Over the past few years, data subject access requests (DSARs) have practically become universal requirements for privacy regulations around the world. But many organizations still do not know how to handle nuances of these rules, such as data deletion rights. In this article, we'll cover everything you need to know about fulfilling data deletion requests. We'll also discuss how you can automate them! Let's begin.
Need a quick primer on DSARs before reading this post? Check out our previous article!
Data transparency and privacy have become top of mind for both consumers and businesses. This is in large part due to the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) establishing rules regarding how organizations collect and process personal data. One of these rules focuses on consumer data deletion rights.
The GDPR grants EU residents and anyone doing business with EU organizations the right to be forgotten. Also known as the right to erasure, it allows individuals to ask organizations to delete their personal data. An individual has the right to request this if:
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay (...).
Extract from Art. 17 GDPR – Right to erasure ('right to be forgotten')
Similar to the GDPR's right to be forgotten, the CCPA's right to delete allows individuals to ask organizations to erase their personal data if:
Read more: Understanding the CCPA right to deletion
It's important to note that data deletion rights differ from data access rights. The latter requires organizations to create a report that outlines what information they have about a person and how they use it. Fulfilling data deletion requests usually requires more specificity, insight, and context into how you process the data.
Read more: CCPAÂ DSARÂ process
A data deletion request is a formal request made by an individual to an organization, asking for their personal data to be deleted. This right is part of privacy regulations like GDPR and CCPA, allowing individuals to have their data removed from company databases, ensuring their privacy and reducing the risk of misuse.
To put this in perspective, an organization could manually fulfill DSARs for the most part if they only receive a low volume of them and only deal with few data sources. But doing so for data deletion requests is more complex.
‍
‍
Want to efficiently respond to data deletion requests? Then you should prioritize these two factors:
This sounds simple enough, right? Well, it quickly gets complicated! For this reason, we advise you to have a plan in place for managing data deletion requests.
Here are the steps you should include in your process for taking care of data deletion requests:
Note that this outline doesn't include details like how to respond to the request, who manages the process, and which stakeholders are accountable at each step. It's also crucial to remember that policies and reports alone can't solve data deletion requests. To effectively address them, you need a technical solution that fits into your broader privacy management program.
Due to their complexity, data deletion requests can be more time-consuming and overwhelming to deal with than regular DSARs. Many ticketing-based solutions promise a seamless way to automate them. But like typical DSARs, this can be difficult (if not impossible) to do with these tools.
In truth, ticketing systems only automate tasks such as ticket creation, receipt confirmation, and deadline alerts. An individual's personal data often exists in several formats across numerous in-house, cloud-based, and third-party systems. Ticketing systems can't find, change, or delete all of these different data formats across your systems. That will still depend on you.
Essentially, a ticketing system can tell you what to do. But actually orchestrating the request and ensure your process meets GDPR and CCPA compliance is still on you. Unfortunately, this constitutes the majority of the work involved. So, is automating data deletion requests actually viable? It is with Ketch.
Taking care of data deletion requests offers two main benefits:
But manually addressing these requests is often easier said than done. Ketch is here to change this. Our solution empowers you to automate your response workflow for DSARs by leveraging tools such as open-source APIs, syntax command templates, and system integration in conjunction with a central control system. As a result, you can automatically record, track, and respond to DSARs like data deletion requests faster and more effectively.
When it comes to privacy data compliance, Ketch puts your data systems to work so you don’t have to. Real automated orchestration of DSARs and data deletion requests is finally here to put an end to the confusion and headaches that usually accompany data compliance.
Schedule your Ketch demo and learn how our platform can simplify your response workflow for DSARs and data deletion requests.
‍