Laws like GDPR, CCPA, WPA, and others are springing up across the world giving citizens the right to request companies to disclose what personally identifiable information they store about the individual. For states, companies are required by law to respond to the submitted request within a day and they must to provide the requested information within a month. Scouring through petabytes of data for specific information can prove to be a challenge. Failing to respond on time can result in hefty fines, like in the Barnes v. Hanna Andersson case.
In this text, we’ll cover the six key steps in processing a Data Subject Access Rights (DSAR) request, what the main challenge is for each of these steps, and how DSAR software can make life easier for companies.
Step 1: DSAR Request Submission Portal
Companies should provide a DSAR Request Submission component linked to their corporate website where citizens can submit a DSAR form. This portal should be easy to use, secure, and if the portal supports creating and storing individual login credentials, tied with the login details of the person submitting the request.
The challenge in this first step is the ability of the company to capture the right information about the Requestor, so that the following steps are executed properly and on time. While this first step is not complex, people can easily mistype their name or their email or enter a different email address than the existing one in the system. This can cause problems later on as the request gets to next steps in the workflow.
An effective DSAR solution will have forms with field validations so that proper email formats are checked before submission. In some cases, form validation can go further and check for typographical errors. The benefit of form validation is that Requestors will ensure they are typing in the correct data, and when the form is behind an active login session, these fields can be pre-populated.
Step 2: Verification of Identity
When companies receive a data subject request, the first step is confirming the identity of the person by matching that identity to the requested content.
The challenge is verifying the identity of the Requestor remotely and securely. Chances are, that some of your customers, employees, etc. may need to provide additional information beyond their name, surname, address, telephone number to include login ID, email, IP address, etc. to identified themselves more precisely. In some cases, companies may need to collect a dozen other details to precisely identify who is submitting the request, and what personal data the company keeps.
The benefit of a good DSAR software platform is enabling corporations to quickly and even automatically identify any additional information the Requestor needs to provide in order for a proper and definitive identification. Automating this step is key in responding in a timely fashion and sending the right data to the right person within the 30-day timeframe.
Step 3: Searching for Personally Identifiable Information
As data storage becomes more and more affordable, companies are storing more of it. While this may be valuable for data-driven business decisions, each company’s vast data footprint is adding to the complexity of responding to DSAR requests.
The challenge: after a DSAR request has been successfully submitted, the DSAR software or with an integrated eDiscovery platform will need to search through all the repositories the company has, spread across different systems and potentially different locations to include SaaS based platforms. Companies may keep bits and pieces of personally identifiable data in dozens of locations:
- ECM system databases
- Office 365 / SharePoint folders
- Email servers
- Proprietary applications
- CRM systems
- Billing systems
- Internal chat systems
- External marketing platforms.
The solution will need to be able to securely connect to each of these data storage endpoints and quickly search through petabytes of data. These systems will need to be able to communicate via encrypted API endpoints at-scale, secured from interception or copying by hackers.
An effective DSAR solution makes all this possible. Without it, companies may not be able to respond to DSAR requests in a timely and a secure manner.
Step 4: Data Review and Approval
While companies can fully automate the data delivery, it is best if this data gets reviewed by a person before it is released to the Requestor. One risk is that a document may have PII about another individual that needs to be redacted.
The challenge of having the staff involved in DSAR review and approval is that people will need an intuitive user’s interface to do their job as well as assistive technology given the volume of information. In addition, the entire process needs to be audited so the organization knows how had access to the Requestor’s information.
The benefit of an integrated DSAR solution is the automation, collaboration, tracking, reporting and auditability.
Step 5: Timely Response
The key challenge of DSAR requests is that there is a strict deadline for companies to respond. Similar to Public Records / Privacy / FOIA requests where government have a statutory timeline to respond, companies have only 45 days to receive, verify, and respond to a DSAR request.
Even though many of these laws are fairly new, we already hear of lawsuits against companies who failed to respond properly and on time. Just recently we witnessed the Barnes v. Hanna Andersson case where Salesforce and Hanna Andersson LLC got fined for failing to comply with timely data disclosure under CCPA.
The benefit of using a DSAR application is that corporate staff will be able to follow these requests and get reminders of deadlines. To help assist with complying with the timeline, an integrated DSAR solution that includes eDiscovery and potentially RPA is recommended.
Step 6: Data Editing or Deletion
Under DSAR legal frameworks like GDPR, CCPA, or WPA, data subjects can request deletion or editing of the stored data. Ideally, an integrated DSAR software solution will be able to store the data sources of each piece of PII, tie it to a specific DSAR request, and have the ability to send Delete and Update requests through a secure API connection.
The challenge is twofold here. First, the DSAR software will need a way to send an Edit or Delete command to the exact data location for each DSAR request. Second, this data management will have to be auditable.
This means that qualified DSAR software solutions will have the ability to integrate with disparate data sources and have the ability to quickly respond to any Requestor’s demand for editing or deleting of PII.
Ideally, the DSAR software solution will be able to have a two-way communication with storage endpoints and fulfill a Delete or Edit request. This will allow the DSAR to track the communication that the request was fulfill and by which systems.
The benefit of a reliable integrated DSAR solution is clear. Without a software solution, companies will have a hard time adhering to the law and proving that it was accomplished if litigation arose. There is an added benefit too. While companies may have internal best practices for data management, de-duplication, etc., it is still helpful to have a visual map of all the locations that contain privately identifiable information.
As we already mentioned, companies need to be able to track how each DSAR case is handled, from the moment of its creation to the moment it was successfully processed. Every action done by the staff, every API call done by the software to send requests and receive encrypted information from external sources, every alteration of any data endpoint needs to be thoroughly documented.
Capable DSAR software solutions should have this auditing capability. In cases where the DSAR solution is built with proper case management capabilities, auditing should not be a problem. Most case management platforms on the market have this built-in.
One such solution is ArkCase, an open-source case management platform. ArkCase is built with auditing capabilities out of the box. Any time an action is done on a case, there’s an audit entry with a timestamp and clear details of who did what and where. Companies can extract the timeline for every DSAR form. These reports can contain timestamps, people involved, data sources, staff activities, IP address and even the Requestor’s responses.
The Data Subject Access Requests initiative, covered with legal frameworks like GDPR, CCPA, WPA and other variants, are enabling citizens to approach private companies and request data disclosure. Companies, under CCPA, have to respond to the request and disclose all personally identifiable information within 45 days. Failure to comply could mean hefty fines, as Salesforce already experienced first-hand.
Because of the complexity of what qualifies as personally identifiable information and the vast amounts of data that companies store, DSAR software is quickly becoming a corporate necessity. The only way companies can scour through petabytes of data spread across internal and external databases in a timely manner is by relying on an integrated DSAR software.
In most cases, DSAR software uses the same mechanisms as case management solutions. The forms, workflows, and user roles can all be pre-built and ready to be used out of the box.
The ArkCase team has implemented a DSAR solution that can be integrated within enterprises to automate this process. The ArkCase DSAR solution is a reliable option for any size organization that need to be ready to respond efficiently and effectively to Requestors.
For more information on this subject, feel free to reach out to us via the Contact form, or using the Comments below. And, please help us raise awareness of the DSAR Software option by sharing this text with your social media connections.