Understanding the data in its possession will also help the organization to comply with other data protection principles and obligations, such as data minimization, purpose limitation, security and accountability.
The other options are less important, or are not the right thing to do first. Investing in a platform to automate data review may speed up the response process, but it does not guarantee that the organization has identified all the data sources and categories that are subject to DSARs. Confirming what is required for disclosure is also important, but it depends on the specific request and the applicable law or regulation. Creating a policy for handling access requests is good practice, but the policy should itself be based on a thorough understanding of the data in the organization's possession.
References:
Practical Data Security and Privacy for GDPR and CCPA - ISACA, section 2: “It is important to understand what personal information is collected and processed by an organization.”
Introduction to Data Subject Access Requests - Everlaw, section 3: “The first step in responding to a DSAR is identifying where the relevant personal data reside within your organization.”
Guidelines 01/2022 on data subject rights - Right of access, Version 1, section 2.1: “The controller should have a clear overview of all processing activities involving personal data.”