Risks to Be Considered When Responding to DSAR

Magnacrest, a Buckinghamshire-based housing developer, was fined for failure to comply with data subject access requests. This incident serves as a fresh reminder for businesses about the public’s right to review all the personal data that gets processed.

While the Magnacrest investigation predated the General Data Protection Regulation and resulted in a small fine, the Information Commissioner’s Office has issued a warning that such leniency will not be granted later. The regulation strengthens the rights of individuals as well as the punishments for neglecting the same.

Simplification of the DSAR Response Method

According to a September 2018 report published by Talend, only 30 percent of businesses are equipped to fulfill DSARs within the given 30-day time frame. This makes it challenging to stick to an effective process for every Data Subject Access Request (DSAR). The problem is compounded by the fact that DSAR requests have increased considerably since the GDPR came into effect.

Thus, it is not surprising that organizations are seeking assistance with the process. They are turning to data protection officers and data privacy lawyers for managing the process and ensuring requests get completed in accordance with the requirements established by the GDPR.

This involves:

● Reviewing and evaluating the validity and nature of the DSAR

● Finding the relevant data

● Verifying the identity of the individual

● Documenting all facts pertaining to DSARs

● Formally disclosing the details to the individual

● Getting consent from third parties in cases where personal data is present in the search results and where it is unattainable due to lawful exemptions

Businesses cannot afford any shortcuts or setbacks in the DSAR process since it could lead to various risks and penalties.

Common Risks

Unauthenticated or Missed Requests

Organizations can miss out on essential requests unless they have the right automation setup. Also, it is impossible to verify the identity of the requestor and trust him/her without proper authentication.

Security in Data Tracking

All data subject access requests need to efficiently managed by the company to meet the given deadlines. Systems responsible for managing the DSARs need to keep the personal data encrypted and centralized.

Security in Data Audits

Approvals need to be tracked and audited by the businesses.

Security During Authentication

If data is delivered to the wrong person, it could have dire consequences for the business as well as the original requestor.

Email is a Risky Way to Manage DSARs

Many businesses opt to manage DSARs via email, but moving personal details into unencrypted formats is a recipe for disaster. Organizations should not be tempted to use existing systems when they manage customer DSAR requests. So, CMS and email options are off the table.

The truth is, transferring personal details or customer information out of encrypted data storage spaces and into other systems involves a great deal of risks. It is essential to secure and control the data sets at all costs. Unencrypted systems are high priority targets for a data breach of some kind. The chances of suffering a data breach involving at least 10,000 records are higher than contracting the flu in winter.

Given how it takes businesses an average period of 196 days to detect a data breach, you could already be experiencing one without even being aware of it. So, it is essential to select a system that encrypts all the necessary information during transit and rest and controls where it is going to be safely stored for managing the DSARs.

Response to Access Requests

Once a consumer submits a verified DSAR request, it is important to offer detailed answers as fast as possible, maximum within 45 days in a transferable, electronic format. However, your obligation to respond to the request may vary, based on what is being asked by the consumer and how they handle their information. This presents a bit of an operational challenge.

Manage Requests for Deletion of Data

DSARs for deletion of data involves not just the team members of business but even the partners and vendors with whom the company shared personal details. If you share personal information with various internal systems and teams, you should be able to track back the information to data store sources and honor the request for the deletion of personal data.

When disclosing personal details to third parties like partners or vendors, you must be able to send deletion requests automatically when you receive a deletion request to every downstream party in possession of the information.

When a business gathers personal data from consumers, they need to submit:

● Assurances that they will honor all requirements for deletion

● Submit certain pieces of personal data that has been collected by the business

● Disclose categories of personal data that has been gathered by the business

Companies gathering personal information on a particular consumer need to provide the following:

● Categories of sources from where they collected the personal data

● Categories of personal details collected by the business

● The commercial or business purpose for the collection

● Specific personal data pieces collected by the business

● Categories of third parties with whom the company shared personal data

Organizations that disclose or sell personal data about consumers need to provide:

● Categories of personal data disclosed regarding the consumer for business purposes

● Types of personal data collected about a specific consumer

● Types of personal data about the consumer that have been sold

● Categories of third parties who bought the personal information

Communicating with Consumers

Both CCPA and GDPR involve the disclosure of communication and rights when it comes to DSARs. However, the reasons themselves are not the same, and you should modify your communication accordingly.

Under the CCPA guidelines, organizations need to inform consumers during or before collection about the categories of personal information to be collected as well as the purposes for which the information will be used. Moreover, the GDPR does not include any right to opt-out of the sale of PI while the CCPA does.

For compliance with the CCPA, you must add a “Do Not Sell My Personal Information” link to your home page. Provide a minimum of two methods for submitting disclosure requests, including an online mechanism on your website and a toll-free number.

You must publicly share a list of personal information categories collected from consumers and disclosed in the past 12 months. The information should be updated every 12 months. Give consumers a chance to opt-out at any point without having to create an account.

Concluding Remarks

While compliance with DSAR requests is mandatory under CCPA and GDPR guidelines, there are several risks if you fail to do it right. That is why businesses should have specific measures in place to manage all DSAR requests effectively without putting themselves or their consumers at risk.