I have a simple question for all the GCs, CPOs, and CISOs out there: Are you ready for the California Consumer Privacy Act (CCPA)? Because it’s coming, whether you’re ready or not, on January 1, 2020. (And ten other states will soon follow suit with similar, but different, regulations.)
Depending on the timing, polling group, and survey methodology, reports suggest somewhere between 45% and 86% of companies will not be ready or do not even plan to be ready by then.
If you ask me, those figures are probably optimistic. I suspect that most organizations who expect to be ready aren’t as close as they think. Why? Here’s my thought process.
Do you know how long it will take to fulfill a single data subject access request (DSAR)? They require more resources than you might think. You’ll need to verify the data subject’s identity, access and search a comprehensive and accurate data inventory, collect the resulting data, review and redact confidential information about other subjects and deliver it to the subject within 45 days. According to a Gartner survey cited in its white paper How to Prepare for the CCPA, 83% of respondents “needed a full working week or more time to respond to each single request.”
What will you do if you get 10 requests? 100? 1000? With 240 working days in a year, you would need to process 4.1 complete requests per day to meet the demand from 1,000 requests. How many FTEs can you dedicate to fulfilling DSARs?
Consider what happened to Microsoft when it opened its self-service DSAR portal in compliance with the EU’s General Data Protection Regulation (GDPR). In its first year, it received 18 million data requests.
Guess how many came from the United States. 6.7 million. How many DSARs can organizations expect in response to the CCPA, the most stringent privacy law in the US so far? What will happen when more states and the federal government enact privacy laws based on the CCPA?
Of course, there are only a few organizations with the client base of a Microsoft, Google, or Facebook. What would be a reasonable figure for the number of DSARs you’d receive? We had a client who received 15,000 requests in the first month after GDPR took effect.
I don’t want to do the math to figure out how many FTEs you’d need to fulfill those DSARs manually. Frankly speaking, I don’t think you want to do that math either.
I will do a little math for you, though. That same Gartner study found that organizations were spending “on average $1406 per SAR.” At that price tag, the cost of a mere 15,000 requests would run to approximately $21 million in one month!
But it’s not just about cost. It’s also about time. Organizations are under a duty to respond to a data subject access request in just 45 days. 45 days! Legal departments will be hard pressed to meet that deadline for 15,000 requests, but can you imagine 50,000?!
It’s fair to say such an expense and risk is not sustainable. Organizations must be ready with a scalable, defensible, automated solution to this looming crisis.
There is an uncanny amount of similarity between the e-discovery and privacy worlds. If you’ve never seen a data subject access request, just ask your e-discovery team. They are already fulfilling what amounts to DSARs in a different form, the e-discovery production request, which makes the privacy and DSAR problem that much simpler to solve with technology: re-purpose e-discovery technology for the privacy world.
Here are the requirements as I see them for a technology solution to the DSAR problem.
First, you’ll need a portal for requestors to file DSARs. But it should be more than just a user-friendly online interface. It needs to route as many requests as possible directly into the fulfillment workflow.
Next, you’ll need to automate (as much as possible) and manage this workflow, from authenticating the requestor’s identity to finding, reviewing, and producing their data to them. This automation isn’t really optional; it’s a necessity given the volume of requests you can expect. Your database may not be as large as our client’s, but is it really reasonable to expect less than 1,000 requests a year? What happens if you suffer from a data breach? How many requests do you anticipate getting then, when compliance is going to be all the more critical to your reputation and your bottom line?
Importantly, you’ll need an accurate, comprehensive data inventory. This, after all, is the foundation of the entire process. It gives you the ability to find all responsive information in your control. You should be able to easily update this inventory as your company evolves. It should find not just where data belongs—but also where it actually is. After all, if a birthdate is tied to a name, it is considered “personally identifying information.” So if an assistant somewhere has a spreadsheet of employees’ birthdates for party planning, you’ll need to know that—or at least be able to find it.
You obviously also have to be able to act on the data. That starts with examining it before collecting it, but it also includes knowing retention schedules, data volumes across disparate locations, third parties accessing the data, and where duplicate data is stored. You’ll need to be able to remediate data, whether that means moving it to where it belongs, deleting it, or locking it down for preservation due to an internal investigation or legal hold. The system will need to understand the complex, at times conflicting, requirements to retain, deliver, and dispose of data imposed by regulations like CCPA and HIPAA and by the legal obligations of e-discovery under the Federal Rules of Civil Procedure (FRCP), and then act on those requirements accordingly.
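As an added illustration of the two requirements above (example code, not Exterro’s or any product’s), the toy scanner below builds an inventory keyed on the name-plus-birthdate rule, then answers an access request and a deletion request against it, keeping files under a legal hold out of the deletion set. The file paths, rows and hold list are constructed samples.

```python
import re

# Constructed sample data sources (path -> rows). In practice these rows would
# come from crawling file shares, mailboxes, databases and SaaS exports.
SOURCES = {
    "hr/payroll.csv": [
        {"name": "Ana Ruiz", "dob": "1984-03-09", "grade": "L4"},
        {"name": "Ben Okafor", "dob": "1990-11-21", "grade": "L2"},
    ],
    # The stray party-planning spreadsheet from the text: PII where it does
    # not "belong", but where it actually is.
    "shared/party_planning.xlsx": [
        {"Employee": " ana ruiz ", "Birthday": "03/09/1984", "Cake": "lemon"},
        {"Employee": "Ben Okafor", "Birthday": "11/21/1990", "Cake": "none"},
    ],
    # A name without a birthdate does not trip the name+DOB rule by itself.
    "marketing/newsletter.csv": [{"name": "Ana Ruiz", "opted_in": "yes"}],
}

# Constructed set of files frozen by a litigation hold.
LEGAL_HOLDS = {"hr/payroll.csv"}

NAME_COL = re.compile(r"name|employee", re.IGNORECASE)
DATE_VAL = re.compile(r"^(\d{4}-\d{2}-\d{2}|\d{2}/\d{2}/\d{4})$")


def normalize(name):
    """Canonical key for a person, so 'Ana Ruiz' and ' ana ruiz ' match."""
    return " ".join(name.split()).lower()


def build_inventory(sources):
    """Map each person to the set of files that tie their name to a birthdate."""
    inventory = {}
    for path, rows in sources.items():
        for row in rows:
            names = [v for k, v in row.items() if NAME_COL.search(k)]
            has_dob = any(DATE_VAL.match(v) for v in row.values())
            if names and has_dob:
                inventory.setdefault(normalize(names[0]), set()).add(path)
    return inventory


def locate(inventory, subject):
    """Access request: every file that must be searched for this subject."""
    return sorted(inventory.get(normalize(subject), set()))


def plan_deletion(inventory, subject, holds=LEGAL_HOLDS):
    """Deletion request: (files to delete, files retained under legal hold)."""
    found = inventory.get(normalize(subject), set())
    return sorted(found - holds), sorted(found & holds)
```

A real inventory would also record retention schedules and third-party recipients per location, which is what lets the same lookup drive the conflicting retain/deliver/dispose decisions described above.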
Ideally, you’ll have time to use this inventory to get your house in order before the regulations take effect. So much of the data most organizations retain is ROT: redundant, obsolete, or trivial. The wealth of storage the cloud affords has created a massive digital landfill. While this data’s business usefulness may be debatable, it does increase cost and risk. A sensible program of data minimization, supported by ongoing data retention policies combined with the ability to cross-reference all the litigation holds, can further reduce the risk posed by GDPR, CCPA, and all-but-certain future data privacy regulations in more and more jurisdictions.
The Future of E-Discovery and Data Privacy
Laid out this way, these challenges may seem daunting—perhaps even existential for an organization that has not adequately prepared to address them. And while they are very serious, by no means are they impossible to overcome.
In 2007, when I founded Exterro with three friends and colleagues, I saw a similar challenge facing legal departments at large, multinational enterprises. As a consultant helping clients like US Bank, Standard Insurance, and GM align their technology systems with their business needs and processes, I became more and more convinced that General Counsel’s offices had a near-universal need for better process management, supported by technology. I believed that process optimization and data science could fundamentally transform how in-house legal teams operate.
Thirteen years later, I feel vindicated. E-Discovery operations have increasingly moved in-house at these enterprises, and teams that embrace a proactive, data-driven, process-oriented approach are saving money and time and achieving better legal outcomes. And Exterro has ridden this wave to achieve dramatic growth, as Global 2000 organizations have turned to us for their e-discovery technology.
But, even with our incredible and sustained success, I haven’t achieved my complete vision. Exterro has focused on e-discovery alone, which is one segment of the larger legal governance, risk, and compliance (GRC) sector we’re now addressing. In Legal GRC, I see three sets of challenges that are converging—and one solution that can address all of them.
Under governance, organizations must manage their retention and disposition of data. How much is to be kept? Where is it stored? What are the legal and regulatory requirements? How much data can be disposed of, once its business value is diminished and it creates more risk? How do organizations balance their regulatory and legal hold requirements?
As for risk, what are organizations’ capabilities to reduce the likelihood of data breaches? What is your ability to ensure third parties you share data with are compliant? Are your legal processes defensible according to the FRCP and case law?
In terms of compliance, do your business processes and systems comply with the FRCP, GDPR, and CCPA? What are the potential costs of non-compliance?
And what is the solution I’m proposing? All of these challenges can be met with technology that puts the appropriate capabilities into the hands of legal GRC professionals. Built on a foundation of an accurate, actionable data inventory, incorporating process orchestration and a workflow engine, technology currently in use for e-discovery operations and privacy can meet these needs. The Exterro e-discovery platform, with the addition of Jordan Lawrence’s technology, manages complex requirements for data retention and disposition; orchestrates workflows across disparate teams; provides deep, actionable insight into data; integrates with all common (and many uncommon) enterprise data sources; and allows for searching, collecting, reviewing, and producing data on demand.
CCPA and GDPR are just the starting point of a new age in terms of our relationship with data. State legislatures in Texas, New York, and many more states are actively debating consumer privacy laws. Being able to fulfill DSARs efficiently will be table stakes for companies in just a few years.
The challenges of this new age of data privacy are many. But for organizations with the right technology and processes in place now, they represent more of an opportunity than a threat.
I look forward to sharing more of my thoughts and vision for how Legal can more effectively manage your governance, risk and compliance challenges, and welcome your thoughts or feedback. Please reach out if you’d like to discuss this with me.