10 Ways Data Subject Access Requests Will Alter Business As Usual

Rachel Vrabec, Fast Garden
Apr 15, 2019

I read something surprising the other day. Only 14% of companies are compliant with the California Consumer Privacy Act (CCPA). The surprise turned to shock when I learned that only 21% of companies that worked on compliance with the General Data Protection Regulation (GDPR) are compliant with the CCPA. Companies know there is a gap, but there is a lot of uncertainty about how to fill it as states release new proposals and big tech companies lobby for their own terms. Luckily, the California bill clearly outlines the most important change in its first paragraph.

The bill would grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared.

With less than 9 months until the CCPA goes into effect, despite regulatory and political ambiguity, it is crucial for teams to start considering not only the rules themselves but how they will impact business as usual with the many players across the business. I suggest you start by outlining your current data sourcing and sharing culture, practices, and processes with your customers, IT teams, customer-facing teams, regulators, partners, employees, and competitors. Then consider the ways new regulation may alter them.

Here are 10 ways the CCPA will alter business as usual:

  1. Customers will send your client success, account executive, and legal teams requests for full reports on their personal data. They may or may not be California residents.
  2. Customers will expect a timely response about their request and the expected time to resolution.
  3. Your customer-facing teams will submit these requests to IT (systems, engineering, data management), kicking off a chain of queries and data collection questions. This may be particularly difficult to manage if IT is outsourced or partially managed.
  4. Your customer-facing teams will want to know which customers are requesting data and why. They’ll want to control this customer interaction and make it positive to prevent churn.
  5. Regulators will expect to see consistent and well-documented processes across your teams and the major systems they use to ensure responsiveness, transparency, and comprehensiveness.
  6. Regulators will expect to see responsiveness matched with privacy protection through authentication of data subjects before responding to requests.
  7. Regulators will audit the most obvious and vulnerable systems in your organization for the most sensitive customer data, but will most likely lack the resources to scour 100% of your data footprint.
  8. Partners will also expect to see consistent and well-documented processes across your teams. Not having these in place will jeopardize or slow B2B sales, partnership agreements, mergers, and acquisitions.
  9. Current and former employees will also submit requests for personal data categories and reports stored in HR or ERM systems. They may want the data to ease a transition to a future employer, or they may want it for more adversarial uses.
  10. Competitors will find new and innovative ways to gather and use customer data. Under the CCPA, businesses are able to offer discounts or incentives to customers willing to share personal data with them, either to improve their services or for the purpose of selling to advertisers. They will be looking for ways to win your customers’ trust and dollars.

You might read these, nod knowingly, and wonder, so what? Highlighting the risks and potential challenges is the easy part, while putting together a prioritized, well-resourced, timely, and actionable plan often seems nearly impossible. When I discuss this with legal counsel, data managers, and security leads, I often hear the following anecdote:

I raised my hand in our team meeting and asked, ‘What are our plans to comply with GDPR?’ I was applauded for being forward-thinking and identifying the risk. Then I was asked to lead an effort to create a roadmap to compliance. I’m pulling together trainings and tapping resources across the organization in order to best document progress in our knowledge management software. I’m not sure what to do next or how to stay on top of everything changing in the US. I might suggest we hire a consulting team to audit our systems and provide recommendations, since I don’t have the time to fully dedicate myself or my team to this.

So, what? At Fast Garden, we educate individuals about their personal data value and rights. More recently, we started working with companies to ensure their compliance efforts are prioritized to cover the largest risks and build trust with their customers. We’ve all seen the good and bad ways for companies to handle privacy policy changes, cookie requests, and email consent updates. We’re in the process of codifying the good stuff so that companies and customers can quickly get what they need from their data through safe and friendly software.

Reach out to me at rachel@fastgarden.io if you’d like to learn more or have questions.
