In the world of data privacy, data subject rights are the hot topic for Chief Data Officers, Data Protection Officers, and all people who work with data right now. Data subject rights, also known as consumer rights and individual rights, refers to a person’s control over how their personal data is used by businesses. Businesses are required to fulfill those rights to demonstrate sufficient management and protection of personal data and adherence to global privacy laws, such as the General Data Protection Regulation (GDPR).
After months of anticipation, the newly enforced California Consumer Privacy Act (CCPA) is officially here and adding complexity to data subject rights.
As you can probably tell by the name, the CCPA centers on giving power to the consumer; the law gives consumers the right to know how and why their data is being collected and used. This law is a win for consumers because awareness about personal data use has skyrocketed among the general public and consumers have become increasingly skeptical about the growing use and misuse of personal information (PI). However, now businesses fear the potential flood of data subject requests from consumers.
The CCPA is just one of many regulations that should be on privacy and data professionals’ minds. The GDPR was enforced just two years ago and we know that dozens of data privacy legislations are in draft across the United States and around the world. Organizations need to equip themselves to handle data subject requests for the CCPA and every consumer privacy regulation to come, but to do so, they need to have a strong grasp of what PI they possess, how it’s being used, and where it’s stored. In order to swiftly and thoroughly respond to the anticipated influx of data subject rights requests with the CCPA, organizations need to take a data-centric approach to privacy compliance.
What are data subject rights?
So let’s give a little bit more context on data subject rights. Data subject rights may go by various names, such as DSRs, data subject access rights (DSARs), individual rights, consumer rights, etc. But all these terms essentially mean the same thing; data subject rights denote a person’s right to know and impact how their personal data is used. The GDPR popularized data subject rights among data professionals and the European public alike, but now California legislators have outlined their citizens’ power over personal data.
Under the CCPA, these rights include:
- Right to be informed – Consumers can ask businesses what categories of their PI is being collected
- Right to opt out – Consumers can ask businesses to stop selling their PI or using it for business benefit
- Right of deletion – Consumers can ask businesses to delete their PI
- Right of access – Consumers can ask businesses to provide the list of actual PI values collected
- Right to non-discrimination – Businesses must provide equal services, meaning they cannot discriminate against a consumer for exercising their rights
When a consumer exercises a data subject right under the CCPA, organizations have 10 business days to confirm receipt of the request and 45 calendar days to respond to the request. This sounds straightforward, but in practice, managing these requests can be quite convoluted.
Why are data subject rights so difficult?
Although solving the challenge is complex, identifying the root cause of the problem is pretty straightforward: it’s the data.
Data privacy teams have struggled with data subject rights with the GDPR for a number of reasons, and we foresee organizations facing similar difficulties with the CCPA. These challenges include:
- Manually managing the request workflow across teams
- Difficulty locating PI
- Sifting through an excess data to find the relevant information
- Difficulty documenting the response history for compliance auditing
- Managing volume of incoming requests
- Responding to requests on time and in full
All in all, it comes down to the fact that organizations have a lack of knowledge about what data they have, where the data is, how the data has been used, who has access to the data, and what governance policies apply to the data.
What happens if organizations don’t comply properly?
Handling these requests is hard. Is it really a big deal if organizations don’t complete all the data subject rights or do so in a timely manner?
Yes, failing to complete these requests can have negative consequences for your team and the whole company.
The most obvious and most tangible consequence of noncompliance is financial penalties.
- CCPA: Penalties for CCPA noncompliance can cost up to $2,500 per unintentional violations and $7,500 for intentional violations. The law also allows for consumer lawsuits of $100-$750. These numbers may seem small for large enterprises, but if you consider the facts that many companies hold the PI of millions of people and that some companies have received over 500 data subject rights requests in just one week since January, those penalties can rack up really quickly.
- GDPR: The GDPR fines violators up to €20 million or 4% of annual revenue, whichever is greater. The largest fines since the GDPR went into effect in 2018 are:
- British Airways – €204.6 million
- Marriott International Hotels – €110.3 million
- Google – €50 million
- Austrian Post – €18.5 million
- Deutsche Wohen SE – €14.5 million
Loss of consumer trust
Consumer trust in businesses is waning and data privacy and protection can either make or break a consumer’s confidence in purchasing products from or doing business with a company. A PwC survey found that only 25% of consumers believe businesses handle their data responsibly and a whopping 71% would stop doing business with a company for sharing PI without permission.
Wasted time and resources
One of the greatest challenges and consequences of failure to fulfill data subject rights is wasted time and resources.
Managing data subject rights involves understanding the requests, searching for the data, notifying the consumers, documenting the responses for audits, and the list goes on. All of these tasks require knowledge of the regulation, multiple stakeholders across teams, time, and money. Data professionals spend 80% of their time just finding, cleaning and organizing data and can spend days resolving simple data issues; imagine if these tasks could be handled automatically and that saved time and energy could be spent on other revenue generating activities.
What’s needed to manage data subject rights?
The answer: know your data!
In order to efficiently manage data subject rights requests, organizations need to put data at the center of their privacy strategy. Organizations that implement a data-centric approach must rely on several data competencies. By putting Data Intelligence at the center of a privacy program, organizations can more easily answer these foundational questions for fulfilling data subject rights:
- What PI do we have?
- Where is the PI?
- How is the PI used?
- What policies and controls apply to this PI?
The two most important technological capabilities for managing data subject rights are:
- PI discovery and classification to help you know where data is, classify your data, and systematize your data. Strong technologies will automate PI discovery and classification for scalability.
- Process register to give context to your data. A process register maps out business processes associated with PI so that your organization understands the purpose behind the processing of such information, the data categories in question and the legal basis under which this information is being processed.
Establishing a foundation of intelligent and governed data will enable any organization to swiftly manage requests and transform its data privacy program.
Simplify data subject requests fulfillment with Collibra
For those on the lookout for privacy enhancing technologies, Collibra offers an approach that delivers privacy from a foundation of Data Intelligence. Collibra Data Privacy offers PI discovery, data classification and process register capabilities to put data at the center of privacy compliance programs.
Moreover, we recently unveiled our new Individual Rights Requests feature that simplifies collaboration for data subject rights fulfillment. Highlights of the feature include:
- Centralized dashboard
- Regulation-specific content
- PI automation
- Role-relevant content
- Embedded privacy guidance and data workflows
Collibra Data Privacy enables our customers to automate data privacy workflows and turn their data into a strategic asset.
Teresa is a data professional passionate about Privacy and Change Management