As organizations prepare for January 1, 2020 – the California Consumer Privacy Act (CCPA) commencement day – there are a number of nuances of the legislation that companies must navigate. The one I am hearing the most about (and talking the most about, myself) is how best to manage Data Subject Access Requests (DSARs).
Here, the CCPA distinguishes itself a bit from the European Union’s General Data Protection Regulation (GDPR). Under Section 1798.130 of the CCPA, businesses in scope need to:
(1) Make available to consumers two or more designated methods for submitting requests for information required to be disclosed…including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address.
The GDPR is less prescriptive than the CCPA: under the GDPR, requests can be submitted in writing, orally, or by other electronic means when appropriate. While not easy, what’s involved in delivering on this CCPA requirement is clear. It requires an organization to work with its internal, and potentially outsourced, team to implement a dedicated telephone number and an online form that are both available and operative for consumers. While this will require time and effort, the CCPA gives businesses the opportunity not only to operationalize DSARs, but to get them right for these individuals.
The real work comes in processing and fulfilling these requests. This challenge is not unique to the CCPA, but is going to be a continual hurdle for companies as we venture deeper into the era of heightened data privacy requirements. For this we need to become masters of the full life cycle of the PII (personally identifiable information) our organizations touch.
Understanding the Full Life Cycle of PII for DSAR Processing
The CCPA not only sets forth the minimum intake channels organizations must provide for data subject access requests, it details the next steps necessary to follow through on those requests. Businesses in scope are required to:
(2) Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable consumer request from the consumer. The business shall promptly take steps to determine whether the request is a verifiable consumer request, but this shall not extend the business’s duty to disclose and deliver the information within 45 days of receipt of the consumer’s request.
With expectations clearly outlined, now is the time to square away all your internal processes for efficient response, disclosure, and delivery. This is not something you want to think about for the first time when you get your first data subject access request. Forty-five days can go by very quickly when you have no idea where data lives, who has it, how and where it is collected from, and where and to whom it has been disclosed and for what purpose.
First, everything starts with mapping your data flows. The CCPA data buckets outlined below require the business to understand the where, what, why and how of the data it collects.
- Categories of personal information the business collected about that consumer
- Categories of sources from which the personal information is collected
- Categories of third parties with whom the business shares the personal information
- Purpose for collection and if applicable, the purpose for selling the personal information
- The specific pieces of personal information it has collected about that consumer
Second, we must inform consumers about the data above as well as their rights to that data. Businesses must therefore update and/or implement privacy notices across the various collection points.
Third, organizations need to provide the methods for consumers to exercise their data rights. For the CCPA, this is the creation of a toll-free phone number and web portal discussed at the start of this blog.
Finally, we need to respond to, verify and fulfil a data subject’s access request. This requires planning and establishing processes for identity verification, obtaining the requested information from all locations within your organization, and providing the requested information. If you have not taken the time in step one to map your data flows, each DSAR will likely result in a series of one-off wild goose chases, frantically trying to track down consumer data from all around the organization. With the new headlights on data privacy, the volume of requests could quickly make this unsustainable.
Data mapping is key here and requires you to understand what data types you collect, where you store them, who processes them, where the access points are, and what your data retention practices are. Data handling practices should then be formalized throughout the organization by codifying data privacy best practices through updated privacy policies and data privacy compliance training designed to educate the critical personnel who collect, manage or process data within the organization.
With your data properly mapped, consumers properly informed, and intake channels active, DSARs should only trigger a preplanned response and data retrieval exercise rather than a data panic.