If you take a look at the first 25 articles of the EU General Data Protection Regulation, you will see several address individuals’ data rights. Up until now, the march to the GDPR has been defined by organizations trying to make sense of the impending rules, but as deadline-day nears, compliance efforts to meet data subject access requests are starting to come into focus.
According to the IAPP-EY Annual Privacy Governance Report 2017, DSARs were among the top three most difficult GDPR obligations for those surveyed: data portability, followed by right-to-be-forgotten requests and gathering explicit consent.
TrustArc Senior Vice President of Marketing and Product Management Dave Deasy said clients have been approaching the company looking to find a way to address those consumer-facing obligations in an efficient manner.
The impending rules, particularly Article 12 and Articles 15-23, motivated TrustArc to release the Individual Rights Manager as part of its existing technology platform, a three-pronged solution designed to help companies ensure GDPR compliance when tackling the DSARs they will receive after the May 25 implementation date.
Deasy ran through the three pieces making up the IRM during a phone conversation with Privacy Tech.
Users will fill out their name and email address, then select the DSAR they wish to make, and, if they so choose, provide relevant comments. The form is then sent to the designated individual in charge of handling data requests. The form is timestamped, which gives the organization a timeframe for when the request must be completed.
“Based on the nature of the request, the ‘privacy analyst’ inside the company would be able to use one of the templates through our assessment manager product and quickly run the scenario through the template, which is going to help them figure out whether or not this is a valid request, and what kind of action the company should take,” said Deasy.
Those templates make up a part of the second aspect of the IRM. The solution offers specialized content in the form of assessment templates companies can use to determine how to handle each query based on the type of request that is being made. The content also includes recommended remediations for DSARs. As an example, Deasy said a remediation could explain to a company the legal reasons for denying a data subject’s “right to be forgotten” request.
After consulting the templates, the “privacy analyst” will locate the relevant information, then get in touch with the data subject who made the request and send them whatever they were asking for.
While the first two parts of the IRM are designed to go hand-in-hand, the third piece of the solution is an optional consulting service aimed at helping organizations identify the best person to handle DSARs, work out how to implement the technology, and adjust expectations for the number of requests they expect to receive.
TrustArc uses a consulting organization made up of 30 privacy professionals from around the world, the majority of whom are veteran lawyers with in-house privacy experience. “We’ve recruited across pharma, financial services, telecom and consumer packaged goods,” said Deasy. “They are lawyers with a lot of experience managing privacy within a company, and almost always, they’ve got a wide variety of CIPP certifications.”
Since many companies are immature from a privacy perspective, Deasy said the consultants can help organizations define and design their strategy to ensure they are complying with the GDPR. Deasy also said many of the employees within the company do not use complex privacy-centric technology in their day-to-day activities. The consultants are there as an asset to help get the most out of the tech solutions.
“Technology is really good at helping you automate processes, but if you don’t already have the processes, then it is hard to get the full value out of the technology,” said Deasy. “In the case of individual rights, if you don’t have a process for how you are going to review and determine what kind of action needs to take place, then the technology alone isn’t going to solve everything for you.”
Solutions such as the IRM have not made their way into the mainstream, even as the GDPR implementation date draws closer. When talking to his clients, Deasy said many are considering building their own solutions to address the problem. Deasy advocates for TrustArc’s solution over in-house products, given his company’s long-standing work in the field of privacy addressing laws such as COPPA and the EU-U.S. Privacy Shield agreement.
When asked why individual rights have not been addressed in many privacy tech products so far, Deasy points to the timeline companies have taken to prepare for the GDPR. For the first year, organizations spent their time trying to understand what the GDPR meant, while putting in place a plan to figure out how to attack the different aspects of the rules. Starting in May or June of last year, companies began to implement their plans, as building data inventories and mapping out information took over.
Now that the implementation date is only months away, Deasy said companies are starting to focus on topics such as individual rights and consent.
“It’s more a reflection of the lifecycle of how quickly companies were able to respond to the GDPR once it hit, and then working through the different steps,” said Deasy. “Since the deadline is not until May, there was no incentive to put your individual rights solution in place last year because you didn’t have to. It’s a matter of sequencing the effort to coincide with the deadline requirements.”
The solution will be available for live implementation next month, as TrustArc continues to demo the product with its clients. Many of them will be testing it out over the upcoming months before May 25, although Deasy said most clients will only turn it on officially once the implementation date draws closer.