Privacy Law and Right of Access
Consumer right of access is a core component of many privacy laws in effect around the world today. Privacy laws in Canada and the EU go back several decades, but changing consumer sentiments around privacy have driven updates to existing laws as well as motivated more countries to enact comprehensive data privacy laws. In the US, several states, including California, are considering or have implemented privacy laws, and the US is considering a federal level law as well. In addition, Brazil, Singapore, and China have all put new privacy regulations into effect that mirror many of the tenants of the EU’s GDPR.
Individuals have the right to access their personal data, and this is commonly referred to as subject access. A number of privacy laws such as the GDPR or CCPA give individuals the right to obtain a copy of their personal data as well as other supplementary information. This helps individuals to understand how and why businesses are using their data, and checks that they are doing it lawfully.
The right of access also allows the data subject to exercise further rights such as rectification and erasure. In most cases, the right to access is afforded to customers as well as company employees.
Lack of compliance with subject rights can have significant impact on a company. Under the GDPR and other similar privacy laws, an omitted or incomplete disclosure is subject to fines.
Handling Data Subject Access Requests
Handling data subject access requests requires an intensive amount of time and effort, especially if data is distributed across multiple systems. The time-consuming cost of manually handling a single data subject request has been estimated to be anywhere from a few hundred dollars to a thousand or more, depending in the number of systems and the level of infrastructure and automation the business has in place today.
Many companies are finding ways to automate and streamline the process with privacy management software that includes workflows, communications, and count-down clocks.
To be ready for incoming data subject access requests, a company should have a process in place that begins with a data mapping exercise to understand what personal data is collected, how it is shared, and where it is stored by the company or any third parties or service providers.
Because individual right of access also allows the data subject to exercise further rights such as rectification and erasure, it’s important to have a formal structure established for handling all of these rights. Being able to process these types of data subject requests promptly and completely is important because an omitted, delayed or incomplete disclosure is subject to fines.
An important step in subject rights management is establishing a preferred method or methods of receiving and handling data subject requests from customers, employees, and vendors. Methods may include a dedicated hotline, online web form, an internal email address, customer portal, etc. Make sure to check your applicable privacy regulations as some have specific requirements for options.
In addition to capturing and logging a request, it is important to be able to verify the identity of the requestor.
Overall, right to access management should involve these key aspects:
- Identifying and tracking the information held on individuals (including what data, categories, planned duration of storage, if transmitted to a third country, etc.)
- Having the capacity to respond to inquiries, correct the data, erase, the data, or restrict processing
- Maintain detailed records to assess and demonstrate compliance
How 2B Advice PrIME Supports Subject Access Management
DSAR management is part of the 2B Advice PrIME end-to-end privacy compliance platform that ensures timely and compliant subject access management. Designed to be flexible enough to support one or more privacy regulations, the DSAR management elements work seamlessly together to support your data subject requests and reduce human intervention to a minimum.
- Brandable, customizable online web intake forms to capture requests
- Communications and Ticketing to log and track requests
- Automated Workflows to schedule tasks and reminders
- Count-down clocks to keep responses on track
- Reporting to support auditing and demonstrate compliance
- Detailed records of processing activities (RoPA)
- REST API for integration with call center or service desk applications
Subject access requests are one of the most important parts of a privacy compliance program. As more privacy laws go into effect around the world, handling customer and employee subject access requests has become a priority for a growing number of companies.
Data Subject Access Requests (DSAR) Under the GDPR
Article 15 GDPR describes the right of access by the data subject, employee or consumer. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data. In addition, the controller must provide additional information including:
- Purposes of the processing
- Categories of personal data
- Recipients to whom the data will be disclosed
- The period for which the data will be stored
- The existence of automated decision-making
The controller shall provide a copy of the personal data undergoing processing. Under the GDPR, individuals may make a DSAR verbally or in writing.
Subject access response time is a critical aspect of handlining request. Article 12 GDPR stipulates that the business has one month to respond to a DSAR request. Extensions may be granted under certain conditions.
Whilst most attention is paid to the ability for consumers to make data subject requests, under the GDPR, so may employees. According to a PrivSec report, around three-quarters of EU firms (71 percent) have received DSARs from their staff since the introduction of GDPR.
Given that larger businesses in consumer industries can receive up to 500 DSARs a month, research shows there is a huge potential financial cost in having to respond to them. For example, UK businesses spend, on average, £1.59 Million and 14 person years annually processing DSARs.
Right of Access Under the CCPA
Under the CCPA, consumers (and employees) have the right to request a copy of personal information collected about them in the last 12 months. Consumers have the right to request a business disclose the categories of personal information collected, the business or commercial purpose, and the categories of third parties with which they share personal information. In addition, they may request to have a copy of the specific pieces of information the business holds about them, within certain limitations.
Consumers may make a subject access request verbally via a toll-free number or in writing via a web-form. Subject access response times under the CCPA allow 45 days for businesses to respond to a request.
Penalties for Lack of DSAR Compliance
Can you be fined for failing to respond fully or promptly to a data subject access request? In a word, yes. Remember, EU regulators can impose the maximum 4% GDPR for violations of privacy requirements and this includes data subject requests pursuant to Articles 12 to 22. Under the GDPR, already we have seen businesses being fined anywhere from a few hundred dollars to tens of thousands of dollars for failing to fully respond to data subject access requests.
Under the CCPA, for fines and enforcement, the maximum penalty of the CCPA is $7,500 for intentional violations of the CCPA. Other violations lacking intent are subject to a $2,500 maximum fine.
In other countries with GDPR-like privacy regulations, such as Brazil’s LGPD, the fines may be less severe. Article 52 of LGPD states that the maximum fine for a violation is “2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals”. However, it should be noted, that the timeframe for time to respond is 15 days, which is much shorter than either the GDPR or CCPA. The bottom line is prompt and complete subject access response for consumers and employees is an imperative.
Whether you are complying with EU, US or any other regional regulation, the 2B Advice PrIME DSAR management tools will provide an automated way to handle requests and ensure you are compliant with legal requirements for response time.
Schedule a Demo of 2B Advice PrIME today and see how Subject Rights Request Automation can empower your consumers.
The right of access, enshrined in Art. 15 of the GDPR, gives data subjects the right to obtain from the controller.How to Become A Certified Data Protection Officer?
It is required by law to appoint a data protection officer in your company. Read all you need to know for your organization.Zoom Data Privacy
Which data privacy guidelines do you actually have to observe when using the Zoom software? Is your company Zoom compliant?