As we mark the fourth anniversary of the GDPR, we have seen so many positive advances by businesses and other covered entities investing in privacy. Organizations have transformed their IT infrastructure and improved their security and data governance posture to mitigate data privacy and protection risk. Despite these gains, demands made by data subjects and consumers seeking to act upon their exercisable rights – mainly subject right requests (SRRs) – continue to expose many businesses on their inadequacies in managing this process. That is why automation and workflow management remain top data privacy technology capabilities being pursued today.
The world community demands control over their data
In an earlier blog, I indicated that the world community is now, more than ever before, seeking to reclaim power over personal data and hold organizations accountable for their behavior. How nations, their regulators and courts interpret the scope of coverage and adequacy of responses to SRRs will continue to evolve. Nonetheless, it is undoubtedly clear that global adoption of privacy and protection laws is accelerating rapidly and awareness is increasing. Look no further than what is happening in the United States; since the California Consumer Privacy Act (CCPA) went into effect in 2020, four other states (Virginia, Colorado, Utah and recently Connecticut) have passed similar comprehensive privacy laws protecting and providing consumers with subject rights. More are on the way.
Under most of these regulations, individuals have the right to know what data an organization is collecting about them, why the organization is in possession of that data and to whom their information is disclosed. These rights include, but are not limited to, requests from consumers to access, correct, delete and port their data. Perhaps the most critical focus area is the ability to respond to SRRs and meet prescribed deadlines from intake through fulfillment.
Subject rights request fulfillment challenges
Despite privacy laws in place, many organizations’ processes for responding to SRRs are still immature. In the IAPP-EY Annual Privacy Governance Report 2021, privacy professionals surveyed indicated that more than half of their organizations handle subject rights manually, while about 1 in 3 have either partially (32%) or fully (3%) automated the process. With the rise in awareness and steady influx of requests, organizations will find it extremely difficult to fulfill requests with the resources available. Personal data is difficult to identify and collect, not all information is digital, redactions are performed manually and deadlines are hard to meet. Of course, operational costs are significant as well. According to the Gartner® 2021 Security and Risk Management Governance Survey, the average cost for processing one SRR was $1,524 with half (50%) of the respondents indicating their organization received 51 to 100 requests per month.[i]
Meeting demands through technology
When addressing how to accurately respond to SRRs, we need to focus on automation. Specifically, automating the response process is key to shorten lead times, drastically reduce the risk of human error and minimize operational costs.
In the context of access requests, which along with right-to-erasure are the most common, here are five key principles to automate your response process:
Case management: A critical first step is having a process in place to handle incoming requests. Actions (fully automated where possible) will be taken to verify, validate and respond to the access request. Centralizing the management of everything related to the request, such as all performed activities, audit entries and approvals allow for easy tracking and audit readiness. It also establishes a strong workflow for a coordinated response.
Digitization: Not all personal information exists in a digital format. To automate the entire response process, it is necessary to digitize physical assets, such as paper, when they contain personal data. Addressing this consideration will have a significant impact on the speed to expedite the collection of data to meet deadlines.
Data discovery and collection: Most organizations have put a substantial effort into identifying, protecting and classifying personal data that resides in their core business applications (e.g., HR, marketing, finance). But personal data residing on file shares, inside SharePoint sites, on people’s hard drives or in emails can also be subject to access requests. To ensure completeness of the response, data discovery tools can be used to crawl uncontrolled data sources. A discovery tool will identify personal data and help collect it so it can automatically be included in the response.
Automated redaction: Redacting information that should be eliminated from the response can require substantial manual effort. To minimize this labor, consider using text analytics to detect and automatically redact terms and phrases from the response. This still requires a manual review step but having an automated first pass allows for much faster and more accurate redaction of sensitive information.
Secure sharing: When sending the response, use a tool that minimizes the risk of the data being breached, such as a password protected link pointing to a secure location with tracked downloads and access expiration (e.g., after 10 days).
The SRR request fulfillment process is expensive, time-consuming and difficult to manage without automation and strong data-management technologies. Leveraging technology to automate and streamline request lifecycles and workflows will not only reduce operational costs and non-compliance risks but also help to maintain the trust and confidence of individuals seeking to act upon their privacy rights. Establishing trust may also help to reduce the volume of requests as consumers increase their confidence in how their personal data is being managed and used.
[i] Gartner, Survey Analysis of Security and Risk Governance – The Privacy Office, Bernard Woo, Bart Willemsen, Nader Henein, 14 January 2022. GARTNER is a registered trademark and service mark of Gartner, Inc. And/or its affiliates in the U.S., and internationally and is used herein with permission. All rights reserved.