A primary feature of most major data privacy laws is what is called a data subject access request (“DSAR”), which provides individuals with the right to access personal information collected from them by organizations. These rights generally extend to customers, potential customers, employees and others; if you’ve collected data from an individual located in a regulated jurisdiction, then they’re likely to be in scope. What does that mean for your organization? What tasks do you have to complete to comply with these DSARs? What are the repercussions from ignoring a DSAR? How will you manage DSARs as they increase in volume and intensity? We’ve heard versions of these questions from our customers, and have organized the primer below with the things that you need to know to keep your organization in compliance.
How can an individual make a DSAR from your organization?
Generally, an individual can make an access request in any form, including by email, letter, social media message, over the phone or even verbally in person. For certain regulations such as the California Consumer Privacy Act, organizations must provide access to an online form if they have a publicly-accessible website.
How long does my organization have to comply with a DSAR?
It depends on the regulation, and we’ve provided this handy guide to walk you through the differences in the major regulations currently in existence. We’ll continue to update our resources as additional data privacy regulations are enacted and implemented around the world (they’re sprouting up by the day). As a quick example, under GDPR organizations generally have 30 days to respond to a request, while under CCPA that time period is 45 days. Extensions are available depending on the size and scope of the request.
Am I required to locate absolutely every piece of personal data requested within the DSAR?
While every regulation is different, generally complying with the DSAR means conducting a reasonable and proportionate search in light of the amount of data collected and how it is used. What does “reasonable” mean? That’s a subjective term, so it will depend on a variety of factors and may require a judgment call. Having a policy in place at your company regarding the amount of employee time you deem reasonable to complete a request (e.g. up to 90 minutes) may be helpful as a guideline. Just don’t expect complying with DSARs to take 90 seconds each time.
What kind of information can an individual request in a DSAR?
DSARs give individuals the right to discover what data an organization is holding about them, why the organization is holding that data and to whom else their information is disclosed. Are you collecting email addresses and phone numbers? That counts. Is your website using tracking scripts and cookies? Guess what, IP addresses are considered personal data, so that information is in scope. The more data you have, the more difficult, time-consuming and expensive responding to DSARs may become.
How can my company improve its DSAR compliance?
We recommend a three-pronged approach:
1) Purge unnecessary data! This is called “data minimization”, a practice that involves deleting old and unused information, and is an ounce of prevention that can save you a pound of cure in the form of sifting through mountains of data for each DSAR.
2) Create a written procedure for your staff to deal with access requests to include:
· details on how individuals can make an access request;
· how the person’s identity is verified before granting the request;
· how the firm should search for the data; and
· how the data is reviewed before being sent out.
3) Leverage technology (and we’re not talking about Microsoft Office tools) that can provide a flexible and scalable approach. Remember those 4 steps that we outlined in #2 above? Clym’s platform handles these items seamlessly and allows you to manage DSARs in a cost-effective manner. We expect DSARs to increase exponentially in the next few years as consumers gain awareness of their rights related to data privacy. You’re going to need a scalable program, and that requires a technological solution.
What are the fines for failing to comply with DSARs?
As with most things data privacy, this depends on the jurisdiction. Failing to respond to DSARs can result in GDPR violations of up to €20 million or CCPA violations of up to $7,500 per incident (read: each time you fail to respond to a DSAR). Typically, organizations are fined for failing to respond to requests in a timely fashion and failing to conduct a reasonable search related to personal data.
There’s no one-size-fits-all solution to global data privacy; that’s true for DSARs and many other aspects of laws across jurisdictions. The one constant is that transparency and access are two primary goals of data privacy laws, and organizations will be well served to leverage dynamic platforms to help comply with global regulations as they continue to be enacted, implemented and modified.
How Can Clym Help?
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with GDPR, CCPA, LGPD and other laws as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt-out of data collection while not infringing upon the website UI that businesses rely on to drive revenues. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.