In 2020, just 10% of the global population’s personal data was protected by some form of data protection law or regulation. Gartner predicts that by 2023, that figure will be closer to 65%.
With that huge increase in data protection law coverage comes an associated increase in rights for individuals over the information concerning them that companies hold. This in turn requires that companies be able to demonstrate that that information is in good hands.
The European General Data Protection Regulation (GDPR) is arguably the best-known example, granting data subject rights (DSRs) to individuals resident in the European Economic Area to know if a company holds information about them, access that information (in GDPR terminology, the “data subject access request,” or DSAR), correct it, move it elsewhere, or have it deleted, among other rights.
However, a number of other major privacy laws also grant individuals rights over their personal data, including the Australian Privacy Act, the Californian CCPA, Canada’s PIPEDA, and Brazil’s LGPD. The most common right is the right of access, but many data protection laws also provide for the right to update or correct information.
Key considerations with DSRs
Many small and medium businesses are concerned about DSRs, and the potential challenges of managing them.
There are three main expectations with any DSR:
1. That a company will respond/take action
2. That the response will include the mandated information/action
3. That the response/action will happen in a set amount of time
A basic element for any business dealing with DSRs is the ability to track them. The aim is to be able to track date of receipt and date of response, in a format that allows the company to prove that:
- The response was provided
- The response adheres to requirements and deadlines in the event of an audit, or, worst case, a data protection authority complaint
Some key things to look into as soon as a DSR comes in:
- What law applies (see, for example, where the data subject is located or their nationality)
- Whether an acknowledgement of receipt is required
- What the timeline for response/action on the request is
Having these things established allows teams to set the priorities for next steps, and understand what those next steps should be.
Exceptions to DSRs
In some cases, a company will fall into an exception situation, or be otherwise unable to action the request. In most cases, this should still trigger a response to the individual making the request, outlining that the company can’t respond, why, and (where applicable) what further rights the individual has, such as contacting their local data protection authority.
A common exception case under GDPR is disproportionate effort. However, as companies can’t abuse exceptions to avoid responding, and as the definition of “disproportionate effort” isn’t clearly defined, any company applying this exception needs to be able to prove unequivocally that the effort, or cost, to comply with the obligation is disproportionate.
PIPEDA carves out legal reasons, such as solicitor-client privilege and active investigations as exceptions, as well as instances where providing personal data to an individual would reveal the data of another individual (and that third party’s information can’t be removed from the file).
The Californian CCPA permits an exception to complying with deletion requests where that information is still required to provide the services (for example, where the consumer submits a deletion request before the end of a warranty period).
As these exception cases show, exceptions will vary based on the applicable laws and jurisdictions, underscoring the importance of defining which law applies early in the process.
Verifying identity and DSRs
Where a company is obliged to action a DSR, before actually sharing or altering information, it’s vital to ensure that the person making the request has the right to make requests about that information (or is their legal representative).
Various laws have different expectations regarding the scrutiny required in verifying an individual’s identity in this context. For example:
- The GDPR requires that all “reasonable measures” to verify the identity of a data subject are taken, including requesting additional information if reasonable doubt exists
- The regulations to the CCPA, on the other hand, provide very specific guidance on how many data points must be matched for different types of data requests, to a “reasonable degree of certainty” or a “reasonably high degree of certainty.”
Under a number of laws (GDPR included), companies can’t require individuals submitting a DSR to create an account with them and sign-in in order to have their DSR attended to. Because of this, it’s important for teams dealing with DSRs to ensure they’re aware of the requirements of law and regulation before opening this conversation with an individual. Companies should also avoid demanding a large amount of sensitive information in order to verify an identity – stick to the minimum amount needed for the purpose.
Responding to a DSR
The response to a DSR will vary depending on the original request, but some basic requirements will apply:
- Ensure the identity has been verified
- Where an exception is relevant, ensure that it’s explained to the individual
- Work with internal teams to obtain/alter/delete records
- Ensure that the information is provided in an easily readable format (or other accessible format)
- Ensure that the information is complete
- Ensure that the deadline is met, or, where it can’t be, that the individual is notified before the expiration of the original deadline
- As most responses will involve transferring PII, ensure that the information is sent securely
The “trusted” paradigm
Globally, there are varying approaches to individual rights. In some instances, the system for making a request is hard to access, or requires access to an account that the individual may never have created in the first place, or has since closed and can no longer access. Some companies extend into a vertical (for example, credit reporting) that allows long-term personal data retention.
Sometimes, resistance to these requests occurs because of the perception that they’re complex, time-consuming and will absorb working hours. Nevertheless, avoidance and resistance can come with impacts to companies: most data protection laws include the right to administer penalties, which can run to up to 4% of a company’s global turnover, or €20 million. Some draft laws are looking at even higher penalties.
However, the payoff for having a process in place to support individuals’ asks is that nebulous quantity: consumer trust. Transparency and responsiveness are key when an organization deals with a consumer, and with the increasing number of data protection laws worldwide, putting a process in place to handle these asks simply and efficiently may save time, avoid penalties, and enhance your business reputation.