Data privacy has been a thorny issue for many years, but it’s only relatively recently that regulators have taken forceful steps to address consumer concerns. The first of these steps was the EU’s General Data Protection Regulation (GDPR), which became enforceable in 2018. GDPR was followed by the California Consumer Privacy Act (CCPA), which became effective in late 2020, and has inspired similar legislation in other states across the country. The Virginia Consumer Data Protection Act (VCDPA) goes into effect on January 1, 2023, and the Colorado Privacy Act (CPA) becomes effective July 1 of the same year. As of July 2021, more than 30 states are drafting or are close to passing state privacy laws.
Ever since the first consumer privacy protection measures emerged, enterprises have been on notice to ensure they’re ready to respond to consumer data subject access requests (DSARs) – and to keep adapting as new state regulations are introduced. The implementation of CCPA has already led to a surge in the number of DSARs, and it is clear that enterprises should brace for a high tide of additional requests when VCDPA, CPA, and other regulations go live.
So, what’s the best way for enterprises to respond to this new interest in privacy-related regulations and the subsequent surge of DSARs requests that will inevitably follow?
Responding to DSARs is costly and complicated. Enterprises typically use between 50 and 100 different systems to store personal data, so fulfilling DSARs can involve intense collaboration between multiple teams—even for a single request! The average cost for each, according to a recent Gartner report, is around $1,400.
It’s hard to pin down the most difficult aspect of processing DSARs, but high on the list is the challenge of locating all an individual’s personal data across an entire organization. Multiply one request by tens, hundreds, or even thousands, and you get a sense of the scope of the challenge.
How can you be sure you have the best processes and workflows in place to handle multiple types of DSAR requests from different jurisdictions, and still comply with privacy policies? How should you prepare the enterprise to respond quickly and accurately, and what are the key points to address in your readiness plan?
As you prepare, key considerations include how to aggregate data in such a way that it can be produced appropriately for the requesting agency, and how to coordinate and collate data across all the interconnected apps and infrastructure in the organization.
Processes and Workflows
Legal teams will need to establish flexible and transparent processes to move forward efficiently with DSAR requests, and for this, they’ll need all the automation and data analytics capabilities of today’s most robust eDiscovery tools, which will allow them to slash the time and costs of responding and provide better visibility into workflows.
To maximize DSAR workflow efficiency, it must be fully integrated into your privacy management system. For example, if as an employer you are obliged to search personal devices, personal email accounts, and personal social media accounts belonging to employees, the structure of your DSAR workflow must reflect the unique characteristics of each of these data sources.
As the number and complexity of DSAR requests across different privacy jurisdictions increases, so too does the value of advanced eDiscovery tools in mitigating organizational risk in terms of cost, compliance, and efficiency.
To better manage the compliance burdens created by consumer privacy regulations, enterprises need to be able to quickly locate all the data subject’s personal information.
Your technology solution must help you quickly understand how data is stored within your organization across all the many interconnected applications and infrastructure elements such as SaaS apps, data lakes, and hosted databases.
Data mapping helps track data through its life cycle, from collection and processing to retention or removal. This is particularly important when personal data moves from one jurisdiction to another and becomes subject to varying privacy regulations.
Knowing precisely where personal data is stored allows enterprises to better protect and regulate that information. It also helps you determine whether personal information is used or stored beyond its original, lawful purpose and ensures that, where correction or deletion is required, adjustments are made in each of the locations where that information is stored. It’s important to know your policies for sun-setting data – and how those policies will affect your ability to respond effectively to DSARs.
Again, automation will help you carry out these processes much more efficiently and cost-effectively and ensure you stay in compliance with evolving and increasingly stringent regulations. Missed deadlines are subject to steep fines, which only adds to the cost of DSARs. Targeted technology will help you understand and refine workflows, monitor progress, and ultimately save time and money.
With the help of the right eDiscovery tool, organizations bracing for high volumes of DSAR requests can get ahead of the game. They can start now by reviewing, updating, and creating an inventory of personal data processing activities, identifying assets, and developing and implementing robust processes for the protection of sensitive personal data.
Stay tuned for Part II where I provide ways your organization can overcome challenges and manage DSARs with legal technology.