DSARs, IRRs, Consumer Rights’ Requests, Derechos ARCO – if you broke out into a cold sweat reading any one of those, then this blog post is for you. Privacy requests are complex and burdensome in daily operations today, and only getting more prolific.
fAdd in the nuance of different requestor types (consumers, employees, contractors, even other companies), different regulatory stipulations (45 under CCPA, 30 under GDPR, etc.) and the efforts of your operations can quickly end up working through a tangled mess that looks worse than a middle school food fight. Pile on new industry requirements like the ones put in place by Apple for automated in-app user deletion, and things get dizzying.
Getting this process right not only builds confidence in consumers and employees but helps organizations build more trusted brands and be on the right side of privacy.
How do you build a strategy that works?
- MAP AND INVENTORY YOUR DATA: Yes, this really is necessary. Not all privacy laws have strict requirements for a demonstrable mapping of data processing. Regardless, mapping helps you to better know and understand the data you process to respond adequately to requestors and will help you to better manage decisions around what you do and don’t have to honor. This can be based on things like the legal basis of data processing, legal disputes and even IP considerations.
Given that certain rights may not apply to all data subjects (such as erasure for former employees), organizations need to have a definite handle on how to proceed on those bases. This should be done through both semi-automated (mapping in centralized repositories for context-driven data) and automated (system and data discovery, in both structured and unstructured repositories). The discovery system should also be capable of “indexing”, or leaving a flag in those data schemas, to identify what types of data live where.
- AUTOMATE WHERE POSSIBLE: Full automation of requests is possible in some cases. Where automation is properly used and scoped for organizations, OneTrust has been able to reduce time to complete requests by as much as 87%. The question you should be asking: should we try to fully automate?
Of course, we all want to make request handling as efficient and automated as possible – most privacy, security and IT pros don’t have time to “herd cats” in other departments to satisfy requests. It should be noted, however, that full automation isn’t always the best course of strategy. If you aren’t factoring in things like legal reviews and holds to validate the necessity of honoring a request fully (like in the case of a deletion/RTBF request), you may miss important steps.
As part of the automation process, organizations should determine what types of requests they want to, and can, automate. Access requests (or the Right to be Informed) can typically be handled by integrating with various systems in the cloud or on-premises and querying for certain identifying details to tie together the data you have about individuals.
But what about deletion requests? Many systems, especially older on-premises systems, can’t handle an automated deletion of data without having damaging effects on the data set’s operational functions within a system. For most companies, manual steps or intervention from a DBA could be required. You may also need to ask a third-party to help you satisfy a deletion request, and in many cases, the level of automation you can expect there will vary.
In summary, it’s not reasonable for most companies to expect 100%. The processes you build should include structured stages and steps to follow so that scaled teams across departments and jurisdictions can repeat the playbook the privacy team builds.
- BE TRANSPARENT AND SECURE DURING THE PROCESS: Communication is essential throughout, and that starts with the way you notify individuals of their rights and how to exercise them. Most organizations have several methods including intake forms, call-in lines and email addresses – all disclosed in their privacy policies. In practice, the process can start in many ways and organizations should match where requests can be made, to the practical nature of your business (e-commerce channels, call centers, in-app requests, as examples).
It’s also incredibly important that organizations adequately protect data. This starts with making sure there is an effective and safe identity validation process, where only data that is strictly necessary to validate identity is requested or collected. Throughout the lifecycle of requests, companies should also ensure that all communication channels and portals are encrypted, and access to communications or files is limited to minimum necessary access controls (like tokenized access with expiring credentials).
- DON’T OVERSHARE OR VIOLATE THE RIGHTS OF OTHERS: Particularly in the context of employee requests, organizations need to be cautious to not share the personal data of individuals who are not the requestor themselves. As an example, in email correspondence, names, addresses and other details are examples of data that should not be shared – if not strictly necessary as part of the satisfaction of the request.
Organizations should consider processes and strategies around the redaction of data that will protect the rights of customers, employees and other individuals. By redacting sensitive or irrelevant data, you ensure adequate privacy protection.
Redaction strategies and processes can also benefit organizations in other ways including the protection of intellectual property. As an example, in the case of a portability request, a company may wish to redact sensitive algorithmic information that doesn’t impact the requestor but could accidentally divulge proprietary processing and automation.
- ADAPT: Your privacy rights request process won’t stay static. Individuals are getting savvier around exercising rights and the regulatory landscape is in constant flux. If you aren’t re-evaluating your processes for regulatory changes and trend analysis every 3-6 months, chances are you’ll miss the mark somewhere down the line.
Editor’s note: For additional data privacy insights from ISACA, visit our 2022 privacy resources page.
Author’s note: For more on how OneTrust can help you manage privacy rights requests, and stay ahead of regulatory changes, visit onetrust.com