Data rights are good for consumers, but DSARs can be a burden on businesses.
Many businesses struggle with fulfilling even routine DSARs. For instance, a business must first properly verify that the data subject making the request is who they claim to be. This necessity is becoming increasingly critical as more and more nefarious actors seek to steal personal data. Businesses must meticulously vet and verify persons requesting to exercise their data rights.
Once a data subject is fully verified, the data discovery process itself can be cumbersome. Businesses often collect and store customer data via numerous systems used to accomplish specific customer and business needs, like customer bookings and marketing. The mere task of finding a certain person’s data across multiple data stores can be like trying to find a needle in a haystack.
Hundreds or even thousands of copies of the same data can be in numerous databases (what we call data sprawl), making data deletion requests a nightmare to fulfill. In the data deletion/anonymization context, a multiplicity of systems means the efforts to find, erase, or anonymize data upon request can be that much more time consuming – made even more complicated by businesses still using manual data subject verification and fulfillment methods. Manual methods are slower, costlier, more labor intensive, and subject to human error.