Responding to subject rights requests for the CCPA and beyond

This blog is co-authored by Andy Teichholz and Gino Vicari. July 1, 2020 marks the start of enforcement of the California Consumer Privacy Act (CCPA)….

Andy Teichholz profile picture
Andy Teichholz

July 1, 20205 minute read

This blog is co-authored by Andy Teichholz and Gino Vicari.

July 1, 2020 marks the start of enforcement of the California Consumer Privacy Act (CCPA). COVID-19 did little to persuade the Attorney General of California to delay enforcement, instead, California residents (consumers) were reminded of their rights and even provided tips on how to stay secure online during these difficult times.

The CCPA went into effect on January 1, 2020, and provides, among other things, consumers with specific rights to control how businesses process their personal information. If you are a for-profit business that collects and controls the personal information of a California consumer and meet the thresholds defined, you will have to comply with and respond to specific requests relating to one of three categories: access, delete and do not sell (opt-out of sharing or selling their information).

To further complicate matters, the California Privacy Rights Act has been certified and will appear on the November 2020 ballot. If passed, the Act will expand consumers’ rights and provide greater control over the use of their personal information – moving California privacy law further in the direction of the EU’s General Data Protection Regulation (GDPR).

Privacy rights requests on the rise

Under most data privacy regulations, individuals are provided with the right to know what data an organization is collecting about them, why the organization is in possession of that data, and to whom their information is disclosed. Perhaps the most critical focus area for CCPA data privacy compliance and other data privacy laws is the ability to respond to rights requests and meet prescribed deadlines from intake through fulfillment.

Expected costs to be severe

GDPR readiness and compliance has already proven to be a huge challenge and financial burden. Processes for responding to data subject access requests (DSARs) have been very manual, slow, and error-prone often resulting in non-compliance. According to a Gartner survey, organizations are spending, on average, $1,406 per subject access request, and two-thirds of respondents indicated it takes two or more weeks to respond to a single request. With CCPA enforcement penalties ranging from $2,500 to $7,500 per violation, non-compliance with access requests could have a staggering financial impact for covered businesses. To reduce compliance costs, at-risk businesses will need to move quickly to assess their capability to address consumer request fulfillment activities and obligations.

Achieving compliance through technology

Often, when discussing how technology can support privacy compliance, the focus is on security and data governance principles. However, when addressing how to accurately respond to consumer or subject rights requests while ensuring minimal overhead and cost, the word that keeps popping up is automation. Specifically, automating the response process as much as possible can shorten lead times, drastically reduce the risk of human error, and minimize cost.

In the context of access requests, here are the five key principles to automating your response process:

  1. Case management: A critical first step is creating a case in a Case Management software for the incoming request. In this case, actions (fully automated where possible) will be taken to respond to the access request.  Centralizing everything related to the request, such as the shared personal data, all performed activities, audit entries, approvals, and participants allows for easy tracking and audit readiness.
  1. Digitization: Not all personal information exists in a digital format. To automate the entire response process, it’s necessary to digitize physical assets, such as paper, when they contain personal data or information.
  1. Information discovery and collection: Most organizations have put a substantial effort into identifying, protecting, and classifying personal data that resides in their core business applications (e.g., HR, Marketing, Finance). But personal data residing on file shares, inside SharePoint sites, on people’s hard drives, or in emails can also be subject to access requests. To ensure completeness of the response, data discovery tools can be used to crawl uncontrolled data sources. A discovery tool will identify the personal information and help collect it, so it can automatically be added to the response.
  1. Automated redaction: Redacting information that should not be included in the response requires a substantial manual effort. To minimize this effort, consider using text analytics to detect and automatically redact terms and phrases from the response. This still requires a manual review step but having an automated first pass allows for much faster and accurate redacting of sensitive information.
  1. Secure sharing: When sending the response, use a tool that minimizes the risk of the data being breached, such as a password protected link pointing to a secure location with tracked downloads and access expiration (e.g., after 10 days).

The subject rights and consumer rights request fulfillment process is expensive, time-consuming, and difficult to manage without automation and strong data management technologies ground in information governance. Leveraging technology to automate and streamline request lifecycle and workflow will not only reduce operational costs and non-compliance risks but help to maintain the trust and confidence of individuals seeking to act upon their privacy rights.

Learn how OpenText Privacy Management can help businesses automate the consumer and subject rights response process, and integrate an organization’s privacy processes to drive compliance.

For additional best practices guidance to support CCPA readiness and compliance activities you can also check out 5 things smart organizations can do to prepare for the CCPA.

Gino Vicari, Privacy Solutions Expert, OpenText

As OpenText’s privacy solutions expert and having certified as a Data Protection Officer, Gino Vicari is working with several customers, partners and the OpenText organization to address the different topics of privacy management and privacy compliance. As an IT professional with over 20 years of experience in ECM and EIM, Gino has helped organizations across many industries, including Financial Services, Public Sector, Energy & Engineering and Life Sciences to design and implement their critical content and information management solutions. Having come across many different business areas and technologies, Gino is now working as a Solution Expert covering the European territory, advising OpenText customers and mainly focusing on regulated industry and compliance.

Share this post

Share this post to x. Share to linkedin. Mail to
Andy Teichholz avatar image

Andy Teichholz

Andy Teichholz is the Sr. Industry Strategist for Compliance and Legal at OpenText. He has over 20 years of experience in the legal and compliance industry as a litigator, in-house counsel, consultant, and technology provider. Andy is focused on helping businesses succeed with digital transformation. In this capacity, he has served as a trusted advisor to customers by leveraging his business acumen, industry experience, and technical knowledge to advise on regulatory compliance, information governance, and data privacy issues as well as support complex litigation and regulatory investigations.

See all posts

More from the author

The evolving role of general counsel: Securing a seat at the table

The evolving role of general counsel: Securing a seat at the table

Technological, social, and economic events have changed the legal and regulatory landscape. There was a time when in-house legal departments and the general counsel had…

7 minute read

How today’s General Counsel is changing course to better manage risk on the new digital sea 

How today’s General Counsel is changing course to better manage risk on the new digital sea 

Any business that wants to survive and compete must acknowledge the risks it faces in the marketplace, and work within boundaries it considers acceptable to…

4 minute read

eDiscovery is not just for litigation anymore  

eDiscovery is not just for litigation anymore  

Organizations are facing an evolving legal and regulatory landscape involving everything from complying with stringent data privacy laws to combating sophisticated cyber threats that force…

5 minute read

Stay in the loop!

Get our most popular content delivered monthly to your inbox.