Under EU law, and under several state laws in the US, a data subject (a person) has the right to see the personal data a business holds on her and to know how that business is using it. A person exercises these rights by making a Data Subject Access Request (DSAR) to the business holding her data. Depending on the law (GDPR, CCPA, etc.), data subjects may have some or all of the following rights: (1) access to the data the business holds on them; (2) deletion of their data; (3) correction of their data; (4) opting out of the sale of their personal data to a third party; (5) opting out of the processing of their personal data; and (6) data portability (the right to receive an electronic copy of their data).
While data rights are good for consumers, businesses often struggle to fulfill these requests, even routine DSARs. For instance, a business must first properly verify that the data subject making the request is who she claims to be. This step is becoming increasingly critical as more and more nefarious actors seek to steal personal data from businesses: a DSAR answered for an impostor hands a complete, neatly packaged copy of someone's personal data to an attacker, and is itself a reportable data breach. Businesses must therefore meticulously vet and verify persons requesting to exercise their data rights before releasing anything.
Once a data subject is verified, the data discovery process itself is often cumbersome, because businesses collect and store customer data in numerous systems, each built for a specific customer or business need, such as customer bookings or marketing. The mere task of finding a particular person's data across these multiple data stores can be like looking for a needle in a haystack.
Also, hundreds or even thousands of copies of the same data can sit in numerous databases (what we call data sprawl), making data deletion requests a nightmare to fulfill. In the data deletion/anonymization context, a multiplicity of systems means the effort to find, erase, or anonymize data on request is far greater than it would be if the subject's data lived in a single system. Each additional system in which the data is stored adds to the level of effort the business needs to fulfill a DSAR.
Many businesses still use a manual data subject verification and fulfillment process, which means greater privacy specialist headcount and thus higher business costs. In addition to being inefficient and labor intensive, manual DSAR fulfillment introduces human error into both the data subject verification and the data discovery process, thereby exposing the business to violations of privacy laws and the resulting regulatory fines.
Ongoing developments in privacy law worldwide promise to increase the burden of DSAR compliance, as consumer privacy laws are rapidly emerging both globally and in the US. For instance, the California Consumer Privacy Act (CCPA) came into effect in 2020, following the effective date of Europe's General Data Protection Regulation (GDPR). Currently, California, Colorado, and Virginia have laws that provide or will provide the functional equivalent of DSARs, whereas Nevada gives its residents only the narrower right to opt out of the sale of their personal data.
While the COVID-19 pandemic brought a temporary reduction in the number of incoming DSARs, our clients have seen an increase in the number of people exercising their privacy rights over the past several months, returning to and in some cases exceeding pre-COVID levels. We expect these numbers to increase steadily over the coming months. Not only are more people becoming aware of their privacy rights under existing laws in their jurisdictions, but additional jurisdictions such as Brazil and China have added privacy rights to their laws. We also expect additional states to follow the example of the current data privacy laws in CA, CO, NV, and VA at some point, and a federal privacy law is not out of the question in the next few years.
The rising volume of DSARs will become a major cost center for firms in the coming years unless they are proactive. According to one recent survey by Gartner, businesses report spending, on average, $1,400 per data subject rights request. Unfortunately, some requests are even more expensive than this eye-popping number. For instance, some records require the redaction of large amounts of information to protect the privacy of persons other than the data subject, which multiplies the cost of fulfilling the DSAR.
Redundant copies and a multiplicity of specialized systems are, in themselves, sound business practice for making efficient use of customer data. However, they match poorly with the access and erasure requirements that customer bases worldwide are now beginning to exercise. For this reason, companies that tackle their DSAR tasks manually see their cost per DSAR start high and go higher.
Businesses looking to outsource their DSAR fulfillment process can rely on Advisori. Advisori is a full-service DSAR Fulfillment Center. Our virtual DSAR platform allows a data subject to submit a DSAR directly to our Fulfillment Center via our secure DSAR portal. We verify the data subject using multiple means and sources, use our technologies to search every type of data store for personal data of all categories and formats, and then package all related personal data for delivery back to the data subject through our secure electronic portal. The data subject can review her data in our portal or download it. We are also able to find and delete/anonymize data when a data deletion request is filed. We do this quickly and efficiently to ensure that all DSAR regulatory requirements and deadlines are met. The bottom line is that we help our clients fulfill DSARs cheaper, faster, and better. Check us out at www.advisori.com or contact us at [email protected].