Is your company having trouble handling data subject access requests (DSARs)? Don't fret—you're definitely not alone. DSARs can be complex and time-consuming for companies to deal with. Fortunately, this short 'n' simple primer is here to help you manage data access requests effectively and efficiently!
In this guide, we'll cover everything from what a DSAR is and who submits personal data requests to how you should respond to a DSAR and the common challenges you'll encounter when managing data subject requests. We'll also answer one of the most elusive questions surrounding user DSARs: Can your company automate data subject requests? Let's dive right in.
‍
The global digital landscape is rapidly evolving. In an effort to bolster data transparency and privacy, the General Data Protection Regulation (GDPR) granted EU residents and anyone doing business with EU organizations new rights regarding how organizations collect and process consumer personal data. The California Consumer Privacy Act (CCPA) and the more recent Virginia Consumer Data Protection Act (VCDPA) established similar obligations to be transparent and respect information access requests to protect data subject privacy rights.
One of these privacy rights is called the right of access. his right empowers individuals (“data subjects” under GDPR) to submit a request known as a data subject access request to learn what information your organization has about them and how the company uses it. Besides discovering or accessing their personal data, subjects can also use DSARs to request correction or deletion of their personal data from the company records.
Recent data privacy legislation like the GDPR and CCPA have increased the power of  consumers to make these information requests, and the risk to companies of fumbling them. While this development of data subject request options certainly improves transparency for consumers, it also creates challenges for companies around the world that store personal data because they now have to manage the requests and stay compliant with legal requirements.
Anyone can submit a DSAR at any time. This access right includes but is not limited to customers, users, sales prospects, employees, contractors, job candidates, and donors. Individuals do not need to supply a reason for submitting a DSAR, and organizations can only ask questions that help verify the subject's identity or locate the requested data to protect privacy rights.
Individuals can also submit DSARs on behalf of others. Here are some examples of when a DSAR can be submitted for others:
In these cases, it's imperative to verify that the person submitting the DSAR is genuinely doing so on behalf of the data subject. Businesses can do this by requesting supporting information and evidence of their relationship (e.g., birth certificates, power of attorney documentation, etc.).
DSARs usually request a copy of all personal data you have on a data subject. Sometimes, the subject may only request access to specific details and information. Either way, you're obligated to provide any data that is relevant to the individual's request for access to their information.
Here are some examples of the information that data subjects can request from a company:
Generally speaking, you must take four steps to process and fulfill a data subject request.
Before your organization starts fulfilling a new DSAR, your company needs to register the request, log the request in a record system, and authenticate the user making the request.
Next, you must discover and categorize the subject's personal data that you process and store in your data management systems.
After collecting the subject's personal data, review or redact it to ensure that it meets DSAR requirements without disclosing any proprietary information or data of other subjects.
Once you've completed the previous three steps, you can now deliver the information to the data subject. Make sure you do this as safely as possible to protect data privacy—data breaches or leaks can be extremely expensive for companies, both in money and reputational damage.
Under the CCPA, you must respond to a DSAR within 45 days. The GDPR data privay regulations only gives you 30 days to respond to a DSAR. Although both laws offer extensions in certain cases, failure to respond to a DSAR within the proscribed timeframes can result in substantial fines and regulatory penalties. Failure to fulfill a request can also damage your organization's reputation by suggesting that you don’t value data protection and information transparency.
DSAR orchestration involves a complex workflow of verifying the information request, finding the data, reviewing it, and delivering it to the subject. Bringing DSAR automation to the process would be a boon for companies, but it’s easier said than done due to the following data privacy complexities:
Depending on the size of your organization, DSAR orchestration can encompass dozens, or even hundreds, of systems that collect and store data subject information. This means you have to go through all of the steps mentioned above for each system your organization relies on—in-house legacy, cloud-based, data warehouse, and third-party—to fulfill the information request.
This factor alone can exponentially increase the complexity of completing a single DSAR. Consequently, fulfilling DSARs can quickly become both time- and labor-intensive, costing you much more money and resources than your company had originally envisioned.
The bottom line? If you don't keep all of a subject's personal information in one convenient place, you'll probably have to implement a data mapping process and data privacy manager to keep track of all the requests and rely on a reporting tool to pull this information from several resources to generate a DSAR response efficiently.
No matter what business you’re in, this is a common conundrum you're likely to encounter when handling access requests. Personal data about your customers resides in more places than just your CRM—it's also in your financial and customer service systems, data logs, backups, websites, and many more locations across the cloud. Data processing inventory can be difficult to manage and keep organized across the company.
Besides existing in multiple systems, personal data also comes in multiple identifier formats, such as names, email addresses, accounts, and cookies, just to name a few. To make matters worse, your customer may be John Smith in one system, cookie AU9AtlDpEbAqfakUE in another, and reward member #59420392 in yet another. Before you can even think about fulfilling or automating DSARs to be in compliance with data protection law, you need to be able to find and align all of this data—a heavy lift.
For example, let's pretend you've received a DSAR based on an email address. If this isn't the system identifier, you'll need to request more information from the data subject or try to figure out the correct data format by delving into your information management system. The latter option isn't always available since some systems only hold obscure user identifiers. Without this information, not only is DSAR automation impossible, but your compliance with governance policy is now at risk.
