
Data Subject Access Request under CCPA: How to manage DSARs efficiently.

Following the implementation of GDPR on May 25, 2018, many business owners, compliance professionals, and I.T. security staff have tirelessly tried to deal with its effects.

In the first year, more than a dozen significant fines totaling €359 million were imposed on organizations.

Marriott, British Airways, Lithuania, and Google in France are just a few well-known names that have paid hefty fines for breaches or mismanagement of confidential customer data.

The CCPA's approach to imposing fines for noncompliance with the strict requirements of the law is influenced by GDPR.

The first comprehensive data privacy law in the USA, the California Consumer Privacy Act (CCPA), was approved by voters in California in 2018.

The CCPA strengthened consumer protections and privacy rights for Californians when it went into force in January 2020.

Eleven months later, Californians approved the California Privacy Rights Act (CPRA) to give customers more privacy rights.

CCPA is not just a state law. Because most U.S. companies will have to comply due to the sheer number of Californians, it is set to become the de facto national standard for the foreseeable future.

Given the state's almost 40 million residents, most firms will have some Californians, and their PII, in their databases, CRMs, or other systems.

Source – Securiti.ai

What is CCPA?

The California Consumer Privacy Act (CCPA) is a law that aims to improve Californians’ consumer protection and privacy rights.

The CCPA aims to give several rights to residents of California, which are as follows:

· Know what personal information is being collected about them.

· Know whether and to whom their data is sold or disclosed.

· Say no to getting their data sold.

· Access their data.

· Request that a company delete any personal data it may have collected about them.

· Not face discrimination for using their privacy rights.

Privacy and security professionals have been asking many questions about how the law will affect their handling of sensitive data and about the variety of requests they might receive from individuals seeking further information about their personally identifiable information (PII), known as DSARs.

What is a DSAR?

With the introduction of GDPR, the term “Data Subject Access Rights” first became widely known.

Although it is sometimes used to refer to Data Subject Access Requests, the acronym DSAR stands for Data Subject Access Rights.

To be clear, a Data Subject Access Request is a consumer request for information or deletion, whereas Data Subject Access Rights are the legal rights provided to the consumer.

Furthermore, you will come across businesses and even legal entities using DSR, SRR, VCR, IRR, and SARs interchangeably.

A SAR is an actual consumer request for information or deletion, whereas Data Subject Access Rights are the legal rights provided to the consumer.

· DSR – Data Subject Request – same as a DSAR

· SAR – Subject Action Request – same as a DSAR

· SRR – Subject Rights Request – same as a DSAR

· IRR – Individual Rights Request – same as a DSAR

· VCR – Verifiable Consumer Requests are like DSARs, SRRs, SARs, IRRs, and DSRs, although some organizations consider them the initial stage of DSAR completion. In other words, VCR verifies that your request came from a legitimate system data source and wasn’t just spam.

According to laws such as CCPA, people have the right to know how businesses handle their personal information.

A data subject can submit their request by email, online form, or any other means of communication that the company and the law provide.

The company must then verify the requestor’s identity and existence in their database and follow the request through to resolution.

This process must be finished within 45 days to ensure compliance with the CCPA.

DSAR Requirements for CCPA Compliance

The California Attorney General’s office published the regulations that offer instructions on how to comply with Data Subject Access Requests (DSARs), a crucial component of the CCPA that gives customers the right to know:

· What personal information the company collects about them.

· Which categories of PII are collected, such as birthdate, gender, and social security number.

· The purpose for which the data is collected.

· Who the data was shared with outside the company.

The regulations also cover the customer’s right to request that their data be deleted and the right to opt out of having their data sold.

As mandated by the legislation, an organization must provide customers with two ways to submit those requests: one must represent the company’s primary means of customer interaction (an online portal, a paper form, or a toll-free phone number).

In a nutshell, the law was created to simplify consumers’ requests for their data.

Effective Data Governance with DSAR Requests

Managing and responding to DSARs

It would be wise for organizations to cooperate with SAR requests without compromising on quality.

The public’s most significant concern regarding data protection is the improper management of DSARs, according to official figures from the ICO.

42% of the 18,000+ data protection-related complaints lodged with the ICO in 2016 were about people’s rights to access their data collected and retained by the company.

Source – Securiti.ai

Any company that wants to accurately, economically, and broadly comply with DSARs must possess the following six capabilities:

· Request Submission Forms

Customers should be able to choose from a list of clearly defined options on request forms to identify themselves and the nature of their request.

Compared to having general or vague requests, this makes it much easier to respond, route, and manage requests.

· Automated authentication

Businesses can use PII already on record to authenticate the requestor if the customer has an established online account with them.

· Automate Data Collection & Search

This will be the most time-consuming part of complying with the CCPA for businesses without an automated, intelligent solution.

Doing this process manually involves finding the owner of the data in the organization and then manually assembling the data from various databases.

· Deletion

In addition to carrying out customers’ requests for PII to be deleted, organizations must ensure that no PII has been mistakenly kept on file by other systems and confirm as much with the customer.

· Align Legal Concerns with PII Retention Requirements

Sometimes, a customer’s request to delete their data may be impacted by legal hold requirements.

For example, companies are required to retain purchase records that contain customer PII.

· Document and Maintain a Record of Every Step and Timeline

This is the best method to legally ensure compliance and chain of custody, as well as a requirement of the CCPA.

These six specifications clarify the importance of a PII data discovery solution that manages the DSAR procedure from start to finish.

The solution should automatically and quickly search across various and dissimilar systems worldwide for personally identifiable information (PII).
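The six capabilities above describe one end-to-end workflow: intake from a structured form, verification against PII already on record, discovery across dissimilar systems, deletion that respects legal holds, confirmation that nothing was left behind, and a timestamped record measured against the 45-day window. The following Python is an added example, not code from the article or from any vendor it mentions; the three "systems" (a CRM map, an orders list, free-text tickets), the legal-hold rule, the requester records and the `process_dsar` function are all constructed for illustration.

```python
"""Minimal DSAR workflow (added illustration; all stores and records are constructed)."""
import hmac
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

RESPONSE_WINDOW_DAYS = 45          # response period the article cites for the CCPA
LEGAL_HOLD = {"orders"}            # purchase records must be retained (legal-hold caveat)


@dataclass
class Stores:
    """Three deliberately dissimilar systems, so discovery cannot be one SQL query."""
    crm: dict
    orders: list
    tickets: list


def sample_stores() -> Stores:
    """Fresh copy of the constructed sample data for each run."""
    return Stores(
        crm={"c-1001": {"email": "dana@example.com", "phone": "555-0142", "name": "Dana Q."},
             "c-1002": {"email": "lee@example.com", "phone": "555-0199", "name": "Lee R."}},
        orders=[{"order_id": 9001, "email": "dana@example.com", "total": 82.50}],
        tickets=["Ticket 77 from dana@example.com: please reset my password",
                 "Ticket 78 from lee@example.com: invoice is missing"],
    )


@dataclass
class DSAR:
    request_type: str        # "access" or "delete", chosen from a fixed form menu
    email: str               # identifier supplied on the form
    phone_on_record: str     # attribute the requester must know to be verified
    received: date
    audit: list = field(default_factory=list)

    @property
    def deadline(self) -> date:
        return self.received + timedelta(days=RESPONSE_WINDOW_DAYS)

    def log(self, step: str, detail: str, today: date) -> None:
        self.audit.append((today.isoformat(), step, detail))


def verify_identity(req: DSAR, stores: Stores) -> bool:
    """Automated authentication: match submitted attributes against PII on record.
    compare_digest keeps the comparison constant-time regardless of where it differs."""
    for rec in stores.crm.values():
        if hmac.compare_digest(rec["email"].lower(), req.email.lower()):
            return hmac.compare_digest(rec["phone"], req.phone_on_record)
    return False


def discover(email: str, stores: Stores) -> dict:
    """Search every system for the subject; returns only systems with hits."""
    pat = re.compile(re.escape(email), re.IGNORECASE)
    hits = {
        "crm": [k for k, v in stores.crm.items() if pat.fullmatch(v["email"])],
        "orders": [o["order_id"] for o in stores.orders if pat.fullmatch(o["email"])],
        "tickets": [t for t in stores.tickets if pat.search(t)],
    }
    return {system: found for system, found in hits.items() if found}


def delete(hits: dict, stores: Stores) -> dict:
    """Delete outside legal hold; record what was retained and why."""
    outcome = {"deleted": [], "retained": []}
    for system, found in hits.items():
        if system in LEGAL_HOLD:
            outcome["retained"].append((system, "legal hold: purchase records"))
            continue
        if system == "crm":
            for key in found:
                stores.crm.pop(key)
        elif system == "tickets":
            stores.tickets[:] = [t for t in stores.tickets if t not in found]
        outcome["deleted"].append(system)
    return outcome


def process_dsar(req: DSAR, stores: Stores, today: date) -> dict:
    """Run intake -> verification -> discovery -> (deletion + confirmation) -> record."""
    req.log("received", f"type={req.request_type} deadline={req.deadline}", today)
    if not verify_identity(req, stores):
        req.log("rejected", "identity not verified", today)
        return {"status": "rejected", "audit": req.audit}
    req.log("verified", "matched CRM record", today)
    hits = discover(req.email, stores)
    req.log("discovered", f"systems={sorted(hits)}", today)
    result = {"status": "fulfilled", "hits": hits}
    if req.request_type == "delete":
        result["deletion"] = delete(hits, stores)
        req.log("deleted", str(result["deletion"]), today)
        # Confirm nothing remains outside legal hold before telling the customer.
        residual = {s: f for s, f in discover(req.email, stores).items() if s not in LEGAL_HOLD}
        result["residual_pii"] = residual
        req.log("confirmed", f"residual outside hold={residual}", today)
    result["overdue"] = today > req.deadline
    result["audit"] = req.audit
    return result


if __name__ == "__main__":
    dsar = DSAR("delete", "dana@example.com", "555-0142", date(2024, 1, 10))
    print(process_dsar(dsar, sample_stores(), date(2024, 1, 20)))
```

The design keeps the discovery step separate from deletion so that the same search runs twice: once to find records and once, after deletion, to prove that nothing outside the legal hold survived. That second pass is what lets the confirmation to the customer rest on evidence rather than on the first search having been complete, and every step lands in the audit list with the date it happened and the deadline it was measured against.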

Benefits of DSAR Automation

Companies have used eDiscovery, data governance, classification-based security, and digital forensic techniques to locate and handle PII.

These programs use pattern matching, regular expressions, GREP, or other search functions to locate keywords or personally identifiable information (PII) in files, emails, and databases.

They provided a solution, albeit an ineffective one, for compliance use cases such as PCI or HIPAA, where precise search criteria were available, data volumes were small, and few devices had to be scanned.

The tools used were slow, complex, or ineffective in addressing use cases involving privacy, such as DSAR.

eDiscovery and data classification tools are often unreliable in accurately collecting personal information.

They are also limited in matching the data to an individual because they are not designed to search multiple databases for specific information like personally identifiable information (PII).

Organizations can save time and money by using technology that automates the DSAR process within the required response timeframe, provides workflows to assist staff members in finding data, and finally provides the data to the requesting user.

Conclusion

If an automated, intelligent solution is not implemented, CCPA will come with additional risk, expenses, and inefficiencies for the organization.

When companies manually fulfill a customer request, it is projected that doing so will cost $1,400 per request for DSARs.

Ways to minimize expenses, maximize efficiency, and eliminate risk are to implement a solution that will:

· Automate DSAR management.

· Securely fulfill DSARs.

· Periodically track and monitor requests.

· Automate PII data linking.

· Monitor and track the consent of customers.

· Evaluate your CCPA readiness.

· Evaluate the compliance of third parties.

· Map PII data flow.

Intelligent solutions using DSR robotic automation and artificial intelligence can support a DSAR workflow that significantly lowers costs, eliminates errors, and offers a more seamless and engaging customer experience.