6 Keys to Automating the DSAR Process Under CCPA

DSAR Fines Under CCPA and GDPR Regulation

Different laws specify how these requests should be managed in different jurisdictions. Breaching DSAR rules has led to more than a dozen fines so far under the European Union’s General Data Protection Regulation (GDPR), including a recent fine of €200,000 sanctioned against a German company for refusing to provide the requested information. Other common reasons for DSAR fines have included failure to respond to requests in time and failure to provide complete personal information to DSARs excluding video, audio, and phone recordings.

The new California Consumer Privacy Act (CCPA), which came into force on January 1st, 2020, is set to be at least as tough on penalties as the GDPR. The CCPA provides that companies will be subject to a civil penalty of between $2,500 and $7,500 per violation of the CCPA, which includes the DSAR mandate. While we can't say at this stage how the courts will interpret 'per violation', for large businesses, it is clear that fines could reach into the hundreds of millions in some cases.

What to Expect from CCPA fines?

Compliance with the CCPA has a massive reach as there are over 40 million Californian’s which means most organization’s databases will have at least a few in their systems. Furthermore, it is expected that other states, such as New York, Washington, and Illinois will use the CCPA as a blueprint and follow up with the legislation of their own.

You can read more about some of the differences between the GDPR and the CCPA here.

Now that we have laid the groundwork, let’s walk through the steps to implementing an efficient and cost-effective DSAR procedure.

Automation is Essential

Personal information is an extremely broad category of information. The CCPA defines personal information as information that: “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier perhaps a login name, online identifiers such as an IP address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.”

While the request to access this information is commonly called a DSR, other common names include:

• DSAR - Data Subject Access Request
• VCR - Verifiable Consumer Request
• IRR - Individual Rights Request
• SRR – Subject Rights Request
• SAR – Subject Action Request

Complying with these requirements in the CCPA has the potential to be time-consuming and expensive: PwC estimates that businesses have already spent more than $5 million on average preparing for the CCPA.

The motto for CCPA compliance needs to be ‘automate where you can’. Planned automation will result in:

• Financial cost savings in the DSAR Process
• Reduced risk of financial compliance penalties due to more robust compliance processes
• Reduced risk of brand loss

Companies need to consider the consumer’s right to make a DSAR –the right to request access to personal information alongside related rights under the CCPA. That is, the right to request the deletion of information and the right to opt-out of the on-sale of their personal information to a third party.

Beyond the compliance imperative, consumers are increasingly demanding data transparency, which consequently drives DSAR growth. Just as with other consumer preferences related to their moral or personal convictions, consumers will increasingly pay a premium for a company that takes care of their personal information. Automation is crucial to bring those consumers the data they request, quickly, and in the format they desire.

6 Key Steps to Processing DSAR’s Under CCPA & GDPR

In order to respond to DSARs, companies need to have a robust process in place. Let’s go through 6 steps that we believe will fulfill the requirements of CCPA, the expectations of your customers while providing accuracy and ultimately saving your organization time and money.

1. Collect & Process DSARs

The first step for dealing with DSARs is the efficient collection of verified consumer requests. It is recommended that companies have a data request form on their website to enable the ready acceptance of DSARs. Ideally, this form should:

• Be embedded into the company website, so it’s easily accessible to the consumer;
• Be customized, depending on regional requirements and the additional needs of the company. This may mean multiple forms for consumers from different regions;
• Allow consumers to select from a series of predefined choices (e.g., a drop-down box) to avoid overly general or vague requests. This is also useful for establishing if the consumer has a different, related, request such as a request to delete their personal information;
• Include strong identity verification measures. These measures protect incoming requests, prevent fraud and eliminate incoming bots.

2. Collect Personal Information and identify the owner

Once the request has been submitted, the company systems need to locate the consumer’s information. Elements of personal information collation include:

• Locating information from disparate systems. Personal information is often in different places and in various forms: Some of it may be contained on-premises, some may be stored on cloud services, some information may be contained in emails. Often the data is both structured (such as data found in databases) and unstructured (such as data sitting in emails);
• Coordinating with third-party vendors to accumulate all the relevant information;
• Ensuring each required aspect of the personal information is collated. Under the CCPA, collated information must include the categories of personal information collected, the categories of information sources, the commercial purposes for the information, the categories of third parties with whom information has been shared and the categories of that personal information.

3. Orchestrate Tasks for Review & Approval

While it is recommended that the collection of personal information in step two use an automated process, there is still an essential human element. Privacy team members within the business or other employees will generally need to follow up on unresolved issues from the automated collection. For example, if the system flags potentially duplicate information, this may need to be manually checked.