‍
Even if you can locate all of a data subject's information, fulfilling the DSAR requires you to know and implement all of the steps of your workflow for each management system. Tools like ticketing systems have proven to be valuable in helping customer service and IT help desks organize their DSAR workflows. And many have even added support for managing GDPR and CCPA DSARs. But they can only automate part of the access request process.
Ticketing systems can take care of tasks like ticket creation, receipt acknowledgment, and due date alerts. But they can't find, delete, or change all of the formats of a subject's personal data across all of your systems—that task falls to you. In other words, your ticketing system can tell you what to do, but you're still on the hook to actually orchestrate the DSAR and ensure that every step you take satisfies GDPR and CCPA policy requirements. This actually comprises the bulk of complexity, time, and effort within your DSAR response workflow.
Regardless of the ticketing solutions, spreadsheets, and documented procedures you employ to streamline your DSAR response workflow, the actual process required to account for, modify, or remove personal data from each of your systems will still be manual to a significant degree.
So can DSAR orchestration ever be truly automated? Luckily, that's exactly what Ketch is for. Ketch can automate your DSAR response process.
GDPR and CCPA compliance doesn't only let you avoid policy penalties; it's also a prime opportunity to establish and build trust with your customers. Quick, efficient responses to DSARs can elevate your brand by showing your clients that you take their data privacy seriously. But as you now know, accomplishing DSAR automation and staying in line with policy laws isn't an easy feat.
If you're wondering if there's a better way to automate your DSAR response workflow, Ketch has got you covered. We built our platform from the ground up to automate the fulfillment of data subject access requests. And when we say "fulfillment," we really mean your entire DSAR workflow—not just ticket creation.
Want to remove compliance headaches and avoid hiring a costly data compliance analyst? Robust, automated DSAR orchestration is just a few steps away. Schedule your Ketch demo and learn how our platform can simplify your DSAR response workflow to help you stay in compliance with current data subject legal policy.
To learn more about Ketch's innovative approach to Privacy Orchestration, download our white-paper.
Data transparency and personal information privacy have become top of mind for both consumers and businesses. This is in large part due to the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) establishing rules regarding how organizations collect and process personal data. One of these policy rules focuses on consumer data deletion rights and requests.
‍
The GDPR grants EU residents and anyone doing business with EU organizations the right to be forgotten. Also known as the right to erasure, it allows individuals to ask organizations to delete their personal data from information management systems. An individual has the right to request their information to be deleted if:
Similar to the GDPR's right to be forgotten, the CCPA's right to delete information allows individuals to ask organizations to erase their personal data if:
It's important to note that data deletion rights differ from data access rights. The latter requires organizations to create a report that outlines what information they have about a person and how they use the information. Fulfilling data deletion requests usually requires more specificity, insight, and context into how you process the data in your management systems.
To put this in perspective, an organization could manually fulfill DSARs for the most part if they only receive a low volume of them and only deal with few data sources. But doing so for data deletion requests is more complex.
Want to efficiently respond to data deletion requests? Then you should prioritize these two factors when managing deletion requests:
This sounds simple enough, right? Well, it quickly gets complicated! For this reason, we advise you to have a plan in place for managing data deletion requests.
Here are the steps you should include in your process for taking care of data deletion requests:
Note that this outline doesn't include details like how to respond to the request, who manages the request process, and which management team is accountable at each step. It's also crucial to remember that policies and reports alone can't solve data deletion requests. To effectively address requests, you need a technical solution that fits into your broader privacy management program.
Due to their complexity, data deletion requests can be more time-consuming and overwhelming to deal with than regular DSARs. Many ticketing-based solutions promise a seamless way to automate requests. But like typical DSARs, this can be difficult (if not impossible) to do with these tools.
In truth, ticketing systems only automate tasks such as ticket creation, receipt confirmation, and deadline alerts. An individual's personal data often exists in several formats across numerous in-house, cloud-based, and third-party systems. Ticketing systems can't find, change, or delete all of these different data formats across your systems. That will still depend on you and your management team.
Essentially, a ticketing system can tell you what to do to handle the request. But actually orchestrating the request and ensuring your process meets GDPR and CCPA compliance is still on you. Unfortunately, this constitutes the majority of the work involved. So, is automating data deletion requests actually viable? It is with Ketch.
Taking care of data deletion requests offers two main benefits:
But manually addressing these user requests is often easier said than done. Ketch is here to change this. Our information request solution empowers you to automate your response workflow for DSARs by leveraging tools such as open-source APIs, syntax command templates, and system integration in conjunction with a central control system. As a result, you can automatically record, track, and respond to DSARs like data deletion requests faster and more effectively.
When it comes to privacy data compliance, Ketch puts your data systems to work so you don’t have to. Real automated orchestration of DSARs and data deletion requests is finally here to put an end to the confusion and headaches that usually accompany data compliance.
Schedule your Ketch demo and learn how our platform can simplify your response workflow for DSARs and data deletion requests.
‍
‍