Depending on which surveys you read, somewhere between 45% and 86% of companies won’t be ready for the California Consumer Privacy Act (CCPA) when it launches on January 1, 2020. Given the scope of these regulations, there’s a good chance your company will be affected by the CCPA one way or another (or perhaps your state is one of two dozen others looking to establish a copycat law). Furthermore, the average cost to respond to just one request is about $1,400. Multiply this by the dozens—or perhaps hundreds—of requests that some companies anticipate receiving in a given week, and you can see that this represents a significant potential impact on employee time and company resources.
Because Data Subject Access Requests (DSARs) can involve some complex workflows, we’ve laid out a process below that shows how your organization can utilize your current e-discovery software and processes to initiate and deliver DSARs within the 45-day time window required by the CCPA.
Data Subject Access Request Workflow
The Similarities Between E-Discovery & Privacy Processes
- Processing data from both an e-discovery and data privacy standpoint is very similar, but reviewing that data, along with redacting and monitoring changes to the data, will be more difficult.
- Searching for personal information that’s potentially relevant to a data request, and having a data inventory connected into this process, is essential to focusing your efforts so you can manage the process end-to-end while avoiding missteps.
- Data mapping/inventory: Thinking about how you handle your data from a business process standpoint is a big step for many companies to take. It’s also a beneficial exercise to get used to knowing which business units will be most affected by data privacy requests—and you may find that restructuring some business units becomes necessary from an efficiency standpoint.
The Differences Between E-Discovery & Privacy Processes
There will also be cases where e-discovery and data privacy processes clash. While data privacy regulations may be more centered around deleting data, businesses that face litigation may actually have a duty to preserve data if the possibility of litigation becomes apparent. In some cases, companies that don’t keep data that they had a duty to preserve could face sanctions. It’s a fine line for some companies to walk, but having a tight, reliable process is one of the first steps yours can take to help ensure defensibility with both privacy regulations and e-discovery requirements.