How Data Subject Requests are at the heart of protecting privacy
Before the advent of the General Data Protection Regulation, the term “Data Subject Request” was not one most people recognized, let alone could define. But now that GDPR is in full force and privacy has become a major consumer and business issue, people are paying attention to the term – especially those who oversee privacy programs.
GDPR, the soon-to-be-effective California Consumer Privacy Act (CCPA) and other privacy regulations empower people with the right to know what personal information an organization holds about them, and a DSR is the vehicle for that request.
For the consumer, a DSR is the critical first step in the process of understanding their own data and how an organization is using it. Under GDPR, an individual (“data subject”) has the right to request whether an organization is processing their personal information; what that information is; how it is being used; who is receiving it; and how long it is being held.
Based on DSR results, individuals can initiate other requests, such as rectifying, removing or restricting the personal information, and more. The DSR must produce an accurate result for individuals to obtain their rights under GDPR, CCPA and other privacy statutes.
For organizations, DSRs are extremely important for the same reasons: They help establish and retain the trust of their consumers, they are the basis for complying with data privacy regulations, and they must be responded to quickly and accurately. If a company becomes flooded with DSRs, it may also face a crippling impact on its IT systems and staffing resources.
Lastly, the inability to respond to DSRs accurately and quickly might indicate poor data governance practices within a company. Simply put, organizations have many reasons to get DSRs right.
On the surface, this might sound easy for an organization. In reality, it’s not easy at all.
There are five critical steps to effective DSR management:
- Intake: The organization needs to verify the requestor’s identity and existence within the data ecosystem and track the request fulfillment until resolution.
- Verification: The organization must confirm the existence of the data subject anywhere in its ecosystem and identify corresponding information for the DSR response.
- Search: The organization must locate a data subject’s personal data by searching across its data ecosystem to identify all personally identifiable information (PII) attributes, categories, and the company’s purpose for collecting and processing the subject’s information. The search also needs to identify the specific systems and locations that contain this PII.
- Deletion: The organization needs to initiate a process to delete or obfuscate the customer’s data from relevant systems, as well as from third-party data processors. However, it’s also important to validate which systems the data can be deleted from, based on regulatory or business constraints.
- Response: All communications and DSR activities should also roll into a reporting dashboard and audit trail to demonstrate accountability, compliance and progress towards resolving requests.
Of these five steps, the “search” capability is the most difficult – primarily because organizations often don’t truly know what personal data they hold, and that data is continually changing. Data sets are acquired through mergers and acquisitions, from third parties, as streams and feeds to build better customer profiles, and by entering into data transfer agreements with partners, just to name a few ways.
Not only has data proliferated, but it’s also mutated into derivative forms. Customer data is often collected across multiple channels without being linked to a master identifier, and the definition of what is considered PII is continuing to change.
The other reason the DSR search process is difficult is that many organizations still rely on questionnaires and spreadsheets for data discovery. These manual processes are inefficient at best, and incredibly inaccurate at worst. Consider that a single bank transaction might be replicated across 100 systems. Successfully fulfilling a DSR for that customer could require multiple people to manually search all those systems, and the accuracy and completeness may be questionable. Not only would the individual’s privacy be compromised, but the bank would also have to defend the results with regulators.
In an age of big data and automation, relying on manual processes to fulfill privacy laws seems unbelievably arcane, if not impossible given the sheer volume of data companies have. Fortunately, many organizations are beginning to realize the complexity and importance of the DSR process and are looking to automate it.
I highly recommend taking an automated approach that prioritizes speed and accuracy, and that can find a data subject’s relevant PII across all data sources, whether the data is at rest or in motion.
Most of all, I recommend that organizations and their privacy teams spend the time and resources to do the best job possible on Data Subject Requests. People’s privacy and the organization’s reputation could be resting on it.