If your company is subject to data protection laws such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), it will soon face data access requests.
Under both laws, consumers have the right to access any personal information that the company has collected about them, which means they can request a copy of their data. A company that complies with both laws – and almost all large companies comply with at least one of them – must be able to meet this requirement in one way or another.
The idea of data subject access requests (DSARs) may seem reasonable and simple. In fact, compliance with this part of data protection legislation is risky, and compliance officers trying to run their company's data protection program do not have an easy task.
What the data protection laws actually require
The right of access to data is laid down in Article 15 of the GDPR and in Section 3 of the CCPA. The two provisions are broadly similar, but not identical. Both require the company to disclose the following information when a person – a consumer, an employee or anyone else – makes a verified request for access:
- the categories of personal information collected about the individual;
- the company's business purpose for collecting that data;
- the categories of third parties with whom the company shares personal information;
- the sources from which the company collected the personal information, where it did not collect it directly; and
- the actual personal information the company has collected.
In addition, the GDPR stipulates that the company must state how long it intends to retain a person's data; the CCPA does not. The GDPR gives a company 30 days to respond to a data access request (sometimes longer for complex cases), while the CCPA gives 45 days.
An important point: These provisions apply to the company that collects and controls the data, not to the company that processes them.
For example, if a travel website collects information about its customers but stores and processes that information with external technology vendors, the travel website falls under Article 15 of the GDPR. The vendors do not, because they do not control the information; they only process it on behalf of the controller. (Although data processors may well be involved in fulfilling a DSAR.)
Under the GDPR, if the company does not respond to the DSAR in a timely manner, the data subject can lodge a complaint with his or her data protection authority, which may investigate and impose sanctions on the company. The same applies under the CCPA: individuals can file a complaint with the attorney general, who can impose a $7,500 fine. In addition, consumers can also bring class actions, whose costs and damages can quickly add up.
Fulfilling a data access request
The challenges for the compliance officers are twofold.
First, the company needs to receive and respond to DSARs at scale: you may have tens or hundreds of DSARs open at any given time, so your company may need to search millions of records scattered across multiple vendor-managed databases.
Second, as part of the DSAR process, you must be able to verify the identity of the requester and determine what personal information you may not provide to him or her, since both laws also provide exceptions to the DSAR provisions.
For example, you could try to build a self-service model for fulfilling DSARs. A consumer visits your website and verifies his or her identity, and your systems then retrieve and display all data relevant to that person. This approach lets you automate most of the fulfillment work, reducing the workload on your employees.
In practice, however, a lot can go wrong if this idea is implemented carelessly. For example, an impostor may claim to be a specific person, and without proper verification procedures you may hand that person's personal information to the wrong party. Result: a privacy breach.
Your systems may also share information that must be kept confidential, such as information relating to a law enforcement investigation of a person (for example, credit card fraud or theft). Result: law enforcement officials annoyed with your business, potential civil litigation and similar headaches.
What can compliance officers do to avoid these pitfalls?
Define effective but reasonable procedures
Start by reviewing the requirements of the CCPA and the GDPR to understand what your organization needs to deliver to someone who submits a DSAR. For example, you should be able to acknowledge receipt of a DSAR even if you cannot fulfill the request immediately. You must also verify the identity of the person making the DSAR.
Then talk with your IT team about what processes could be built to achieve those goals, given the systems and applications your organization uses. A company might use an online form to receive DSARs and build verification into that process by asking individuals to enter a username and password they previously created with your company. (You could even require multi-factor authentication for extra assurance.) If you take no steps to verify the requester's identity and the information ends up with the wrong person, that can lead to a regulatory investigation and to government and civil action against you.
You must also understand the circumstances under which you should not hand over personal information in your possession. For example, you should not disclose emails between your company and law enforcement agencies relating to an ongoing criminal investigation of that person. You may also withhold data relevant to civil litigation.
Here the compliance, legal, HR and IT teams must work together to develop procedures for cross-checking data access requests against legal or HR systems. The goal is to develop controls that prevent confidential information from being inadvertently passed to the requester.
A large company might achieve this with advanced data management tooling that tags personal information according to a taxonomy, so that sensitive information is flagged automatically. Smaller organizations may need a more manual approach, with staff reviewing and approving DSARs on a case-by-case basis.
Role of the Compliance Officer
In all cases, compliance professionals must understand the challenges your company faces in fulfilling DSARs, and then develop procedures and controls that adequately meet this legal obligation.
These tasks go far beyond simply keeping the personal data under your company's control. For example, part of fulfilling a DSAR is stating the company's business purpose for collecting personal information. Who can identify that purpose? Probably someone in marketing, human resources or operations – but those people often do not follow the rules closely, and compliance alone may not have the answer either. You will therefore need to consult those leaders and reach a reasonable consensus on what data is collected and why.
As mentioned above, a compliance officer will also need to work with the IT, legal and human resources teams (and possibly others) to develop DSAR procedures and controls tailored to your company's needs. That means clarifying risks, roles and responsibilities, and ensuring that everyone has the right tools and processes to contribute to DSAR fulfillment. Compliance officers themselves must also be able to monitor DSAR handling and confirm that everyone is following the correct policies and procedures.
In today's world, with so many systems and so many third parties working under your organization's umbrella, all of this will be difficult. But given the damaging consequences a poorly functioning data protection program can have, it is essential to get it right.
About the author
Matt Kelly is the editor of the Radical Compliance blog, which covers corporate compliance and risk. He also speaks regularly on compliance, governance and risk. Kelly was named a Rising Star of Corporate Governance in the inaugural class of 2008 by the Millstein Center for Corporate Governance, and was named one of the most influential people in business ethics by Ethisphere in 2011 (No. 91) and 2013 (No. 77). In 2018, he received the JD Supra Readers' Choice Award as one of the top ten authors in the field of corporate compliance.
The post Data Access Requests under GDPR and CCPA appeared first on Hyperproof.
*** This is a Security Bloggers Network syndicated blog from Hyperproof, written by Matt Kelly. The original post can be found at: https://hyperproof.io/resource/data-access-requests-gdpr-ccpa/.