Mustafa Ozcakir

Summary

Businesses face significant challenges in managing Data Subject Access Requests (DSARs) and Subject Rights Requests (SRRs) due to the increasing frequency of these requests under regulations like GDPR, and the automation of records management presents a solution to alleviate the associated burdens.

Abstract

The article discusses the growing complexity for businesses in handling DSARs and SRRs as individuals exercise their rights to manage personal data under regulations such as the GDPR. It highlights the cost and time-intensive nature of these requests, which often require sifting through vast amounts of data across various systems. The piece underscores the potential of automation and effective records management to drastically reduce the effort and resources needed to comply with these legal obligations. By adopting automated privacy tools and maintaining accurate records, companies can streamline the compliance process, thereby saving time and money while upholding their legal responsibilities and demonstrating a commitment to data privacy.

Opinions

  • The author suggests that automation is key to reducing the time and expense of responding to DSARs and SRRs, which are becoming more common due to privacy regulations.
  • Proper record management is seen as essential for responding to DSARs and SRRs, as it helps businesses locate and aggregate data from multiple sources efficiently.
  • The article posits that privacy solutions designed for DSARs and SRRs can help companies meet their legal obligations under various data protection laws by automating the response process.
  • Investing in "Record Management" is advised as a proactive measure to address privacy issues and comply with documentation requirements, such as the GDPR's RoPA.
  • The author implies that businesses that fail to adapt to these challenges with technological solutions may struggle to comply with data protection regulations effectively.

The Escalating Challenge for Businesses: DSARs and SRRs

How Automation and Records Management Can Alleviate the Burden…

As Data Subject Access Requests (DSARs) and Subject Rights Requests (SRRs) become increasingly prevalent, individuals are exercising their rights under the General Data Protection Regulation (GDPR) to access, rectify, or delete their personal information. While these requests are crucial for protecting individual privacy, they often present significant challenges for organizations in terms of response and compliance.

According to Gartner, it takes about two weeks to complete a DSAR or SRR, and the average cost of compliance is about $1,500. This is because DSARs and SRRs require companies to acquire, evaluate, and produce large amounts of data that can be dispersed across various systems and databases. Responses to these requests can be labor-intensive and time-consuming, particularly for large organizations with voluminous data.

OK, how much time do you have when a legal DSAR/SRR request arrives from an individual?

Here are the mandated DSAR/SRR response times under various regulations:

The General Data Protection Regulation (GDPR) — EU

  • DSR Types: Access, Rectification, Erasure (Delete), Restriction, Data Portability, Objection, Stop Profiling
  • Initial Request Response Time: 28 Days
  • Max Time allowed if there is an extension: 89 Days

California Privacy Rights Act (CPRA) — USA

  • DSR Types: Correct, Delete, Know (Access)
  • Initial Request Response Time: 45 Days
  • Max Time allowed if there is an extension: 90 Days
  • DSR Types: Opt Out of Sale
  • Initial Request Response Time: 15 Business Days
  • Max Time allowed if there is an extension: 15 Business Days

Virginia Consumer Data Protection Act (VCDPA) — USA

  • DSR Types: Access, Correct, Delete, Data Portability, Opt-Out
  • Initial Request Response Time: 45 Days
  • Max Time allowed if there is an extension: 90 Days
  • DSR Types: Appeal
  • Initial Request Response Time: 60 Days
  • Max Time allowed if there is an extension: 60 Days

Lei Geral de Proteção de Dados Pessoais (LGPD) — BRAZIL

  • DSR Types: Access
  • Initial Request Response Time: 15 Days (a very short window compared with the GDPR)
  • Max Time allowed if there is an extension: 15 Days

Kişisel Verilerin Korunması Kanunu (KVKK) — TURKEY

  • DSR Types: Access
  • Initial Request Response Time: 30 Days
  • Max Time allowed if there is an extension: 30 Days

Is there anything we can do differently to fix this massive privacy issue?

Yes! Automation can drastically reduce the time and expense required to respond to DSARs and SRRs. Automated privacy tools can rapidly locate and aggregate data from multiple sources, eliminating the need for manual searches and minimizing the risk of errors. With automation, businesses can streamline their compliance processes and respond to requests more effectively, saving time and money while meeting their legal responsibilities. Records management is a crucial aspect of DSAR and SRR automation. By properly managing their records, companies can ensure they have a complete and accurate inventory of all the personal data they collect, store, and process. This inventory can be used to determine where data is stored and who has access to it, which is essential for responding to DSAR and SRR requests. This will lead companies to invest more in “Record Management”, because it will be the key to solving most privacy problems, especially those that emerged after GDPR/CPRA/PIPEDA/LGPD/KVKK and similar laws came into force.

Records management can also assist businesses in meeting the documentation requirements of the GDPR. Under the regulation, businesses are required to maintain a record of their processing activities (GDPR RoPA), including the categories of personal data they process, the purposes for which they process it, and the recipients to whom it is disclosed. By maintaining accurate and up-to-date records, businesses can demonstrate compliance with the GDPR’s documentation requirements and ensure a swift response to DSAR and SRR requests.

Fortunately, privacy solutions designed specifically for DSARs and SRRs are beginning to emerge on the market, and they promise to alleviate the difficulties these requests pose. These purpose-built privacy solutions use recent technological advances to automate the entire process of responding to such requests. They are intended to swiftly and precisely add privacy attributes during data collection, eliminate the need for eDiscovery, data classification, and manual queries, and reduce the likelihood of errors. With these new privacy solutions, businesses can streamline their compliance processes and respond to requests faster than ever before.

In conclusion, responding to DSARs and SRRs is an essential component of GDPR compliance. Automation can help companies streamline their compliance processes and respond to requests more quickly, despite the complexity and duration of the process. By investing in automated privacy tools, businesses can not only save time and money, but also demonstrate their dedication to preserving the privacy of individuals.

Tip: A privacy orchestration solution by GovernID offers a unique solution for self-service DSAR/SRR handling, along with many other functionalities.

Mustafa Ozcakir

Entrepreneur & Founder, CDPSE (ISACA), Pilot — EASA CPL(A)
