Perhaps the most customer-facing and public compliance requirements of the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) concern data subject rights (GDPR) and consumer rights (CCPA), often referred to collectively as individual rights. Both GDPR and CCPA significantly increase the requirements on businesses regarding how they address individual rights and related requests (e.g., to access or delete personal information): specifically, the types of requests they need to address and the timeline and process they need to follow to fulfill them. For example, GDPR requires that requests be addressed within one month, CCPA within 45 days (with some exceptions and extensions permitted).
Meeting these requirements is important because non-compliance may result in unhappy customers and fines. In addition, Forrester Research found that consumers are likely to exercise their rights over their personal information, as shown in the graph below. For example, 63% of those surveyed by Forrester reported that they are likely to exercise their GDPR right to ask companies to delete their information.
The privacy experts at TrustArc recommend the following steps to comply with the data subject access request (DSAR) requirements of GDPR, CCPA and other privacy regulations.
- Ensure understanding of what data you collect and process and where it resides.
- Establish a process to intake individual rights requests (one that is easy for the individual to use) and ensure this process is well communicated throughout the organization. A request may arrive through many routes, and the person receiving it needs to recognize that a request is being made, since individuals typically won’t understand or use the exact wording of the law.
- Validate the individual’s identity.
- Once the request is validated, have a process to review it, evaluate the data referenced, the reasons for processing that data, and any applicable exceptions.
- Have a response process.
- Put in place an appeals process for denied requests.
- Retain documentation throughout the process.
To learn more about CCPA and GDPR individual rights / DSAR requirements and best practices, tips and solutions to support compliance, read this Navigate Individual Rights Management Solutions Brief.
To learn more about TrustArc solutions to help you effectively manage CCPA / GDPR individual rights and DSARs, contact us today.