Data privacy laws give people rights to access, delete, correct and move the data businesses collect about them. They also require businesses to promptly address their data requests without placing undue burden on consumers.
What they don’t say is exactly how businesses should go about managing consumer data requests efficiently and accurately. In fact, in our recent roundtable, privacy expert Dan Solove said that lack of clarity on this issue is one of the major stumbling blocks in operationalizing CCPA.
In this post we’ll outline the challenges businesses face handling data requests and detail a five-step process to manage them at scale. This is the first in a series of posts about this complex and important issue, so stay tuned!
First, some definitions.
Data privacy terminology can be riddled with jargon and swimming in acronym soup. Take Data Subject Access Request (DSAR), Verifiable Consumer Request (VCR) and Subject Rights Requests (SRR). Are they the same, or just similar?
DSAR, VCR, SRR and the other acronyms we’re going to talk about all relate to the same thing: managing requests regarding consumer data. Some terms you’ll hear with respect to the request process are tied to specific privacy regulations and indicate different requirements. For example, GDPR uses the term Data Subject Access Request (DSAR) because, in GDPR-speak, a “data subject” is any person whose personal data is being collected, held or processed, and that includes your employees. CCPA, on the other hand, uses the term Verifiable Consumer Request (VCR) and doesn’t include employees. You may also hear the terms Subject Access Request (SAR) or Individual Rights Request (IRR).
We prefer the term Subject Rights Request (SRR) because it covers all scenarios above, regardless of specific regulatory requirements. Subject Rights Request is the term we use within WireWheel because our data privacy platform allows you to address requests whether you’re working to comply with GDPR, CCPA or any other privacy law that evolves.
Whatever you want to call them, these data requests present a major challenge for many businesses.
Your level of effort and exposure to risk related to Subject Rights Requests depends on the type of business you run. B2B companies receive very few Subject Rights Requests. If you’re in a commercial relationship with B2B customers, you likely have a Master Services Agreement in place that covers data privacy requirements and allows them to access or remove their data whenever they want. To satisfy regulators, you simply need to show you have a basic, accessible SRR process set up.
For B2C companies, however, the scope of Subject Rights Requests and the associated risk are sky high.
WireWheel’s consumer-focused customers are currently receiving tens of thousands of SRRs each year and anticipate receiving millions as more regulations take hold and awareness increases.
With the power of modern marketing technology, B2C companies are tracking tons of data about known customers AND unknown users or prospective customers. Data stores are a mix of first-party data from different business units and acquired companies, as well as behavioral insights, purchased data, and other third-party data that could fall under the requirements for SRRs.
For a B2C company, handling Subject Rights Requests can become very costly. Your privacy and IT teams spend valuable resources fulfilling data requests instead of focusing on priority projects. Your company can be penalized by regulatory bodies if you can’t demonstrate a well-executed SRR process. In the worst-case scenario, mistakes in the SRR process – even unintentional ones – can cause a data breach, which will exponentially increase your liability.
The more efficiently you manage Subject Rights Requests, the better the privacy experience will be for your customers, the easier the effort will be for your internal team, and the more likely you are to meet expectations of auditors and regulators.
Before you can optimize an SRR process, you must first allow people to register a Subject Rights Request. You can offer this option on an external-facing privacy page to show customers and regulators that you’re doing the right thing with data. Your privacy page can also be turned into a portal to enable two-way communication with customers.
Let’s walk through the steps you need to take to build an efficient, compliant SRR process.
If you receive a request for information regarding a person’s data, you need to be sure the person asking for it is who they say they are. If your customers already have password-protected accounts, you can require them to log in to your privacy portal so you can confidently match the person making the request to a specific individual.
But if a Subject Rights Request comes from an unknown user, the situation is not so simple. To make this step even more challenging, you aren’t allowed to ask the consumer for any personal information beyond what you already have. This is where a third party can provide verification and authentication to remove the burden.
Managing a large volume of Subject Rights Requests is a team sport. You’ll need to assign requests, or parts of requests, to different people and keep track of each task as the request progresses through your workflow.
To identify customer data related to a request, your systems and team members need to look into multiple data stores – customer databases, marketing databases, product databases, etc. The faster you can query your data stores automatically, the easier the SRR process will be.
When you get a deletion request, you should make every effort to remove that individual’s data from all the places where it’s being stored and processed. Make sure you have a way to prevent the reappearance of data about an individual who is opting out of your service.
The way you provide information in response to requests is another part of the SRR process you must handle with care to avoid a data breach. Only the sender of a request should be able to receive the data in return. Passing information via email may expose you to a data breach, which, as we’ve discussed, dramatically increases your liability. Therefore, you should make sure consumer information is sent securely, encrypted at rest and in transit, all the way from request to delivery.
You can demonstrate compliance with privacy laws by recording all communications, reviews, and approvals that are part of your SRR process. Maintain complete audit trails of all the requests you receive and actions you take so that when an auditor asks, you have them at the ready.
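The deletion and audit-trail steps above can be sketched as follows. This is an added example, not WireWheel's code: it deletes a subject from every store, keeps a suppression list of keyed digests (so the list itself holds no raw identifier) to block re-ingestion, and records each action in a hash-chained audit trail. The in-memory stores, the key, the request ID format and all function names are assumptions made for illustration.

```python
import hashlib, hmac, json

# Constructed sample data: two hypothetical stores keyed by email.
STORES = {
    "crm": {"ana@example.com": {"name": "Ana"}, "bo@example.com": {"name": "Bo"}},
    "marketing": {"Ana@Example.com ": {"segment": "promo"}},
}
SUPPRESSION_KEY = b"constructed-demo-key"  # assumption: kept in a secrets manager
suppressed = set()   # keyed digests only, never the raw identifier
audit_log = []       # append-only, hash-chained entries

def token(email):
    """Keyed digest of the normalized identifier."""
    norm = email.strip().lower().encode()
    return hmac.new(SUPPRESSION_KEY, norm, hashlib.sha256).hexdigest()

def record(request_id, action, detail):
    """Append an audit entry whose hash covers the previous entry's hash."""
    prev = audit_log[-1]["hash"] if audit_log else "0" * 64
    body = {"request": request_id, "action": action, "detail": detail, "prev": prev}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    audit_log.append({**body, "hash": digest})

def delete_subject(request_id, email):
    """Remove the subject from every store, suppress re-entry, log each step."""
    t = token(email)
    for name, store in STORES.items():
        hits = [k for k in store if token(k) == t]
        for k in hits:
            del store[k]
        record(request_id, "delete", {"store": name, "records": len(hits)})
    suppressed.add(t)
    record(request_id, "suppress", {"token_prefix": t[:12]})

def ingest(store_name, email, row):
    """Refuse to re-import data about a suppressed subject."""
    if token(email) in suppressed:
        return False
    STORES[store_name][email] = row
    return True

def audit_intact():
    """Recompute the chain; any edited or dropped entry breaks it."""
    prev = "0" * 64
    for e in audit_log:
        body = {k: e[k] for k in ("request", "action", "detail", "prev")}
        good = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if e["prev"] != prev or e["hash"] != good:
            return False
        prev = e["hash"]
    return True
```

Matching on the normalized digest rather than the raw key is what catches the differently cased, space-padded copy in the marketing store; a real deployment would run the same `ingest` check on every purchased or third-party feed.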
WireWheel’s consumer-facing portal gives you the capability to receive Subject Rights Requests, whether requesters are known customers or unknown individuals. Our data privacy management platform helps you assign tasks, query data stores, and identify specific consumer data to respond to SRRs.
Most importantly, WireWheel solves the twin challenges of verification and authentication. As a third-party provider, WireWheel helps you verify that an email, driver’s license, or other asset a consumer provides as proof of identity is legitimate, and authenticate that it’s connected to a specific individual. An additional option for an electronic sworn affidavit allows a user to certify their identity, giving you a legal document to support your SRR activity. Our encrypted environment secures the data, and we never use data for any purpose other than verification and authentication of your company’s SRRs.
We’d love to show you how WireWheel enables Subject Rights Requests. Get in touch for a personalized demonstration.