6 Steps to Processing DSAR’s Under CCPA & GDPR
by Robert Bond
A Framework to Processing DSAR’s Under CCPA & GDPR
We continue to dig into the topic of privacy, GDPR, and CCPA in this blog to clarify the requirements of current compliance legislation as well as new legislation that may impact organizations. As a matter of fact, this is our fifth “privacy compliance” post and one that we will use to focus on one of the most critical problems organizations are facing – Responding to DSAR’s under CCPA & GDPR effectively and efficiently.
Our previous blog post, Executing DSAR’s Under CCPA & GDPR dealt with executing or responding to DSAR’s to meet the requirements of the compliance legislation. In addition, previous blog posts discussed the elements of the legislation itself including taking the opportunity to break apart the legislation, define it and explain it as clearly as possible. This blog post will deal with processing DSAR’s under CCPA & GDPR.
OUR BLOG POST LIBRARY OF PRIVACY LEGISLATION TOPICS
Blog – Executing DSAR’s Under CCPA & GDPR
Blog – Are Organizations Ready for The California Consumer Privacy Act (CCPA)?
Blog – How the California Consumer Privacy Act (CCPA) Will Impact Business
Blog – Four Data Protection and Privacy Laws You Must Know
Service Page – CCPA Guidelines and Requirements
Processing DSAR’s Under CCPA & GDPR Cost-Effectively
Data Subject Access Rights or DSARs under the CCPA & GDPR legislation allow an individual can make a data subject access request to you, the organization verbally or in writing. The request can also be made to any part of your organization including through your Twitter, Linked-in or Facebook pages and does not have to specify a person or contact point. In addition, organizations operating under both the GDPR and CCPA are no longer entitled to charge a fee for a single processing request of personal information. Additionally, organizations operating under both the GDPR and CCPA now have a shorter period to respond to requests for personal information. The GDPR specifies 30 days and CCPA – 45 days.
Fines for Not Responding to DSAR’s Under CCPA & GDPR
Companies have an enormous incentive to respond to DSAR’s as a failure to respond to a Data Subject Access Request within the regulatory timeframe can expose organizations to a higher level of administrative fines. In the case of a GDPR violation, the organization could be subject to a 20 million euro or up to 4% of annual global turnover, whichever is the greater amount Under the CCPA the fine is $7500 for “intentional” violations of the requirement.
Thus far, breaching DSAR rules has led to more than a dozen fines so far under the European Union’s General Data Protection Regulation (GDPR). The Berlin Commissioner for Data Protection and Freedom of Information has imposed fines in excess of €195,407, including fees, on Delivery Hero Deutschland GmbH. According to Netzpolitik.org, this is the highest GDPR fine ever imposed in Germany. Other common reasons for DSAR fines have included failure to respond to requests in time and failure to provide complete personal information to DSARs excluding video, audio, and phone recordings.
In total, the Berlin Commissioner for Data Protection and Freedom of Information has imposed 27 fines under the GDPR since it came into force, and two under the new Berlin Data Protection Act. It recommends that Berlin founders attend the twice-monthly start-up consultation hour so that questions can be clarified at an early stage.
We provided examples from the Berlin Commissioner for Data Protection and Freedom of Information however there are dozens of organizations levying fines across Europe and each has its own interpretation of the law to some degree. The website www.enforcementtracker.com has 262 entries of fines that can be searched by country and violation.
What Type of Fines and Enforcement Can We Expect from CCPA
The new California Consumer Privacy Act (CCPA), which came into force on January 1st, 2020, is set to be at least as tough on penalties as the GDPR. As we suggested, the CCPA provides that companies will be subject to a civil penalty of between $2,500 and $7,500 per violation of the CCPA, which includes the DSAR mandate.
Compliance with the CCPA has a massive reach as there are over 40 million Californians. This means most organization’s databases will have at least a few Californians in their systems and databases and will have to abide by CCPA. Furthermore, it is expected that at least 19 other states including New York, Washington, and Illinois will use the CCPA as a blueprint and implement legislation that is already in the works.
CCPA and GDPR have a variety of differences which we have touched on in earlier blog posts, however, for a snapshot of the differences, Baker Law has a fairly comprehensive downloadable PDF which I promise is virus and malware-free.
Now that we have laid the groundwork, let’s walk through the steps to implementing an efficient and cost-effective DSAR process.
The Cost of Handling DSAR’s
Personal information also known as ‘Personally Identifiable Information’ or ‘PII’ is an extremely broad category of information. The CCPA defines personal information as information that: “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier perhaps a login name, an online identifier such as an IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.”
While the request to access this information is somewhat commonly called a DSAR, as we said in our previous blog post, other acronyms and names for essentially the same request are:
• VCR – Verifiable Consumer Request
• SRR – Subject Rights Request
• SAR – Subject Action Request
• DSR – Data Subject Request
According to a recent Avepoint article, a single request (DSAR) could cost from $200 to $200K. Quite a range of costs, and a significant new item on the P&L for organizations who leverage e-mail marketing or other marketing tactics that may generate a large number of DSAR’s. PwC estimates that businesses have already spent more than $5 million on average preparing for the CCPA in the past two years.
