Can Orchestrating Privacy Data Subject Requests be Automated?

The complex, time consuming, and downright annoying process of exporting, erasing, or rectifying personal data to respond to valid data subject requests sanctioned under privacy data regulations like GDPR and CCPA likely has you wondering if there’s a better way. You’re not alone if you’re considering a ticketing-based solution touting the ability to automate this process. But can orchestrating data requests from customers be automated?

Personal data exists in multiple formats across multiple in-house, cloud-based, and third-party systems. It can be an email in one system, a rewards number in another, or a cookie in yet another. Before a data subject request can even be fulfilled, much less automated, you need to find the data. Easier said than done. Consider a request based on email address. If that’s not the system identifier, you need to either gather more information from the now-frustrated customer or delve into the system to try and determine the data format. That’s not always possible with systems that hold only obscure device identifiers or cookies. And by law, you can’t claim you don’t have the data just because you don’t have the identifier. Without this information, compliance is at risk and automation is not possible.

Even when the data is located, fulfilling the request requires knowing all the steps within the workflow of each system. For external systems, this could be sending an email or going through the user interface to generate the request. For internal systems, it means identifying the responsible system owner and operator. This is all compounded by the fact that you still need to determine if the request was even received and fulfilled—for every system.

Since the definition of personal data is broad, and it can reside in several linked systems and subsystems, the question also often remains whether the scope of all the data was even dealt with. You might think a data subject request only requires you to delete the customer table containing names, email addresses and account information. But if that customer’s data exists in other locations and formats like purchasing or browser history, you’re only in compliance if ALL the appropriate data is deleted. That also means you need to know what data is exempt and must be maintained for contractual, legal, or auditing purposes.

Considering the complexity of it all, don’t be fooled by ticketing-based system that have you thinking the actual work of fulfilling data subject requests will be automated. Sure, these systems may automate the creation of a ticket, an email response to the customer acknowledging the request, or the due date required by a specific regulation. They may even help you manage HOW to fulfill requests—that is once you’ve determined and set up all systems, identifiers and workflow requirements. But ticketing-based systems are simply not capable of automating orchestration.

So the question remains—can orchestrating data subject requests even be automated or is that just pie in the sky? That’s where Ketch come in.

Using technology rather than process, Ketch is working to solve the barriers of automation by invoking tools like open-source APIs, syntax command templates, and system integration in conjunction with a central control system that lets you automatically record, track, and respond to data subject requests. When it comes to privacy data compliance, our goal is to make data systems work so you don’t have to.

Complying with data security and privacy regulations like GDPR and CCPA isn’t just about avoiding penalties—it’s also about building trust with your customers. That means fast, effective response to data subject requests from individuals asking to discover, access, rectify, or delete their personal data that your company maintains.

With the data sitting in multiple systems and formats—from names and email addresses, to accounts and cookies—orchestrating data subject requests can be complex and labor-intensive, costing you money and tying up resources to respond by the deadline. Under CCPA, that’s 45 days. GDPR gives you just 30.

Ticketing systems make it easier for customer service and IT help desks to effectively respond to requests through an organized workflow. They’re a great tool for recording, assigning, prioritizing, and tracking support tickets. Many of these systems have now added support for managing GDPR and CCPA data subject requests. With features like tagging to ease searches, canned responses to prevent repetitive work, assignment rules to delegate responsibility, and customized reporting to help with audits, a good ticketing system can certainly make handling data subject requests more efficient. But if you think these systems will do the work for you, think again.

Ticketing systems can automate some of the workflow in responding to data subject requests. Think ticket creation, receipt acknowledgement, assignment, or due date alerts. But the actual work of fulfilling the request still must be done. Automation claims may give you the illusion that it will do it for you, but a ticketing system is never going to find and delete or change all the formats of someone’s personal data across multiple internal, cloud-based, data warehouse, and third-party systems. That’s up to you.

In other words, your ticketing system might tell you what to do, but you’re still stuck orchestrating the request through a combination of manual system hunt and peck, available data privacy APIs, and third- party requests—all of which then needs to be verified to ensure GDPR and CCPA compliance. This is what makes up the bulk of complexity and time within the workflow. But it doesn’t have to.

Ketch doesn’t just manage the workflow of responding to consumer data subject requests by creating and tracking tickets. We actually intelligently automate the fulfillment of those requests by directly integrating with the systems where the data resides. Instead of treating data privacy like help desk and investing in a ticketing system that at most creates a ticket, stop the manual, time-consuming process of closing that ticket with Ketch.

Click here to schedule your demo and learn how Ketch doesn’t just capture and track data subject requests but automatically orchestrates their fulfillment.