Data privacy regulations like the newly passed California Privacy Rights Act (CPRA) make events like Data Privacy Day—which in the U.S., Canada, Israel, and 47 other countries happens next week on January 28—particularly relevant. Given the scope of new privacy regulations, countless companies and individuals have already been affected in one way or another, and many more will see impacts as jurisdictional provisions continue to kick in throughout the year.
The companies that have had to respond to consumer and employee requests for data know that these processes can create massive headaches. According to Gartner, the average cost to respond to just one request is about $1,400. Multiply this by the dozens of requests that some companies will see when the employee DSAR provisions kick in for CCPA- and CPRA-relevant businesses, and there is clear potential for a fresh set of problems.
Because Data Subject Access Requests (DSARs) can involve some complex workflows, we’ve created a visual guide that includes a process for how your organization can answer these requests. Many mid- and large-size corporate legal departments have access to e-discovery technology, which they can use to initiate and deliver DSAR responses within the 45-day time window required by California privacy regulations.
The Similarities Between E-Discovery & Privacy Processes
- Processing data from both an e-discovery and data privacy standpoint is very similar, but reviewing that data, along with redacting and monitoring changes to the data, might require different sets of eyes and skillsets.
- Searching for personal information that’s potentially relevant to a data request, along with having a data inventory integrated into this process, is essential to focusing your efforts so you can manage the process end-to-end while avoiding missteps.
- Thinking about how you handle your data from a business process standpoint is a big step for many companies to take. It’s also a beneficial exercise to get used to knowing which business units will be most affected by data privacy requests—and you may find that tweaking some business units becomes necessary from an efficiency standpoint.
The Differences Between E-Discovery & Privacy Processes
There will also be cases where e-discovery and data privacy processes clash. While data privacy regulations may be more centered around deleting data, businesses that face litigation may actually have a duty to preserve data if the possibility of litigation becomes apparent. In some cases, companies that don’t keep data that they had a duty to preserve could face sanctions. It’s a fine line for some companies to walk, but having a tight, reliable process is one of the first steps yours can take to help ensure defensibility with both privacy regulations and e-discovery requirements.