Think about this, “If Fred Mertz makes a DSAR request today, how do I know which systems contain his data? If I find all that data, how can I make sure it’s accurate or properly redacted? What if there are e-mails about Fred Mertz that have his e-mail address and phone number in customer service personnel systems? Can I even meet the deadline to respond? I probably need at least 10 people dedicated to this activity.”
The Solution to Handling DSAR’s is Automation
Automating the handling of DSAR’s will result in:
- Financial cost savings in the DSAR Process
- Reduced risk of financial compliance penalties
- Reduced risk of brand damage
In addition, beyond the compliance issue, consumers are increasingly demanding transparency from organizations that collect their personal data – think Facebook over the past year. Just as with other consumer preferences related to their moral or personal convictions, consumers will increasingly pay a premium for a company that takes handles their personal information with care. Automation is crucial to bring those consumers the data they request, quickly, and in the format, they desire without bankrupting the organization storing the data.
Let’s go through 6 steps that we believe will fulfill the requirements of CCPA, the expectations of your customers while saving your organization time and money.
Step 1: Collect & Process DSARs
The first step for dealing with DSARs is the efficient collection of the consumer’s request. It is recommended that companies have a submittal data request form on their website to enable the ready acceptance of DSARs. Ideally, this form should:
- Be available on the company website and easily located (home page link to landing page DSAR form)
- Be customized, depending on regional requirements and the additional needs of the company. This may mean multiple forms for consumers from different regions
- Provide pre-defined choices (e.g., a drop-down box) to avoid overly general or vague requests. This is also useful for establishing if the consumer has a different, related, request such as a request to delete their personal information
- Include strong identity verification measures. These measures protect incoming requests, prevent fraud and eliminate those pesky bots.
Step 2: Collect the Personal Information (PII) and Identify the Owner
Once the request has been submitted, the company systems, software, and people need to locate the consumer’s information. Elements of collecting PII and tying it to a data source may include:
- Locating information from disparate systems. Personal information is often in different places and in various forms. As we suggested prior, it could be in e-mails, in structured and unstructured data and so on.
- Ensuring each required aspect of the personal information is collated. Under the CCPA, collated information must include the categories of PII collected, the categories of information sources, the commercial purposes for the information, the categories of third parties with whom the information has been shared and the categories of that personal information.
Step 3: Review & Approve the Customer PII Request Submission
While it is recommended that the collection of personal information in step two use an automated process, there may be manual steps along the way. DPO’s (Data Privacy Officers) and their team may need to follow up on unresolved issues from the automated collection. For example, if the system flags potentially duplicate information, this may need to be manually checked.
However, there are excellent software solutions that provide an administrative portal that can track, log and timestamp all requests and where they are in the process of being resolved. Many solutions allow teams to process DSAR’s as a team with chronology information, chain of custody data and notes.
Step 4: Documentation, Collaboration, and Confirmation
Once personal information has been identified, it will often be essential to collaborate across business units and with third parties to put the information together and complete the request. As we suggested in step 3, software solutions in the market are doing a much better job of creating secure portals to handle requests.
PII should never be stored or sent across insecure systems. Secure portals will allow for a secure space for team members to collaborate to discuss, coordinate and resolve DSAR’s as consumer responses are compiled.
Step 5: Provide Responses Quickly and Securely
Once the DSAR response content has been prepared, and a compliance report created, the final data report needs to be provided in a secure format to the requestor. The reports should be provided to the requestor:
- in an easy to transfer format
- in a secure format that is not vulnerable to alteration or tampering during transport
Due to the possibility of an audit or legal action, a company must also keep a chain of custody or records of where the PII was found, when it was compiled and when it was delivered to demonstrate compliance with GDPR or CCPA.
Step 6: Consider DSAR Exemptions and Refusals
In addition to requesting access to the information itself, a DSAR can also be accompanied by a request to delete PII. There is a range of exceptions and exemptions built into the DSAR rules which organizations must understand.
The exceptions to deleting PII in the CCPA include:
- Information required to complete a transaction
- Security. Sometimes information must be retained in order to detect fraud, prosecute those responsible and debug errors
- Errors. Some personal information may need to be retained to identify and fix program errors
- Free Speech
- CalECPA (California Electronic Communications Privacy Act) compliance. This means that businesses don’t need to delete certain information when state law enforcement has requested personal information
- Personal Information collated for the purposes of research in the public interest
- Expected internal uses
- Legal Compliance. Any personal information a business has to keep in order to satisfy a legal obligation is not subject to consumer deletion requests.
The financial costs of manually carrying out the 6 steps are significant. As we suggested earlier, a company could spend between $200 to $200K to compile DSAR information to a consumer. In all likelihood, the average cost of fulfilling a request is $1,400 according to a variety of sources we went through preparing this post.
Automating the 6 steps we discussed will reduce the cost of handling DSAR’s, help maintain compliance with GDPR, CCPA and the inevitable addition compliance legislation that will be coming and avoid brand damage that may result from poor handling and subsequent legal action.
We hope this process helps you and your organization get a handle on DSAR’s. If you have questions, you can certainly reach out and we’ll be glad to help you put a process or solution in place.
October 15, 2020
September 22, 2020