Securiti Named a 2022 Cool Vendor in Data Security by GartnerDownload Now
Published on August 18, 2022 AUTHOR - Eric Andrews
An individual (data subject) may submit a Data Subject Access Request (DSAR) to a company to find out what information has been collected and stored about them or to ask that certain actions be taken with their data. A DSAR can be used to request that data be deleted, incorrect information be corrected, or that future data collection be opted out of.
Legal sections within the CCPA and GDPR outlining businesses’/data controllers’ responsibility to adhere to DSARs:
Cal. Civ. Code § 1798.130(a)
In order to comply with Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125, a business shall in a form that is reasonably accessible to consumers:
Article 15 GDPR
An enterprise served with a DSAR is legally obligated to fulfill these requests within a limited timeframe to avoid non-compliance. This is why automating the processing of DSARs is necessary to respond within the aforementioned timeframe. So, let’s discuss the importance of DSARs, how they differ under CCPA and GDPR, and how your business can cost-effectively prepare for and automatically respond to DSARs, which are likely to increase substantially in a post-CCPA world.
DSARs give consumers unprecedented control over their personal information stored by organizations, from access to data and requesting information on stored data to requesting information on the data safeguards the organization provides. With CCPA, consumers can request DSARs twice a year at no cost whatsoever.
For businesses, speedy and accurate fulfillment of DSARs substantially boosts their brand image while also ensuring compliance with CCPA regulations. However, some estimates put the cost of the fulfillment of each DSAR could be in the thousands, since it requires data gathering across a multitude of systems, putting them in one place, going through data records and compiling it all in a comprehensive report. Moreover, fulfilling each DSAR can take weeks. This is where a solution based on automation can be a potent weapon.
While both CCPA and GDPR provide consumers with mechanisms to exercise greater control over their data, there are some fundamental differences between how much power a consumer has under each law. Let’s have a look:
A Data Subject Access Request (DSAR) is a formal inquiry made to a company by a data subject inquiring what of the data subject's personal information has been collected, stored, and used. Anyone who is a data subject can submit a request.
If the person submitting the DSAR has the data subject's consent, they may also do so. Examples include:
In the event someone else is requesting DSAR, the request for written authorization or other supporting documentation may be required by the organization.
Many expect that the number of receiving DSARs have increased significantly after CCPA. So let’s explore what is required and how to prepare:
Organizations have 45 days to respond and fulfill a customer’s data subject request, in a transferable electronic format. These obligations may vary depending on the customer’s request and how their information is handled.
Deletion requests involve not only team members from within the organization, but also all third-party vendors and partners with whom the personal information has been shared.
CCPA requires the disclosure of rights and communication about DSARs, as does the GDPR. The rights given to consumers under CCPA and GDPR are similar but not identical. This means that organizations will need to change their communication accordingly.
The following are the steps required to process and fulfill a DSAR:
Organizations must register data requests, log them in a system of record, and authenticate the user before starting work on their fulfillment, either manually or automatically.
For organizations to prepare for DSARs, they will need to discover and categorize the personal data they process and store. This data is often stored on an array of systems within an organization and externally as well. The personal data must also be mapped to the individual owner of that data to facilitate the processing of DSARs. Leveraging a People Data Graph can help streamline this process. The collection of this data must also be done in a safe manner to avoid additional data sprawl which could translate to greater liability.
After gathering the necessary information, organizations need to review the data and make sure it meets the DSAR requirements without disclosing proprietary information or the personal data of any other data subject.
The final response must then be delivered to the consumer securely. If a data breach or leakage occurs, it can cost as much as $750 per leaked record.
Here are several risks associated with fulfilling a data subject request you must watch out for:
One important factor to consider is that using traditional means will do more harm than good. For example, using emails to deal with DSARs can be dangerous as the risk of data sprawl increases when sending and receiving data over a system that is not secure. Moving personal information in an unencrypted system increases the risk of data breaches. It takes an average of 196 days for an organization to pick up on a data breach, making it essential for enterprises to fortify and automate their systems to protect themselves from any data breach.
If the organization has designated a data protection officer (DPO), they will often be in charge of fulfilling DSARs. If an organization does not have a DPO, the responsibility should fall to a staff member knowledgeable about data protection and honoring DSAR.
In most cases, you are not allowed to charge a fee for handling a request. After receiving the request, you must react without delay and within one month. However, controllers are permitted to charge a fair price depending on administrative costs when a person requests more copies of their personal data being processed.
When responding to a DSAR, organizations are required to have the following heading in their response:
The names of any third parties information is shared with.
Receiving a DSAR can strain organizations' resources, resulting in operational challenges. These challenges intensify when organizations collect large volumes of personal data, have obtained data from third parties, or share it with third parties, data residing in numerous data systems, categories of data (personal and sensitive), etc.
Data controllers are required to respond to a DSAR "without undue delay" and "in any case within one month of receipt of the request," according to Article 12 of the GDPR. The ICO previously specified that this 30-day window begins the day after a data controller receives a DSAR.
If the request is complicated or the organization has received many requests from the person, the deadline may, in some circumstances, be extended by two more months. For instance, the person simultaneously lodged a DSAR and a right to be forgotten.
According to ICO standards, a DSAR may be rejected if it is excessive or unwarranted. It's critical to keep in mind that each request's eligibility for an exemption must be considered individually. If you decline to fulfill a request, you must let the person know why and that they have the option to file a complaint with the ICO.
Here are some highlights:
Large organizations may have hundreds of millions of records about their consumers, often spread across an array of systems. Sorting this data and creating a data inventory to cope with DSARs is a challenging task that requires organizations to automate their current practices.
At Securiti, we have solutions that offer robotic automation, machine learning and secure cross-channel collaboration to help your business stay prepared for CCPA.
To learn more about automation and orchestration of data subject requests and how much time you can save, check out the video below or schedule a demo to see it live, in action!