Improving the DSAR Process — Simplify, Secure and Scale to Sustain
Most privacy regulations provide the right for individuals to submit a Data Subject Access Request (DSAR) to organizations. Individuals can use the DSAR to access, correct or delete their personal data being processed by the organization. Individuals also have the right to know and obtain information about the purposes of personal data processing. Often, the term DSAR can also refer to a variety of privacy-related requests, including consumer requests, subject access requests and do-not-sell requests. Generally, DSARs can be submitted on a web browser, by email or mail, or over the phone. DSAR non-compliance is a growing risk.
I have worked with several organizations in the last few years helping them to respond to DSARs. Organizations are still figuring out how to efficiently manage their DSAR response processes in a standardized and consistent manner. There are many learnings to be shared on how organizations should design and implement their DSAR response processes. Cases around DSAR will be discussed in a later article.
Regulatory context: Multiple bodies are regulating how privacy rights should be protected. The two most significant regulations currently active are the European Union’s General Data Protection Regulation (GDPR, effective 2018) and the California Consumer Privacy Act (CCPA, effective 2020). Regulations that are already enacted but not yet in effect include the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA) and the Virginia Consumer Data Privacy Act (VCDPA); all three will be effective from 2023. Similar bills are being considered in Utah, New York, New Jersey, Minnesota and other states. Consumer privacy protection is here to stay. The regulatory landscape changed dramatically in a short period of time and will evolve further. Hence, it is imperative for organizations to plan their privacy programs and how they can respond effectively to DSARs.
Key Learnings
Organizations can learn from how various industries and companies have navigated DSARs within the changing privacy landscape, especially in the last 18 months. This can help with the design of new DSAR processes and the modification of existing ones. Adopting the learnings shared below can help organizations build flexibility into their implementation and execution plans.
Clearly define Roles and Responsibilities: Though this sounds simple, it is a critical part of the process. If roles and responsibilities are not clear, steps can easily be missed and processes fail. Fully define all the different roles in the process. Make sure all stakeholders are trained and have the necessary authority, data and ability to effectively complete the process that has been delegated to them. To ensure all requests are fulfilled in the time window specified by the regulations, review your contingency plans for continuity during staff vacations or when personnel changes happen (especially at your vendors, who may be managing some of the responsive data).
Ensure responsibilities are clear and lead to consistent decision making. Integrate the roles and responsibilities with your Data Map to ensure your process stays current. The Data Map can also be used to streamline the process by eliminating unnecessary touch points.
Design for Regulatory Expansion: Retain some flexibility in process designs for the inevitable regulatory expansion. Processes will need to manage different requirements, response timelines and so on. For instance, in 2023, the CPA and VCDPA will take effect along with the expanded rights under the CPRA. Case law and regulatory comments will continue to clarify grey areas and require revisiting previous assumptions. It is never easy to design for constant change, but that is the reality of the current environment.
Be clear on how you will manage the multiple requirements and multiple jurisdictions. Some aspects of the process can be common, but it will be important to clearly define the aspects that may be different. Consider whether the rights under these regulations should be expanded to all customers or whether customers should be treated separately based on their jurisdiction. Frame decisions in the context of the organization’s overall privacy roadmap and define clear milestones (e.g. technology or capability triggers) when decisions should be revisited.
DSAR validation: Regulators have cautioned against requesting extensive personal information to validate a request, but have also stressed the need to ensure a request is legitimate to avoid data breaches due to a DSAR response. Validation should be proportional to the sensitivity of the data at stake. It might vary depending on the type of data, the governing regulation, and the industry sector of the organization. The data infrastructure within an organization will also determine the depth of the validation effort. Principles around validation should include:
· Obtaining all data needed at the beginning of the validation process — this saves time and effort in validation. The response fulfillment clock starts as soon as the request is submitted. Completing the requests in a timely manner is critical to building trust with current and prospective customers.
· Having a secure and non-manual process to interact with the requestor during validation. Ensure data is returned in formats that aid processing and automation. Avoid open-ended user input that can be misinterpreted.
· Planning for a significant increase in the number of daily requests at short notice — ensure the validation process can scale quickly
· Early identification of the type of request or the data subject (for example employee vs. customer)
· Having feedback loops to address validation bottlenecks (e.g., requestors may be valid but not present in main customer master databases, etc.)
Automate and reduce manual interventions: Understand the number of steps needed to fulfil a DSAR and evaluate whether any of these can be eliminated or automated. Focus on automating the parts that take the most time or the types of requests that are most frequent. Define and track metrics around your processes that can help highlight these aspects clearly. Your process should be able to retrieve, update or delete data from different parts of the organization depending on the type of request or type of requestor (employee vs. customer, etc.). As these steps mature, it should be possible to automate much of the process. An automated implementation reduces the need for analysts to execute tedious and potentially complex steps, thereby improving quality and consistency.
Automated processes also ensure security by eliminating insecure forms of communication (such as email) with the requestor, internally, with vendors or during delivery of the requested data. Automation ensures customer data is always in encrypted data stores and is only transmitted through secure channels as needed.
Track key metrics around efficiency and quality: Each organization is different, with its unique sets of goals, objectives, and challenges. Develop metrics that focus on critical activities in the DSAR response process. Metrics should track quality, consistency, and timeliness of the response. Also include metrics that track the attributes of the program such as training, transparency, and coordination. A good set of metrics can provide a consistent view of any element of the program over a period. By maintaining a balance between the strategic, tactical, and operational metrics, you can identify systemic and operational shortcomings in your program.
Summary
The learnings shared here provide good foundations for defensible and robust processes for responding to DSARs. It is important to regularly review the DSAR response process to identify the weak points. Limiting ad-hoc decision making or reliance on human intervention during execution will improve consistency. Automating the execution as much as possible will also improve consistency and efficiency. Finally, it is very important to ensure your Data Map is current and dovetails with your processes. It's impossible to have an efficient DSAR workflow without a detailed Data Map.