Data Subject Access Requests
Privacy regulations that require companies to honour individuals' Data Subject Access Requests are growing at a rapid pace. Organizations must give individuals the right to access, correct or delete the personal data being processed about them, as well as the right to obtain information about the purposes of that processing.
Data Subject Access Requests take many forms, depending on the individual's wants and the jurisdiction the company falls under.
Limit/Restrict/Opt-Out: Requests to restrict sharing of individual’s information with affiliates and partners or limit the use of their personal data
Summarized Categories: Requests for summarized categories of information an organization has about individuals
Copy of Information: Request for a copy of all information the organization has about the individual
Update/Change/Collect Information: Request to change/update information about the individual, particularly if it is inaccurate
Delete Data: Request to permanently erase or delete an individual’s personal data
The DSAR Process
With a Data Governance Tool, DSAR requests can be handled manually or can be automated, depending on the requirement. The steps involved in the DSAR process are listed below.
Verification and Validation constitute the first stage of the DSAR process. It involves contacting the customer making the request via email to verify their identity and that they are the rightful owner of the data associated with the email address. This is an important requirement of the process as the request cannot proceed further without appropriate validation. Here, the customers' details are checked against the company's master database. In case additional information is required from the customer, a request for the same is made at this stage.
The second stage is the Processing of the request. Based on the customer's requirements, their data is deleted, rectified, summarized, copied, or updated in the respective department and business system (depending on their jurisdiction, customers can also request to restrict or opt out of processing and sale). Action items pertaining to the request are created and used here to facilitate the processing.
The final stage is the Communication and Delivery of the information. For delete, opt-out, and rectify requests, the request is completed and the customer is informed accordingly. For requests for a copy or a summarized version of the data, the data is collected and a report is built, which is then sent to the customer in an encrypted or password-protected format.
Why Automation is Important
The personal data collected is stored in many different data centers, both within the organization and with third parties. Processing these requests is not a linear function. It first involves accounting for all the data belonging to each person, then identifying all data stores and applications, which data is personal, to whom it belongs, and so on. Fulfilling subject access requests at scale can be a challenging task for many companies. In order to build a scalable and sustainable DSAR system, a Robotic Process Automation system becomes critical.
Automation of response to DSARs improves efficiency and enables timely responses to all requests
Automation can be especially important if the organization has limited resources supporting Privacy
An automated implementation reduces the need for analysts to execute tedious and potentially complex steps, thereby improving quality and consistency
Automation also improves security by eliminating insecure forms of communication (such as email) with the requestor, internally with vendors, or during delivery of the requested data.
Automation ensures customer data is always in encrypted data stores and is transmitted only through secure channels as needed.
Make the DSAR Process an Asset
The aim of any organization should go beyond just compliance as the effects of an automated and sustainable DSAR processing system are far reaching and beneficial.
Data Maps and DSAR
For organizations to be able to respond to DSARs, they will need to discover and categorize all the systems where personal data is processed or stored. This data is often stored across different systems within an organization, in the cloud, and with external vendors and partners. A current and comprehensive Data Map will help to streamline this process. As more jurisdictions introduce privacy regulations that stipulate data rights for individuals, corporations will be facing the reality that they will need to build automation for managing DSAR activities that's more than just a form for taking requests. Automating DSARs at scale will require a detailed Data Map and DSARs will have to be fully integrated into the Data Map for maximum impact.
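As an added example, not Meru's code or workflow, the three-stage process described under "The DSAR Process" and the Data Map idea above can be sketched together in Python: a request cannot be processed until the emailed verification token is confirmed, and a constructed Data Map (system to personal-data categories) decides which systems, including a third-party one, are consulted for a categories, copy or delete request. The systems, e-mail address and records are constructed stand-ins.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

# Constructed Data Map: which system holds which categories of personal data.
DATA_MAP = {
    "crm": {"contact", "marketing_prefs"},
    "billing": {"contact", "payment"},
    "helpdesk_vendor": {"contact", "tickets"},  # third-party system
}

# Constructed stand-in for the business systems, keyed by system then e-mail.
STORES = {
    "crm": {"ann@example.com": {"contact": "Ann", "marketing_prefs": "weekly"}},
    "billing": {"ann@example.com": {"contact": "Ann", "payment": "card ending 1111"}},
    "helpdesk_vendor": {},
}

@dataclass
class DSAR:
    email: str
    kind: str            # "categories", "copy" or "delete"
    token_hash: str      # only the hash of the verification token is kept
    verified: bool = False

def open_request(email, kind):
    """Stage 1: mint a one-time verification token; store only its hash."""
    token = secrets.token_urlsafe(16)  # sent to the requester's mailbox out of band
    return DSAR(email, kind, hashlib.sha256(token.encode()).hexdigest()), token

def verify(req, presented):
    """Constant-time check of the token the requester sends back."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    req.verified = hmac.compare_digest(req.token_hash, digest)
    return req.verified

def process(req):
    """Stage 2: act only after verification, fanning out over the Data Map."""
    if not req.verified:
        raise PermissionError("DSAR cannot proceed without identity verification")
    holders = sorted(s for s in DATA_MAP if req.email in STORES[s])
    if req.kind == "categories":          # summarized categories per system
        return {s: sorted(DATA_MAP[s]) for s in holders}
    if req.kind == "copy":                # full copy, to be delivered encrypted
        return {s: dict(STORES[s][req.email]) for s in holders}
    if req.kind == "delete":              # erase from every holding system
        for s in holders:
            del STORES[s][req.email]
        return {"deleted_from": holders}
    raise ValueError(f"unsupported request type {req.kind!r}")
```

The "copy" result is what stage 3 would package into the encrypted or password-protected report; delivery itself is outside this sketch.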
Meru provides built-in customizable workflows and automated APIs that can collect or delete necessary personal data from several systems. The workflows can also assign specific tasks that need to be handled manually or via API to individuals and third parties. Responses to certain questions can trigger additional workflows or alert process owners of potential issues ahead of time.
The world of Privacy is constantly evolving, and complying with regulations is non-negotiable. The regulatory landscape has changed dramatically in a short period of time and will continue to evolve. Hence, it is imperative for organizations to plan their privacy programs and how they will respond effectively to DSARs. Designing and building a sustainable system for your organization that incorporates flexibility and reflects foresight is a step toward transforming the DSAR system into a company asset.