The individual whose data it is, is known as the “data subject.” Unfortunately, no one organizes data based on whose data it is. That data is likely scattered across different systems, databases and corporate divisions. Given this distribution and all of the moving parts required—technology, manpower, and workflow processes, to name a few— fulfilling these requests can be very challenging.
In the EU, many companies are still playing catchup with the GDPR. They have put a “fig leaf” involving largely manual processes in place to avoid heavy regulatory fines (of up to 20 million Euros, or 4% of annual revenue). But the volume of these requests has increased, and the complexity has grown as well. While enforcement actions began rather slowly, their pace is picking up as well. In addition, mechanisms for collective redress of privacy violations are becoming a reality, and are expected to be EU-wide by January 2023. Many organizations are reevaluating these initial efforts, and reaching the conclusion that additional investment is needed to avoid a growing regulatory risk.
Without an operational data inventory to track the data you have and what it means and how it is used in business transactions, it is practically impossible to comply with privacy laws. This is because if you don’t know how to find the data, or know where it all lives in your organization, you can’t remediate it. So if your organization needs help establishing a data inventory, read chapter 1 in the Basics of Data Privacy.
Once your data inventory has been established, there are steps required to completing each DSAR, which are laid out below.
Why Do DSARs Matter?
Organizations need a quality DSAR remediation process as part of a compliance/cost avoidance regime to ensure that fines precipitated by data privacy regulations never materialize. This becomes clear when considering the following four facts:
- It’s the law: The CCPA, GDPR, and other privacy laws have strengthened individual rights
- Organizations are subject to penalties ranging from $2,500 to $7,500 per violation (CCPA)
- It’s easy for individuals to request information because don’t have to go through a formal process to do so
- Individual rights are expanding both geographically (the Virginia VCDPA includes this form of individual rights) and by adding more rights (CDPA, set to take effect January 1, 2023 in California, includes additional consumer rights)
In other words, DSARs matter because the CCPA was designed to make it easy for consumers to find out what data a company has about them, and to make it very costly for companies to avoid these responsibilities.
DSAR & the CPRA
The California Consumer Privacy Act (CCPA) is the U.S.’s most expansive consumer data privacy law in effect. Its successor, the California Privacy Rights Act (CPRA), passed by ballot initiative in November 2020, goes into effect on January 1, 2023. This law echoed the rights of the “data subject” (the person whose personal data this is) over the use of that personal data by an organization that collects it. When first launched, DSAR rights were granted to consumers, but not to employees. Employees will gain those rights when CPRA goes into effect. Employees already have those rights under GDPR.
Employee DSAR & Consumer DSAR: What’s the Difference?
At the heart of any DSAR is the concept of searching for, collecting, and reviewing/ redacting personal information, whether it’s an employee or a consumer. It is extremely likely that a business will store more data on an average employee than an average customer. The added volume and increased number of potential data repositories creates complexities that don’t come with a typical consumer request.
With any request, there are a few key considerations that effect how difficult it is to process. Some of these are:
- The nature of the request
- The sensitivity of the request
- The complexity of the request
- The volume of data involved
- The dispersion of data throughout your organization
- The expectations of the requestor
These considerations are applicable whether it’s an employee or consumer request. The nature and sensitivity aspects have been particularly interesting for GDPR-regulated companies because of the different situations in which employees make these requests.
With most [employee] DSARs, I think people are in a position where I think we accept that they’re probably a bit miffed about something and that’s why they’ve submitted the DSAR in the first place
And I think this is even more so when you have maybe disgruntled ex-employees who’ve been made redundant or whatever. Mainly, you need to be mindful that there might be a degree of distrust there, a perception that the organization may try and hide things. Then there’s the sheer challenge of the volume of data that you’ll be dealing with regarding employees, and the sensitivity of this information.
This is the number 1 miss that companies make, there’s a fundamental misunderstanding by a lot of people in HR and who they report to that this is just a consumer law that has nothing to do with employees. Let’s just stop calling them ‘employees’ altogether—they’re consumers. And when you start treating them like consumers, that’s when you really understand how big of a problem the CCPA/CPRA really is.
What Are the Challenges of Handling a DSAR?
- No data inventory. If the employees responsible for handling the DSAR aren’t able to identify where the data is—and they aren’t able to confirm that they have retrieved all of the data on a given data subject—it’s very difficult to legally fulfill the request. An up-to-date data inventory is required to respond (with confidence) to the request and successfully remediate the data.
- No workflow. Once you have identified where an individual’s data lives, the next challenge is ensuring that the request flows to the right areas of the business where it can be properly remediated. Workflows can become more challenging as enterprises increase in size and, presumably, collect and store more customer data in different areas of the organization.
- Manual collection process. “Manual” collection processes bring to mind old file folders with stacks of papers to sift through—but even for businesses that operate on a mostly digital basis, much of the data will be in ad-hoc forms, spreadsheets, files, and other data sources that are not easily searched. Manual collection process requires sifting through all this data, takes longer and leaves more room for error than an automated process would. Automated tools do cost money, and if the assumption is that you will not receive any DSARs, then having a manual process makes sense. However, most organizations have seen DSAR requests rise over the past year, and the inclusion of employees in California will accelerate this trend. Searching for data and collecting it is much like an e-discovery exercise: Many of the same processes and even technologies are involved in completing DSAR requests, and it’s difficult to accomplish without the use of technology.
- High request volume. When the GDPR launched in May 2018, Microsoft opened a self-service DSAR portal. In its first year, Microsoft received 18 million requests— with more than one-third coming from the U.S. Few organizations have the scope and reach of Microsoft, but most mid- and large-size enterprises with a consumer presence receive large and growing volumes of requests.
