2B Advice
TEL: +1 (858) 366-9750
FREE DOWNLOAD
DSAR

Data Subject Access Requests

DSAR Software for CCPA & GDPR

Privacy Law and Right of Access

Consumer right of access is a core component of many privacy laws in effect around the world today. Privacy laws in Canada and the EU go back several decades, but changing consumer sentiments around privacy have driven updates to existing laws as well as motivated more countries to enact comprehensive data privacy laws. In the US, several states, including California, are considering or have implemented privacy laws, and the US is considering a federal level law as well. In addition, Brazil, Singapore, and China have all put new privacy regulations into effect that mirror many of the tenants of the EU’s GDPR.

Individuals have the right to access their personal data, and this is commonly referred to as subject access. A number of privacy laws such as the GDPR or CCPA give individuals the right to obtain a copy of their personal data as well as other supplementary information. This helps individuals to understand how and why businesses are using their data, and checks that they are doing it lawfully.

The right of access also allows the data subject to exercise further rights such as rectification and erasure. In most cases, the right to access is afforded to customers as well as company employees.

Lack of compliance with subject rights can have significant impact on a company. Under the GDPR and other similar privacy laws, an omitted or incomplete disclosure is subject to fines.

How 2B Advice PrIME Supports Subject Access Management

DSAR management is part of the 2B Advice PrIME end-to-end privacy compliance platform that ensures timely and compliant subject access management. Designed to be flexible enough to support one or more privacy regulations, the DSAR management elements work seamlessly together to support your data subject requests and reduce human intervention to a minimum.

Brandable Templates

template_list@80

Brandable, customizable online web intake forms to capture requests

Easy Communication

Ticketw80

Communications and Ticketing to log and track requests

Automated Workflows

workflow@80

Automated Workflows to schedule tasks and reminders

Count-Down Clock

Clock@80

Count-down clocks to keep responses on track

Compliant Reporting

Ansicht_Berichte_anzeigen@80

Reporting to support auditing and demonstrate compliance

Detailed Records

Verarbeitungsverzeichnis@80

Detailed records of processing activities (RoPA)

REST API

rest_api@80

REST API for integration with call center or service desk applications

Contact 2B Advice Now for Help With Data Subject Access Requests

Subject access requests are one of the most important parts of a privacy compliance program. As more privacy laws go into effect around the world, handling customer and employee subject access requests has become a priority for a growing number of companies.

Handling Data Subject Access Requests

Handling data subject access requests requires an intensive amount of time and effort, especially if data is distributed across multiple systems.  The time-consuming cost of manually handling a single data subject request has been estimated to be anywhere from a few hundred dollars to a thousand or more, depending in the number of systems and the level of infrastructure and automation the business has in place today.

Many companies are finding ways to automate and streamline the process with privacy management software that includes workflows, communications, and count-down clocks.

USA EU Cookie Regulations

To be ready for incoming data subject access requests, a company should have a process in place that begins with a data mapping exercise to understand what personal data is collected, how it is shared, and where it is stored by the company or any third parties or service providers.

Because individual right of access also allows the data subject to exercise further rights such as rectification and erasure, it’s important to have a formal structure established for handling all of these rights. Being able to process these types of data subject requests promptly and completely is important because an omitted, delayed or incomplete disclosure is subject to fines.

An important step in subject rights management is establishing a preferred method or methods of receiving and handling data subject requests from customers, employees, and vendors. Methods may include a dedicated hotline, online web form, an internal email address, customer portal, etc. Make sure to check your applicable privacy regulations as some have specific requirements for options.

In addition to capturing and logging a request, it is important to be able to verify the identity of the requestor.

 Overall, right to access management should involve these key aspects:

1

Identifying and tracking the information held on individuals (including what data, categories, planned duration of storage, if transmitted to a third country, etc.)

2

Having the capacity to respond to inquiries, correct the data, erase, the data, or restrict processing

3

Maintain detailed records to assess and demonstrate compliance

Data Subject Access Requests (DSAR) Under the GDPR

Article 15 GDPR describes the right of access by the data subject, employee or consumer. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data. In addition, the controller must provide additional information including:

  • Purposes of the processing
  • Categories of personal data
  • Recipients to whom the data will be disclosed
  • The period for which the data will be stored
  • The existence of automated decision-making

The controller shall provide a copy of the personal data undergoing processing.

Under the GDPR, individuals may make a DSAR verbally or in writing.

Subject access response time is a critical aspect of handlining request. Article 12 GDPR stipulates that the business has one month to respond to a DSAR request. Extensions may be granted under certain conditions.

Whilst most attention is paid to the ability for consumers to make data subject requests, under the GDPR, so may employees. According to a PrivSec report, around three-quarters of EU firms (71 percent) have received DSARs from their staff since the introduction of GDPR.

Given that larger businesses in consumer industries can receive up to 500 DSARs a month, research shows there is a huge potential financial cost in having to respond to them. For example, UK businesses spend, on average, £1.59 Million and 14 person years annually processing DSARs.

Right of Access Under the CCPA

Under the CCPA, consumers (and employees) have the right to request a copy of personal information collected about them in the last 12 months. Consumers have the right to request a business disclose the categories of personal information collected, the business or commercial purpose, and the categories of third parties with which they share personal information. In addition, they may request to have a copy of the specific pieces of information the business holds about them, within certain limitations.

Consumers may make a subject access request verbally via a toll-free number or in writing via a web-form.

Subject access response times under the CCPA allow 45 days for businesses to respond to a request.

Penalties for Lack of DSAR Compliance

Can you be fined for failing to respond fully or promptly to a data subject access request? In a word, yes. Remember, EU regulators can impose the maximum 4% GDPR for violations of privacy requirements and this includes data subject requests pursuant to Articles 12 to 22. Under the GDPR, already we have seen businesses being fined anywhere from a few hundred dollars to tens of thousands of dollars for failing to fully respond to data subject access requests.

Under the CCPA, for fines and enforcement, the maximum penalty of the CCPA is $7,500 for intentional violations of the CCPA. Other violations lacking intent are subject to a $2,500 maximum fine.

In other countries with GDPR-like privacy regulations, such as Brazil’s LGPD, the fines may be less severe. Article 52 of LGPD states that the maximum fine for a violation is “2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals”. However, it should be noted, that the timeframe for time to respond is 15 days, which is much shorter than either the GDPR or CCPA. The bottom line is prompt and complete subject access response for consumers and employees is an imperative.

Whether you are complying with EU, US or any other regional regulation, the 2B Advice PrIME DSAR management tools will provide an automated way to handle requests and ensure you are compliant with legal requirements for response time.

Euro Prise Privacy Seal

CERTIFIED EXPERTS

EuroPriSe Certified & Accredited
Legal & Technical Experts

Since 2003

SINCE 2003

We are one of the providers with the longest experience in the market.

International Team

INTERNATIONAL TEAM

Our data protection expertise is transnational and we work internationally.

Questions? Contact Us Today! SEND MESSAGE or call +1 (858) 366 9750
IHK

2B Advice is ISO/IEC 27001:2013 Certified

IAPP Gold Member

2B Advice is an IAPP corporate Gold member

Gold Microsoft Partner

2B Advice is a Microsoft Gold-Certified Partner

Our Clients (Selection)

our Clients

Questions?

CONTACT

2B Advice LLC
7220 Avenida Encinas #208
Carlsbad, California, USA

Tel: +1 (858) 366 9750
Email:
sandiego@2b-advice.com