If your company is subject to data protection laws like the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), it will soon enough be challenged to respond to data subject access requests.
Under both laws, individuals have the right to see the personal data a company has collected about them, which means they can request access to it. A company governed by either law (and almost any business of any size is subject to at least one, if not both) must somehow be able to accommodate that request.
The idea of DSARs (Data Subject Access Requests) may sound reasonable and straightforward. In reality, complying with this branch of data protection law carries risks, and compliance officers trying to manage their company’s privacy program face no easy task.
What data protection laws actually require
The right of access is set out in Article 15 of the GDPR and in Section 1798.110 of the CCPA (California Civil Code). The two provisions are largely similar, but not identical. Both state that when a person (a consumer, employee, or other individual) submits a verified access request, the company must disclose:
- The categories of personal information collected about the person;
- The purpose of the company for collecting the data;
- The categories of third parties with whom the company shares the person’s data;
- The sources from which the company collected the personal data, if the company did not collect the data directly; and
- The actual personal information that the company has collected.
The GDPR also requires a company to state how long it intends to keep the individual’s data (or the criteria used to decide that period); the CCPA does not. The GDPR gives a company one month to respond to an access request (extendable by up to two further months where requests are complex or numerous), while the CCPA allows 45 days (extendable once by a further 45 days).
One important point: These obligations fall on the company that collects and controls the data (the controller), not on the company that merely processes it on the controller’s behalf.
For example, if a travel website collects information about its customers but stores and processes that information with third-party technology providers, the travel website is subject to Article 15 of the GDPR. The providers are not, because they do not “control” the information; they only process it on behalf of the controller. (Data processors may, however, be contractually required to assist the controller in responding to a DSAR.)
If a company does not respond to a DSAR in time under the GDPR, the person concerned can complain to their data protection authority, which can open an investigation and impose fines on the company. The same goes for the CCPA: individuals can complain to the California Attorney General, who can seek civil penalties of up to $2,500 per violation, or $7,500 per intentional violation. The CCPA’s private right of action is limited to certain data breaches, but handing one person’s records to an impostor because of inadequate verification may well qualify as one, and the costs and damages claims of a resulting class action can escalate quickly.
How to meet data access needs
There are two challenges for compliance officers here.
First, the company needs a process to receive and respond to DSARs at scale. You may have dozens or hundreds of DSARs open concurrently, each potentially requiring your company to search millions of records spread across multiple databases managed by multiple vendors.
Second, as part of this DSAR process, you must be able to verify the identity of the requester and determine what personal information you cannot share with them, since both laws also carve out exceptions to their access provisions.
For example, you could build a self-service model to meet DSARs: a consumer visits your website, proves their identity, and your IT systems then retrieve and display all relevant data for that person. This approach automates much of the fulfillment work and reduces the burden on your staff.
In practice, however, a lot can go wrong with this idea if it is implemented carelessly. A fraudster could impersonate a specific person and, without proper verification procedures, you could hand that person’s data to the wrong requester. Result: a data breach.
Or your systems may share data that should be kept confidential, such as records of a law enforcement investigation into the individual (for credit card fraud or embezzlement, say). Result: law enforcement officers who resent your business, potential civil lawsuits, and similar headaches.
What can compliance officers do to avoid these pitfalls?
Create effective but reasonable practices
First, review the requirements of the CCPA and GDPR to understand what your company must deliver to someone filing a DSAR. For example, you need to be able to acknowledge receipt of the DSAR even if you cannot fulfill the request immediately, and you need to verify the identity of the person submitting it.
Then work with your IT developers to see what procedures can be put in place to achieve these goals given the systems and applications your business uses. The company could use an online submission form to receive DSARs and build verification into that process by requiring individuals to sign in with the user ID and password they previously created with your company (adding multi-factor authentication for extra assurance). The verification step must also confirm that the authenticated account actually belongs to the subject whose data is being requested; otherwise any logged-in user could pull someone else’s records. If you fail to verify the requester’s identity and pass the information to the wrong person, you invite regulatory investigation and enforcement, as well as civil claims from the person whose data was wrongly disclosed.
You also need to understand the circumstances under which you may not share personal data in your possession. For example, you might not be able to provide email correspondence between your company and law enforcement agencies about an ongoing criminal investigation into the subject. You may also be able to withhold data relevant to civil litigation.
Here the compliance, legal, human resources, and IT teams would need to work together to develop procedures that cross-reference data access requests against legal or HR systems. The aim would be controls that prevent confidential information from being disclosed to a data subject inadvertently.
A large company might accomplish this with sophisticated data management that tags personal data according to a taxonomy and automatically flags sensitive records. Smaller organizations may need a more manual approach, with staff reviewing and approving each DSAR individually.
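The following is an added example, not code from the original post or from Hyperproof, showing how the two controls described above fit into a self-service DSAR routine: the requester is tied to an authenticated, MFA-backed session that must belong to the subject whose data is requested (so a logged-in impostor is refused), and records carrying an exemption tag such as a law enforcement or legal hold marker are counted and logged but never returned. The two data stores, the tag names, the records, and the sample requests are all constructed for this example; retention periods and third-party recipients are not modelled. The statutory deadline is computed as one calendar month for the GDPR and 45 days for the CCPA, before any extension.

```python
# Added example: minimal DSAR fulfilment routine (constructed data, not real systems).
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed records about two subjects spread across two systems. "tags" is the
# exemption taxonomy the text describes; tagged records are candidates for withholding.
CRM_STORE = [
    {"subject": "u-1001", "system": "crm", "category": "contact", "purpose": "order fulfilment",
     "source": "direct", "value": "ana@example.com", "tags": set()},
    {"subject": "u-1001", "system": "crm", "category": "marketing preference", "purpose": "email marketing",
     "source": "data broker", "value": "opted_in", "tags": set()},
    {"subject": "u-2002", "system": "crm", "category": "contact", "purpose": "order fulfilment",
     "source": "direct", "value": "ben@example.com", "tags": set()},
]
LEGAL_STORE = [
    {"subject": "u-1001", "system": "legal", "category": "investigation", "purpose": "fraud investigation",
     "source": "law enforcement", "value": "LE inquiry 2024-02 (card fraud)", "tags": {"law_enforcement"}},
]
STORES = [CRM_STORE, LEGAL_STORE]
WITHHOLD_TAGS = {"law_enforcement", "legal_hold"}  # assumed exemption tags


@dataclass(frozen=True)
class Request:
    session_subject: Optional[str]  # subject bound to the authenticated session; None if not logged in
    mfa_verified: bool
    requested_subject: str          # subject whose data the form asks for
    regime: str                     # "GDPR" or "CCPA"
    received: date


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month."""
    m = d.month - 1 + n
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def due_date(regime: str, received: date) -> date:
    """Statutory response deadline before any extension: GDPR one month, CCPA 45 days."""
    return add_months(received, 1) if regime == "GDPR" else received + timedelta(days=45)


def identity_verified(req: Request) -> bool:
    # Authenticated + MFA is not enough: the session must belong to the subject
    # whose data is requested, or any customer could pull another customer's records.
    return (req.session_subject is not None and req.mfa_verified
            and req.session_subject == req.requested_subject)


def fulfil(req: Request, stores=STORES) -> dict:
    """Build the DSAR response; returns no record values for an unverified requester."""
    audit = [f"received {req.received.isoformat()} regime={req.regime} subject={req.requested_subject}"]
    if not identity_verified(req):
        audit.append("refused: identity not verified")
        return {"status": "refused", "records": [], "withheld": 0, "audit": audit}
    due = due_date(req.regime, req.received)
    audit.append(f"acknowledged, due {due.isoformat()}")
    disclosed, withheld = [], 0
    for store in stores:
        for rec in store:
            if rec["subject"] != req.requested_subject:
                continue
            if rec["tags"] & WITHHOLD_TAGS:
                withheld += 1  # record the fact in the audit trail, never the content
                audit.append(f"withheld {rec['system']} record tagged {sorted(rec['tags'])}")
                continue
            disclosed.append(rec)
    return {
        "status": "fulfilled",
        "due": due,
        "categories": sorted({r["category"] for r in disclosed}),
        "purposes": sorted({r["purpose"] for r in disclosed}),
        "sources": sorted({r["source"] for r in disclosed if r["source"] != "direct"}),
        "records": [{"system": r["system"], "category": r["category"], "value": r["value"]} for r in disclosed],
        "withheld": withheld,
        "audit": audit,
    }


# Constructed requests: the genuine subject under each regime, a logged-in impostor
# asking for someone else's data, and the genuine subject without MFA.
GENUINE_GDPR = Request("u-1001", True, "u-1001", "GDPR", date(2024, 1, 31))
GENUINE_CCPA = Request("u-1001", True, "u-1001", "CCPA", date(2024, 1, 31))
IMPOSTOR = Request("u-2002", True, "u-1001", "CCPA", date(2024, 1, 31))
NO_MFA = Request("u-1001", False, "u-1001", "GDPR", date(2024, 1, 31))

if __name__ == "__main__":
    for r in (GENUINE_GDPR, IMPOSTOR, NO_MFA):
        print(fulfil(r))
```

The audit list is what a compliance officer would review: it shows when the request arrived, the computed deadline, and that an exempt record existed and was withheld, without copying the exempt content into a log that is itself disclosable.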
The role of the compliance officer
In all cases, compliance officers need to understand the challenges their organization faces in complying with DSARs, and then develop procedures and controls that meet this regulatory obligation carefully.
These tasks go well beyond simply tracking the personal information your business controls. For example, completing a DSAR includes stating the company’s business purpose for collecting the personal data. Who can define that purpose? Probably someone in marketing, human resources, or operations, but these people are often far removed from regulatory compliance, and “because we can” is not a satisfactory answer. Compliance therefore needs to consult those executives and reach an appropriate consensus on what data is collected and why.
As mentioned earlier, the compliance officer also needs to work with IT, legal, and HR teams (and likely others) to develop DSAR procedures and controls that make sense for your business. It’s about clarifying risks, roles, and responsibilities, and making sure everyone has the right tools and processes to do their part in meeting DSARs. And compliance officers themselves need to be able to monitor and audit DSAR handling to confirm that everyone is following policies and procedures correctly.
In a modern company with so many systems and so many third parties working under your company’s umbrella, none of this will be easy. But given the damaging consequences of a failed privacy program, getting it right is imperative.
About the author
Matt Kelly is the editor of Radical Compliance, a blog dedicated to corporate compliance and risk issues. He also speaks frequently on compliance, governance, and risk issues. Kelly was named a “Rising Star of Corporate Governance” by the Millstein Center for Corporate Governance in its inaugural class of 2008, and appeared on Ethisphere’s “Most Influential in Business Ethics” list in 2011 (No. 91) and 2013 (No. 77). In 2018 he won a Readers’ Choice Award from JD Supra as one of the top 10 authors for corporate compliance.
The post Data Access Requests Under GDPR and CCPA appeared first on Hyperproof.
*** This is a Hyperproof blog post syndicated by Security Bloggers Network and written by Matt Kelly. Read the original article at: https://hyperproof.io/resource/data-access-requests-gdpr-ccpa/