Importance of Data Privacy and Compliance

The advent of electronic media allowed organizations to collect their customers' personal information and use it as they pleased. As cyber threats and identity theft took center stage, regulation failed to keep up. Over time, however, governments and agencies around the world have laid down data privacy and compliance standards. The core objective of these regulations is to hand control of personal information back to the people it describes, so that they remain the undisputed owners of their own identity. The impact on organizations is complex and far-reaching: companies now have to transform how they collect, store, protect, and manage personal information, and they have to honor the rights conferred on customers. If you collect personal information, you can't sit on the sidelines anymore.

In this article, you will learn about data privacy and compliance and the role eDiscovery plays in it. Let’s start by discussing what data protection policies are.


Data Protection Policy (DPP)

A data protection policy is a security policy that standardizes how data is used, managed, and monitored. It exists to protect the data that the organization collects, stores, and processes. Even though a DPP is not itself required by law, it helps you comply with data protection regulations and standards.

A DPP should cover all the data your company stores, whether on premises, at offsite locations, or in cloud services, and it should address both data in transit and data at rest. It demonstrates your commitment to the privacy and protection of consumer data. If your organization experiences a data breach or is subjected to a compliance audit, the policy, together with evidence that it is actually followed, shows regulators and auditors that you took data protection seriously.

Casepoint can help you with requests related to GDPR, CCPA, and more. The platform can help you respond to data breaches as well while strengthening your compliance. 

Now that you have an understanding of a data protection policy, let’s get into some of the most well-known data privacy laws in the world.

General Data Protection Regulation (GDPR)

The GDPR is widely regarded as the toughest privacy and security law in the world. Although it was drafted and passed by the European Union (EU), it applies to any organization, anywhere, that offers goods or services to people in the EU or monitors their behavior. In effect since May 25, 2018, it levies heavy fines on organizations that violate its requirements: up to €20 million or 4% of worldwide annual turnover, whichever is higher.

The GDPR was Europe's way of showing the world its firm stance on the privacy and security of data, at a time when more and more people were entrusting their data to cloud services. Because the regulation is principle-based rather than prescriptive, working out what compliance requires in practice can be daunting for any enterprise.

California Consumer Privacy Act (CCPA)

This is a state-wide data privacy and compliance law regulating how businesses handle the personal information of California residents. It took effect on January 1, 2020. It applies to any for-profit business that does business in California and meets at least one of three thresholds: it buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices per year (a threshold the CPRA later raised to 100,000); it derives 50% or more of its annual revenue from selling California residents' personal information; or it has annual gross revenue above $25 million.

California Privacy Rights Act (CPRA)

This is another state-wide data privacy law that expands significantly on the CCPA. It was approved by voters as Proposition 24 on November 3, 2020, with most of its provisions taking effect on January 1, 2023. It can be considered an amendment to the CCPA that strengthens the rights of California residents and tightens the rules on how businesses use personal information. It also established a new enforcement agency for the state, the California Privacy Protection Agency (CPPA).

Virginia Consumer Data Protection Act (VCDPA)

Governor Ralph Northam signed the VCDPA into law on March 2, 2021, making Virginia the second state to enact its own consumer data privacy law; it took effect on January 1, 2023. The VCDPA builds on the CCPA and the GDPR. Unlike those laws, however, it won support from businesses such as Microsoft and Amazon, because its scope and compliance obligations are considered less onerous.

Data Subject Access Request (DSAR)

Now let's look at what a customer can do to exercise their data privacy rights. A Data Subject Access Request (DSAR) is a request from an individual to a business asking what personal information about them has been collected, used, and stored. A DSAR can also ask for action to be taken on that data, such as opting out of its collection or sale, correcting inaccurate data, or deleting it.

A DSAR typically asks for all the personal information you hold on the sender, although the subject may instead ask for specific details. Whatever the subject asks for, you are obligated to provide it, subject only to the narrow exemptions the law allows, for example where disclosure would reveal another person's personal data. Here are a few examples of the information customers might request:

Confirmation of whether or not you process their personal data

The purposes for which you process it

Access to the information itself, in a commonly used format

The period for which their information will be stored, or the criteria used to determine that period

The source of the data and any profiling or automated decision-making it is used for, including the logic involved

The third parties you share their information with

Your customers don't need a reason to request this information; they can submit a DSAR at any time. As a business, you may only ask the questions needed to verify the requester's identity and to locate the requested information. If your customers' personal information is not held in a single, convenient place, responding can become time-consuming and exhausting. A data mapping process that tracks what personal data you hold, where it lives, and who it is shared with makes the job tractable, and a reporting tool that pulls information from the different sources can generate the DSAR response.

Process for Handling a DSAR


Verify the identity of the customer

Responding to a DSAR starts with verifying the identity of the person who made the request, so that you can be sure you are disclosing data only to the person it belongs to. Ask only for what you reasonably need to confirm who they are; a DSAR is not an occasion to collect more personal data. If you send information to the wrong person, you are on the hook for a data breach.

Clarify the nature of the request

Next, review the DSAR to establish exactly what the customer wants. Some only want to see the data you hold; others invoke further data privacy and compliance rights, for example asking you to delete their data or correct inaccurate data. Clarifying the request also lets you judge whether you can answer within the statutory window: one month under the GDPR (extendable by a further two months for complex or numerous requests) and 45 days under the CCPA (extendable by another 45 days where reasonably necessary). If you need more time, tell the customer within the original deadline and explain why.

Review the Data

Review the data carefully before sending it to the requester. The response must not include anyone else's personal information; where the subject's records also name other people, redact those details rather than withholding the whole record. While reviewing, you can also add an explanation of why you collected and stored each category of information. With Casepoint, your team members can collaborate to handle all the data privacy and compliance requirements of a request.

Collect and Package the Data

Next, collect everything the customer requested and assemble it into a response. The format depends on the information; in most cases it is something easily accessible, and if the request was made electronically the GDPR expects the response in a commonly used electronic form. The GDPR also encourages businesses, where possible, to give requesters remote access to a secure system through which they can view their personal information directly. If the customer asked for everything, your response must be equally comprehensive; anything you miss can be treated as a violation of their rights.

Explain Data Privacy Rights to the Customer

When sending the response, add a section at the end reminding the customer of their data privacy rights: the right to object to processing, to request rectification or erasure, and to lodge a complaint with a supervisory authority.

Send the Data

The last step is sending the response to the requester over a secure channel. Document the request, the identity checks, what was disclosed, and all communications so that there is a trail demonstrating your compliance and accountability.
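The steps above, carried through in code as an added example (illustrative code written for this page, not Casepoint's product or any regulator's reference implementation): a verified request is resolved against a constructed data map of two sources, fields that hold other people's data are stripped before packaging, the statutory deadline is computed for the GDPR and CCPA windows, and each step is written to an audit trail. The source names, record layouts, field classifications, and sample records are assumptions made up for the example.

```python
from calendar import monthrange
from datetime import date, timedelta
import json

# Constructed data map (an assumption for this example): for each source,
# which field identifies the data subject and which fields hold other
# people's personal data that must not go into the response.
DATA_MAP = {
    "crm": {
        "subject_key": "email",
        "third_party_fields": {"account_manager_email", "referrer"},
        "records": [
            {"email": "ana@example.com", "name": "Ana Lopez", "plan": "pro",
             "account_manager_email": "bob@corp.example", "referrer": "carl@example.com"},
            {"email": "dan@example.com", "name": "Dan Ng", "plan": "free",
             "account_manager_email": "bob@corp.example", "referrer": None},
        ],
    },
    "support_tickets": {
        "subject_key": "requester",
        "third_party_fields": {"agent", "cc"},
        "records": [
            {"id": 101, "requester": "ana@example.com", "subject": "Billing question",
             "agent": "eve@corp.example", "cc": ["carl@example.com"]},
            {"id": 102, "requester": "dan@example.com", "subject": "Login failure",
             "agent": "eve@corp.example", "cc": []},
        ],
    },
}

RIGHTS_NOTICE = ("You have the right to object to processing, to request rectification "
                 "or erasure, and to lodge a complaint with a supervisory authority.")


def response_deadline(received_iso: str, regime: str) -> str:
    """Statutory response window as an ISO date: one calendar month under the
    GDPR (Art. 12(3)), 45 days under the CCPA. A GDPR month ends on the same
    day of the next month, or on its last day if that day does not exist."""
    received = date.fromisoformat(received_iso)
    if regime == "CCPA":
        return (received + timedelta(days=45)).isoformat()
    if regime == "GDPR":
        year, month = (received.year + 1, 1) if received.month == 12 else (received.year, received.month + 1)
        last_day = monthrange(year, month)[1]
        return date(year, month, min(received.day, last_day)).isoformat()
    raise ValueError(f"unknown regime: {regime}")


def collect_records(subject_id: str):
    """Pull the subject's records from every mapped source, dropping fields that
    hold other people's data. Returns (records_by_source, redaction_log)."""
    found, redactions = {}, []
    for source, spec in DATA_MAP.items():
        for rec in spec["records"]:
            if rec.get(spec["subject_key"]) != subject_id:
                continue
            removed = sorted(set(rec) & spec["third_party_fields"])
            cleaned = {k: v for k, v in rec.items() if k not in spec["third_party_fields"]}
            if removed:
                redactions.append({"source": source, "fields": removed})
            found.setdefault(source, []).append(cleaned)
    return found, redactions


def build_dsar_response(subject_id: str, regime: str, received_iso: str,
                        identity_verified: bool) -> dict:
    """Run the steps in order and record each one in an audit trail."""
    if not identity_verified:
        # Disclosing to the wrong person is itself a breach: refuse outright.
        raise PermissionError("identity not verified; refusing to disclose")
    trail = ["identity verified"]
    due = response_deadline(received_iso, regime)
    trail.append(f"request clarified: access request under {regime}, due {due}")
    data, redactions = collect_records(subject_id)
    trail.append(f"data reviewed: {sum(len(v) for v in data.values())} records, "
                 f"{len(redactions)} third-party redactions")
    package = {
        "subject": subject_id, "regime": regime, "received": received_iso, "due": due,
        "data": data, "redactions": redactions, "your_rights": RIGHTS_NOTICE,
    }
    trail.append("packaged with rights notice and sent")
    package["audit_trail"] = trail
    return package


if __name__ == "__main__":
    print(json.dumps(build_dsar_response("ana@example.com", "GDPR", "2024-01-31", True), indent=2))
```

The redaction log records which fields were removed and from which source, but not their values, so the audit trail can show reviewers that third-party data was handled without itself becoming a second copy of it. A real data map would be maintained outside the code and would include retention periods and recipients, which the response also has to state.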