While the EU General Data Protection Regulation is in its second year and the California Consumer Privacy Act quickly approaches, privacy professionals still have a lot of questions about how to properly handle data subject access requests — a much-feared provision of both.
Privacy professionals have plenty to consider as they shore up their DSAR practices, including the level of automation implemented, getting teams what they need to respond to inquires and how to make the process as easy as possible for data subjects.
Coinbase Associate General Counsel, Global Data Privacy and Security Shahab Asghar, CIPP/US, said during a breakout session at the IAPP Privacy. Security. Risk. in Las Vegas, Nevada, this week that it's almost as important for companies to consider which tool they want to use to handle requests. And there are many. But there's also the option to construct an in-house tool of your own. Asghar said while an internal tool has its benefits, it also has its drawbacks.
"One question you want to ask is whether this something you want to build or something you want to buy from a third party," said Ashgar. "Building is great for a number of reasons, but they're hard to maintain. It's nice to have the support of the third parties."
Another question to weigh is whether to have a data aggregator act as an intermediary to handle the application. Ashgar said organizations can take this route, but they have to dictate who is in control of the proceedings. He added that aggregators may attempt to have an organization shift processes to match how they handle requests, which could lead to unnecessary risk exposure. It reality, it should be the opposite.
"What we do is reach out to aggregators to work them into our process," said Ashgar. "Rather than adjusting to their processes, they will refer the data subject to our process and that will make it easy for everyone."
A tool to handle the inquires is helpful. But it won't do an organization any good if a form is hard to find. PIP Consulting Principal Barbara Sondag, CIPP/E, CIPM, advises organizations to clean up and consolidate all of the different methods a consumer may use to submit a request, whether that's by web form, telephone or by traditional snail mail.
Should consumers go on their own hunt to submit a request, Sondag warns that those inquiries may end up in some strange places.
"Don’t make it so difficult for people to submit requests," said Sondag. "They are going to be looking on different websites and find random phone numbers and email addresses and submit their requests there. Prompt them to where they need to go."
Once the probe is submitted, Asghar believes organizations should automate as much of the DSAR process as possible. Automation can reduce the burden on whoever is in charge of the requests, but there are considerations privacy professionals should keep in mind.
A use-case example presented during the session found a person sought information about a streaming service's recommendation algorithms. He made the request because the service continued to suggest a song he hated. (The song? Boston's "More Than a Feeling.")
Under Article 15 of the GDPR, companies are required to produce "meaningful information about the logic" behind automated decision-making when such a request is made. In this example, the stakes are not very high. Asghar said should an algorithm request be made in the case of an employment or credit monitoring decision, an individual could decide to appeal whatever has been presented to them, which means a manual review of the decision would then take place.
All of the above may help privacy professionals with DSARs, but it will be tough to much off the ground without organizational buy-in. Sondag said it's important for those who are either building or refining their programs to display the value of properly handling the requests. She added obtaining organizational commitment will help privacy teams get the tools and resources they need for the DSARs they will face.
And, they should expect to see more and more requests as the CCPA arrives on the scene to compound an issue already in focus thanks to the GDPR. Of course, privacy legislation is not going to stop at those two four-letter laws. Privacy rules will continue to spring forward around the world and at the U.S. state level, and as they are written and passed, the list of DSAR-related considerations is only going to grow.
If you want to comment on this post, you need to login.