Since 2018, organizations covered by the EU’s General Data Protection Regulation (GDPR) have had to disclose personal data at the request of the data subject or face harsh penalties. Besides the GDPR, more and more data protection and privacy laws, such as the California Consumer Privacy Act (CCPA) and Brazil’s General Data Protection Law (LGPD), are requiring organizations to identify personal data; disclose, correct or delete data upon request; and demonstrate regulatory compliance.
Organizations that fail to comply with relevant legislation face substantial fines, litigation and reputational damage that can cost customers.
The different data privacy regulations across the globe provide similar rights for individuals – including employees and customers – to access, correct or delete personal data held by an organization. Data subjects can also request information on how their data is processed, stored and shared. This article focuses on aspects of DSAR compliance programs that are applicable to most data privacy regulations, although for ease of discussion, we use the GDPR definitions of “data subject” and “data subject access requests (DSARs)” as general references.
A recent Gartner survey found that it costs an average of US$1,400 for organizations to manually process a DSAR, with most taking more than two weeks to respond.[1] The most difficult aspects of processing DSARs involve locating personal data in an unstructured format, monitoring data protection practices of third parties and data minimization.[2]
The differences between the GDPR, CCPA and any other privacy regulation must be carefully addressed by legal counsel. Because of these variances, any workflow created for one regulation may require modifications to comply with another. Any organization that becomes subject to new privacy legislation should use the opportunity to assess whether existing processes can be revised to improve compliance, efficiency and cost-effectiveness.
Sharing data with third-party vendors
When an organization receives a request to delete personal data, the GDPR requires notification to all downstream parties that received or processed the subject’s personal information. Under the GDPR, data processors share responsibility for fulfilling requests with data controllers.
Processor due diligence is specifically outlined under Article 28 of the GDPR. To meet the accountability and responsibility requirements, controllers should regularly assess how vendors protect the personal data they receive. Both the GDPR and the CCPA require detailed written contracts between businesses and vendors that process data.
Automation and data analytics are increasingly being used to reduce the time and costs of third-party due diligence, while offering new risk and business insights.
DSAR workflow design
Building a standard methodology is critical for streamlining the process, meeting relevant regulatory and legal requirements, and engaging all stakeholders in an effective and efficient manner. Considering that the data privacy regulatory landscape is still fast evolving, a clearly defined workflow will enable the organization to stay agile and effectively respond to changing compliance requirements.