Without a Data Inventory, Companies Will be Overwhelmed by Data Subject Requests

Casey Kuktelionis

Why Should You Know Where Data Is?

A centralized data inventory is critical for your organization’s security and privacy compliance. It’s the starting point for understanding what and how data is collected and used across the organization.

Using data inventory and data mapping, you can pinpoint exactly where data is located and stored and draw connections between complicated data flows.

Having an easily accessible inventory enables quick identification of the assets or systems that process an individual’s data and which jurisdictional requirements apply throughout the data lifecycle.

As more data privacy laws are enacted worldwide, understanding your organization’s data inventory and mapping is necessary to meet compliance requirements.

Organizations both big and small should expect to respond to a significant number of consumer requests about their personal data – if you’re not already getting them.

Are You Compliant with CCPA and GDPR DSAR Requirements?

Perhaps the most customer-facing and public compliance requirements of the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) concern the rights of the data subject or consumer, also referred to as individual rights.

GDPR, CCPA, and other data privacy laws significantly increase the requirements on businesses to comply with individual rights requests. These requests include the rights to:

  • Access their information
  • Rectify or update inaccurate or incomplete information
  • Be erased/forgotten, withdraw consent, and have their data removed
  • Restrict processing or limit use and disclosure
  • Object to processing
  • Port their data (data portability)

These laws dictate how organizations must handle individual rights and the related requests, known as Data Subject Access Requests (DSARs).

Most commonly, the laws define the types of requests a business can expect and the timeline within which it must respond to or fulfill them.

For example, GDPR requires that requests be addressed within one month. CCPA requires requests to be addressed within 45 days – with some exceptions and extensions permitted.

Other laws have similar requirements to GDPR and CCPA.

Meeting these requirements is important because non-compliance can result in fines and angry customers. Furthermore, failure to meet these requirements is a violation of individual rights.

Forrester Research found that consumers are likely to exercise their rights around their personal information: 63% reported that they are likely to exercise their GDPR right to ask companies to delete their information.

However, if your company is unsure of what information it’s collecting, where it lives, and the processes surrounding data use, responding to DSARs will quickly become a burden.

Before your team is overwhelmed with DSARs, ensure you have an accurate, centralized data inventory.

What Happens When a Data Subject Requests a Copy of Their Data?

GDPR Article 15 grants data subjects the right of access, giving individuals the right to obtain confirmation as to whether personal data about them is being processed and to request a copy of that data.

The five US state privacy laws (California, Colorado, Connecticut, Virginia, and Utah) also include a right of access for consumers.

As mentioned above, organizations are legally required to respond to such a request within a specific number of days.

Suppose, for example, that your organization collects data about customers to enhance the customer experience.

If a customer requests a copy of their data, will you know where to find it? If they ask additional questions about their data, will you be able to answer them?

Now, what would happen if thousands of customers made this request around the same time? Could your IT department handle that volume of requests?

DSARs are just one of the many reasons why your business needs a data inventory.

What Does Data Inventory Have to do with Global Business Transactions?

GDPR Article 46 allows for data transfers to non-EU countries through mechanisms that provide appropriate safeguards.

Appropriate safeguards include Binding Corporate Rules (BCRs), Model Contract Clauses (MCCs), also known as Standard Contractual Clauses (SCCs), and legally binding documents and enforceable instruments between public authorities or bodies.

Suppose you’re about to close a global deal in which personal data must be transferred out of the EU to a US-based subsidiary that uses a vendor in Asia to process that data. Are measures in place to ensure your team will not overlook specific requirements as the data travels across countries?

International data transfers are a highly discussed topic in data privacy, with many regulations and differing opinions.

Even though a data inventory is not explicitly mandated by GDPR, Article 30 requires companies to produce “records of processing activities” to demonstrate to regulators that the organization is adhering to GDPR.

Implement a data inventory process that focuses on how and why data is collected, so you can both respond to DSARs and maintain privacy law compliance.

Documenting the Data Lifecycle

The process of documenting the data lifecycle is referred to as data flow analysis or data mapping. Data mapping requires collaboration between those who know where data is at each stage, across the enterprise and with third parties.

Data lifecycle stages include collection, storage, usage, transfer, processing, and disposal.

Comply with Data Privacy Law DSAR Requirements

  • Ensure understanding of what data you collect and process and where it resides.
  • Establish a process to intake individual rights requests (one that is easy for the individual to use) and ensure this process is well-communicated throughout the organization.
  • A request may come in through many channels, and the person receiving it needs to recognize that a request is being made.
  • Individuals typically won’t understand or use the exact verbiage in the law.
  • Validate the individual’s identity.
  • Once the request is validated, have a process to review it, evaluate the data referenced, the reasons for processing the data, and any exceptions.
  • Have a response process and an appeals process for denied requests.
  • Retain documentation throughout the process.
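As an added example (not code from the original article), a minimal data inventory in Python that answers the questions raised above: which systems and processors must be searched to fulfill a DSAR, the statutory response deadline (one month under GDPR, 45 days under CCPA, extensions not modelled), which entries leave the EU without an Article 46 safeguard, and an Article 30-style record of processing. The system names, countries, data categories and the EU country subset are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import calendar

@dataclass(frozen=True)
class InventoryEntry:
    system: str             # where the data lives
    categories: frozenset   # personal-data categories held there
    purpose: str            # why it is collected (feeds the Article 30 record)
    stage: str              # lifecycle stage: collection, storage, usage, transfer, processing, disposal
    country: str            # where processing happens (ISO 3166 alpha-2)
    processor: str          # who handles it: the organization itself, a subsidiary or a vendor
    safeguard: Optional[str]  # Article 46 transfer mechanism ("SCC", "BCR", ...), None if none recorded

EU_COUNTRIES = {"DE", "FR", "IE", "NL"}  # constructed subset; extend for real use

# Constructed sample inventory mirroring the EU -> US subsidiary -> Asian vendor chain in the text.
INVENTORY = [
    InventoryEntry("crm", frozenset({"name", "email"}), "customer support", "storage", "IE", "self", None),
    InventoryEntry("billing", frozenset({"name", "card_last4"}), "invoicing", "processing", "US", "subsidiary", "SCC"),
    InventoryEntry("analytics", frozenset({"email", "clickstream"}), "product analytics", "transfer", "SG", "vendor", None),
    InventoryEntry("backups", frozenset({"name", "email"}), "disaster recovery", "disposal", "IE", "self", None),
]

def systems_to_search(inventory, requested):
    """Systems (and who runs them) that must be checked to fulfill an access or erasure request."""
    return sorted((e.system, e.processor) for e in inventory if e.categories & requested)

def _add_months(d, n):
    month = d.month - 1 + n
    year, month = d.year + month // 12, month % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def response_deadline(received, regime):
    """Statutory response deadline: one calendar month under GDPR, 45 days under CCPA."""
    if regime == "GDPR":
        return _add_months(received, 1)
    if regime == "CCPA":
        return received + timedelta(days=45)
    raise ValueError(f"unknown regime: {regime}")

def unsafeguarded_transfers(inventory):
    """Entries processed outside the EU with no Article 46 safeguard recorded."""
    return [e.system for e in inventory if e.country not in EU_COUNTRIES and e.safeguard is None]

def records_of_processing(inventory):
    """Article 30-style record: one row per system with purpose, categories, recipient and transfer basis."""
    return [{"system": e.system, "purpose": e.purpose, "categories": sorted(e.categories),
             "recipient": e.processor, "country": e.country, "transfer_basis": e.safeguard or "none"}
            for e in inventory]
```

Running `systems_to_search(INVENTORY, {"email"})` shows that a single erasure request touches a vendor in Singapore as well as the in-house CRM and backups, which is exactly the kind of dependency that is invisible without the inventory.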