Using technology can save a lot of pain throughout the process. For example, utilizing an internally facing portal on your company intranet can help the individuals involved in fulfilling requests get oriented and moving in the right direction. This portal can be used to help gather the requests, automatically authenticate that request through HR and other technology integrations, and then routing that request through to the appropriate personnel. And externally, a single, consumer-facing unified platform to help communicate with the requestor throughout the lifecycle of the process can help maintain secure communication and delivery of the request as well as keep an audit trail of the process.
6 Steps for Creating an Effective DSAR Response Process
Once your organization has established a data inventory, it’s time to lay out a lean, effective, and efficient DSAR process. It helps to have a DSAR team that can own the process, but depending on the organization, it could make sense for the duties to be split among representatives in each division across the enterprise.
Step 1 – Identifying the Data Subject’s IdentityConsiderations:
- How is the individual making the request?
- How do you verify that it’s actually that person making the request?
- How can you automate the process as much as possible?
Organizations need to ensure that each request is genuine, or they open themselves up to more trouble. There are a number of ways to authenticate an individual’s identity via verification of an individual’s personal information. This can be a security measure that the individual filled out when they created an online profile with your company, a piece of government ID, or information that is specific to your organization (such as verification of banking or financial institution information).
Step 2 – Confirm The Type of Request and Route it to the Relevant Person(s)Considerations:
- What is being asked for?
- Where in the organization does the request need to go?
In order to route the request to the correct department or individual, you must know what information is being requested. If it isn’t a clear request, be sure to confirm the request with the individual. Then, based on the type of request it is, route the request to the correct team in the organization. That could be a DSAR-specific team, or an individual within a department that handles requests. For more sensitive information, like medical records or payroll details, it could be beneficial from a legal defensibility standpoint to allow access by privileged employees only.
Step 3 – Gather the Necessary Personal InformationConsiderations:
- Is your data inventory up-to-date?
- How will collection from all enterprise data sources occur?
If the company’s data inventory is up to date, and the DSAR team has a platform with the capability to pull data from all of your organization’s inter-connected data sources (such as Office365 and Gmail, or instance), this could be a fairly simple exercise. Without a central data repository, or software that can pull data from disparate sources across the enterprise, the DSAR team or individual in charge will typically request the information from IT. It takes time and manpower to search for the data and fulfill the request, which pulls the IT team away from their business priorities.
Technology can make this process more streamlined and efficient by allowing the DSAR team to make data collections on their own without leveraging IT manpower. Presumably, the DSAR team also knows exactly what they need to find based on the request they’ve received, and technology allows those teams to have much more control over the process.
Step 4 – Review and Package the DataConsiderations:
- How will you redact documents with PII?
- Does the process harmonize with regulatory obligations and legal holds when remediating data?
- Do you have the capability to format the data as they request?
Without review technology that can help identify and redact sensitive information, this can be another onerous task. Once the data has been collected, it needs to be reviewed to ensure that the organization is returning the correctly requested information, as well as blocking privileged or company-sensitive information that may be part of the request. Review technology will allow the DSAR specialist to perform redactions or markups on the documents without ever having to leave the platform
Step 5 – Prove that Request Fulfillment is Complete
To protect your organization’s interests, and show good faith to your customers, there should be a method of proving that requests have been fulfilled, and validating that after the fact. Should any question arise, there will be documentation that states all of a subject’s information was indeed delivered, as requested. Having documentation on your data inventory can also help with that.
Step 6 – Send the Results to the Data SubjectConsiderations:
- Can you fulfill these requests securely?
- How will you notify the data subject?
- Keep a processing for closing the ROIR/DSAR
Once the documents have been reviewed and exported, they should automatically be made available to the data subject by the business’s website or online portal, and retrievable in an easy, secure way. If the data package has to be digitally sent to the subject, it should be encrypted or otherwise secured.
After the DSAR has been fulfilled, close it out and notify internal teams that the request has been completed.
Limiting the Scope of Employee DSARs
There are various ways that the teams performing DSARs can reduce the amount of information to be identified, collected, and reviewed—and doing so at the start of the process means much less time and effort required in the ensuing steps. Less data collected means less data for review; this is best accomplished through technology that can identify and collect only relevant documents across all enterprise data, as well as a robust data retention program that automatically deletes information that is no longer valuable. Integrating IT and HR systems within one platform allows you to run sophisticated assessments up front to see how many documents or emails you’re likely to produce based on the various search parameters. Technology will then allow you to hone in and surgically target the data you’re looking for, trimming the amount of data for collection and review, and making the tight fulfillment timelines more manageable.
Possible Exemptions for DSAR Fulfillment
While there are few ways for companies to avoid fulfilling DSARs, there are a handful of potential exemptions, including:
- Another identifiable individual’s information is made visible to the requestor without the individual’s consent
- The request is excessive or inaccurate
- The information is under a legal hold
- There are confidential references made within the data that aren’t redactable
- Information regarding business forecasting or planning is part of the request and not redactable
However, it can sometimes be difficult to determine what might fall within the scope of an exemption. For these grey areas, the company declaring an exemption will have to provide a justifiable reason for doing so.
Perhaps the most potent exemption for DSARs, which would be applicable regardless of the law, concerns data under a legal or litigation hold. Data that is requested for deletion that is already under a legal hold or other retention obligation should never be deleted, as the possibility of sanctions—or losing information that is critical to a court case—looms. While this is one of the most important exemptions to consider, others that also involve potentially business-critical information should be considered as part of a running checklist.
An Effective DSAR Process is Key for Organizational Efficiency
Taken together, an organization’s data inventory and DSAR process can become not only an effective tool for cost avoidance through fees, but also a competitive advantage by showcasing that personal privacy and data security are meaningful to the company.