An automated system can ensure delivering notifications and that tasks are assigned to team members within and outside the business.

4. Collaboration

Once personal information has been identified, it will often be essential to collaborate across business units and with third parties to organize the information, verify it, and complete the request.

Personal information should not be sent over insecure systems for review and approval. An automated process here can allow for a ‘virtual Ops-Center’ - A secure space for team members to securely work together to discuss, coordinate and resolve issues as consumer responses are compiled.

5. Deliver Responses Securely

Once the DSAR response content has been prepared and a compliance report created, it needs to be securely released to the consumer. These reports should be provided to consumers:

• In an easy to transfer format, and
• In a secure format that is not vulnerable to alteration or tampering during transport (e.g., encrypted with a key unique for that consumer).

Due to the possibility of an audit or legal action, a company must also keep excellent records of DSAR fulfillment in order to demonstrate compliance with the CCPA.

6. Consider DSAR Exemptions and Refusals

In addition to requesting access to the information itself, a DSAR can also be accompanied by a request to delete that information. There is a range of exceptions and exemptions built into the DSAR rules which businesses need to be aware of. This helps balance the individual’s desire for privacy and a business’s requirement to retain that data.

The exceptions to erasure in the CCPA include:

• Information required to complete a transaction;
• Security. Sometimes information must be retained in order to detect fraud, prosecute those responsible and debug errors;
• Errors. Some personal information may need to be retained to identify and fix program errors;
• Exercise Free Speech;
• CalECPA (California Electronic Communications Privacy Act) compliance. This means that businesses don’t need to delete certain information when state law enforcement have requested personal information;
• Personal Information collated for the purposes of research in the public interest;
• Expected internal uses;
• Legal Compliance. Any personal information a business has to keep to satisfy a legal obligation is not subject to consumer deletion requests.

An automated system can flag any personal information that should not be deleted for these specified reasons.

How DSAR Automation Reduces the Financial Cost of the DSAR Process

The financial costs of manually carrying out the steps 1-6 are significant. Manual processing of DSARs can cost a company between $1,400 to $10,000 per DSR request, depending on the complexity of its organization. With automation, we estimate the following savings in the DSAR process:

• A 90 percent saving on work hours for identifying personal information and 60 percent reduction in work hours for assessing that information
• A substantial reduction in the financial costs of other CCPA compliance tasks. For example, automated processes for identifying personal information are extremely useful when working out which consumers need to be notified in the case of a data breach
• Dealing with request ‘spikes’. The speed at which automation allows a company to deal with a DSAR also permits the company to more efficiently manage ‘spikes’ in requests where many consumers make a request at the same time.

How DSAR Automation Reduces the Potential Financial Costs of Non-Compliance

In addition to the reduced financial costs in process DSAR requests, there are potential savings from a reduced risk of non-compliance as well. These savings result from:

• Reducing the compliance risk caused by human error. Collating data manually is subject to human error in a way that automated machine learning solutions are not. In addition, the steps for processing and responding to a DSAR manually, add to ‘data sprawl’, and a risk that information shared through insecure channels could itself be breached
• The time and energy spent in dealing manually with DSAR could be better devoted to other compliance tasks
• Demonstrating Compliance. It is essential under the CCPA that a business be able to demonstrate its compliance if it were to face legal actions from consumers or the California Attorney-General. An automated procedure is much better at automatically recording compliance steps taken.

How DSAR Automation Reduces the Risk of Brand Loss

Faster response times, the ability to deal with request ‘spikes’, and responses to consumers that make it clear to them that their information is secure, all add to the consumer’s positive experience with that brand. Businesses that manage DSAR manually run the risk of losing out to the competition that can demonstrate greater respect for data privacy and protection.

In addition, a satisfied consumer whose response to a DSAR is received in a timely manner is less likely to pursue legal action against the company and substantially hurt its brand by not purchasing its products or by providing poor reviews.

DSAR Automation Key Takeaways

• Complying with the CCPA and other data protection laws and regulations requires that companies have a robust DSAR procedure in place. The majority of companies need to take this into account – not just those located in California.
• We recommend six broad steps to a robust DSAR Procedure. Collecting requests, collecting information, processing, collaboration, secure DSAR delivery, and exception processing.
• We strongly recommend an automated solution for implementing these six steps. This reduces the costs of the process, reduces the risk of compliance penalties and will protect you from brand loss.
• PRIVACI has automated solutions for processing DSARs under the CCPA as well as other regulatory regimes.