Recently introduced data privacy laws such as the California Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR) give individuals rights to discover how organizations are using their personal information. Under these laws, individuals may submit a Data Subject Access Request (DSAR) to find out how an organization is using their data. They can also send a DSAR request to instruct an organization to limit how their data is used or stop using it altogether.
Implementing a program to handle DSAR requests should be viewed as more than just a way to comply with data privacy laws. When done right, it can also be a great way for you to let customers know that you are committed to maintaining the privacy of their data.
In this blog, we’ll focus on CCPA-related DSAR requirements and what to consider in implementing an effective DSAR program.
CCPA DSAR Rights
Here’s a summary of CCPA rights that impact DSAR requirements:
- Right of Access (Sections: 1798.100(a), 1798.110, 1798.130, 1798.145(g)(3) of the CCPA) —The right of Californians to access their personal information.
- Right to Data Portability (Sections: 1798.100(b), 1798.1110, 1798.130, 1798.145(g)(3) of the CCPA)—When a consumer expresses their Right of Access, the business must provide the data in a portable and readily usable format that allows for the transmission of this data to third parties without hindrance.
- Right to be Informed (Sections: 1798.100(b), 1798.130(a), 1798.135)—The right of Californians to know what personal information is being collected about them, the purposes for which the data is used, and if the business sells their personal information.
- Right to Opt-Out (Sections: 1798.120, 1798.135 of the CCPA)—Consumers have the right to opt-out from the selling of their personal information.
- Right to Deletion (Sections: 1798.105(a), 1798.130(a), 1798.145 (g)(3) of the CCPA)—The right of Californians to request the deletion of their personal information.
- Right to Non-Discrimination (Section: 1798.125)—The right to not be subject to discrimination for the exercise of CCPA rights.
Full details of the CCPA are available here.
Data Flow Diagrams
After reviewing the CCPA rights, we recommend developing data flow diagrams that depict customers or other individuals exercising those rights in the context of your company’s business and systems environment. Be sure to consider all possible scenarios in which the rights might be exercised.
The scope of the data flow diagrams may include employees, affiliates, and individuals or companies, including, but not limited to, external partners and suppliers that manage or administer systems involved in the collection, storing, or processing of personal information. In developing data flows, it’s common to consult with members of multiple in-house teams, including Legal, Human Resources, Marketing, business application/web developers, Product Development, Sales, Helpdesk, IT Security, Confluence/Jira, and Networking.
All systems that handle consumer data should be in-scope.
Below are a few examples of DFAR customer request scenarios for which you may need to develop data flow diagrams. We’ve used the fictitious name of ABC Restaurant Group.
- “I would like to know what categories of information ABC Restaurant Group has about me as well as the source from which the data was collected.”
- “I would like to receive all categories of data ABC Restaurant Group has about me.”
- “Does ABC Restaurant Group sell my personal information to a third party? If so, how do I opt-out?”
- “I recently placed an online order at ABC Inn restaurant in Fresno, California, and would like my information removed. In addition, I want to opt-out of receiving promotions.”
The International Association of Privacy Professionals (IAPP) is a well-respected data privacy industry association that has developed the following generalized DSAR data flow framework that can be a helpful starting point in developing your data flow diagrams.
Here’s an example of a specific data flow diagram addressing the Right to Deletion:
Implement Systems and Procedural Changes
Once you’ve defined all the data flow scenarios needed to support CCPA rights, you can begin developing requirements for systems changes to support any data flows that are not already in place. Were possible, streamline and automate DSAR functionality to minimize operational burdens for your company.
Next, you’ll need to develop, test, and implement the system changes; update operational procedures; train your staff; and inform your customers or partners of the changes. In informing your customers, be sure to highlight how the changes demonstrate your commitment to the privacy of their data. Turn this into an opportunity to build customer trust and loyalty.
In working with industry-leading companies to help them implement DSAR programs, Tevora has encountered many challenges and partnered with clients to overcome them. Here are some of the most common challenges you might face:
- Locating unstructured personal data (e.g., in emails or texts).
- Monitoring data protection/privacy practices of third parties.
- Ensuring data minimization.
- Developing an easy-to-use, centralized opt-out tool.
- Anonymization of data to obfuscate personal information.
- Understanding technical controls surrounding deletion requests (e.g., “if I delete this record from the database, will it negatively affect the database or other records?”).
- Determining who should be informed when a DSAR request is received, who should be involved in responding, and what content should be included in the response in different scenarios.
- Verifying a user’s identity without collecting additional information.
In our experience, meeting the following criteria will help to ensure a successful DSAR program implementation:
- Assign a dedicated team to handle DSAR requests.
- Deploy full or partial automation, or begin with an interim manual process that will later be transitioned to an automated process based on lessons learned and table-top exercises.
- Ensure you have a fully trained team with adequate resources to respond to DSAR requests promptly.
We Can Help
Tevora’s expert team has extensive experience partnering with clients to implement DSAR programs. We can help you define DSAR use cases and data flows, identify tools and technologies to use for your DSAR program, and conduct table-top exercises to test your ability to respond to DSAR requests. If you’d like to learn more about how Tevora can be a trusted partner to help you implement a DSAR program, just give us a call at (833) 292-1609 or email us at firstname.lastname@example.org.
Upcoming Privacy Webinar
Live Webinar – CPRA: What Privacy Officers Need to Know Now
Tuesday, January 26, 2021 10 a.m. PST 1 p.m. EST
About the Author
Christina Whiting is a Principal | Privacy, Enterprise Risk & Compliance at Tevora.