Understanding Consumer Rights/DSAR Compliance
Recommendations and Solutions
The EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and other privacy regulations seek to protect the personal data and privacy of consumers. These regulations significantly increase the requirements on businesses regarding how they address consumer rights/data subject access requests (DSAR) – for example, requests to access or delete personal information. Specifically, these regulations define the types of consumer rights/DSARs that need to be addressed, and the timeline and process that must be followed to fulfill the requests. For example, GDPR requires that DSARs be addressed within one month, CCPA within 45 days (with some exceptions and extensions permitted).
Sanctions for non-compliance can be significant. For example, under the CCPA, businesses can face penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation. The CCPA also provides a private right of action to California residents whose personal information is subject to unauthorized access, theft, or disclosure. Businesses would face paying between $100 and $750 per resident or incident, regardless of whether actual damages are shown.
Consumer Rights / DSAR Compliance
The privacy experts at TrustArc suggest you follow the steps below to support compliance with regulatory requirements around consumer rights requests/DSARs.
- Ensure understanding of what data you collect and process and where it resides.
- Establish a process to intake individual rights requests that is easy on the individual, and ensure this process is well-communicated throughout the organization. A request may come in from many routes, and the person receiving that request needs to recognize that a request is being made. Individuals typically won’t understand or use the exact verbiage in the law.
- Validate the individual’s identity.
- Once the request is validated, have a process to review it, evaluate the data referenced and the reasons for processing it, and evaluate any exceptions.
- Have a response process.
- Put in place an appeals process for denied requests. Retain documentation throughout the process.