We’re now more than a year into the official implementation of the General Data Protection Regulation (GDPR), set into motion on May 25, 2018.
If the legislation affected your business, how are you keeping up with the stringent data protection and privacy rules? What about new data protection rules outlined by the California Consumer Privacy Act (CCPA)?
One of the changes enacted by both laws is the ability for customers to submit Data Subject Access Requests (DSARs) to learn more about how your organization is collecting, using and sharing their personal information.
Unless you have robust reporting procedures in place, fielding these requests can be a laborious manual effort.
As detailed in Article 15 of the GDPR, data subjects have the right to submit a SAR to data controllers, inquiring if and how the controller processes their personal information. They can also obtain a copy of that personal data where applicable.
Specific details that controllers must include:
The purpose of the information processing
The categories of personal data involved
Recipients to whom the controller discloses (or will disclose) the data
How long the controller will store the data
Steps to rectify, erase, restrict or object to data collection
The right of the subject to submit a complaint with a supervisory authority
Information on the source of personal data derived indirectly from the subject
If the controller uses the data to automate decision-making (i.e. profiling), the logic used and subject consequences involved
Under the GDPR, you only have 30 days to respond. If a subject submits the request under the CCPA, you’ll have 45 days.
This is where automation comes in. Let’s review some key benefits that a privacy rights platform can provide and how it makes SAR compliance easier.
Consolidate Disparate Data
The most challenging part about responding to a SAR isn’t creating the response itself. If these laws apply to you, you should have steps in place that ensure access to the information requested.
The difficulty lies in mining these insights from multiple back-end systems. For most companies, privacy data isn’t consolidated to a central location.
Rather, it’s spread out among these different types of in-house systems:
Customer Relationship Management (CRM) platforms
Enterprise Resource Planning (ERP) systems
Help desk and ticketing systems
Applicant tracking systems
Especially if you have more than 10 different back-end systems and anticipate at least one SAR per week, it’s smart to invest in an automation platform that makes the process more efficient. Our platform uses more than 100 pre-built connectors to provide seamless integration with your existing systems, leveraging flexible API builders for special customizations.
When all of your key data points are stored in an accessible portal, you aren’t spending money, time and resources on manual data retrieval.
Even if you aren’t ready to integrate your internal systems yet, the first level of automation alone is enough to cut overhead and simplify SAR responses.
At this base level, you can relieve much of the administrative burden associated with making sure that each SAR is valid and authentic. Imagine the time saved if you could automate the following tasks:
Data subject identity validation
Productivity logging and reporting
Freeing up your teams from tracking and storing this data manually cuts operational overhead. It also enables a more accurate response and saves your organization from spending time on inauthentic SAR requests.
Subject Identity and SAR Validation
How does it work?
When a data subject sends an email or SMS endpoints as part of a SAR, our software sends a verification link to that location before approving it as verified and actionable. You can also request photo IDs for each data subject. Also, our software integrates with other verification methods, including third-party tools or your organization’s authentication systems.
And, your verification abilities aren’t limited to identities.
You can also validate every SAR request that comes through via a branded, multilingual Data Subject Portal. Following the portal’s instructions, data subjects can provide relevant, actionable details on the data they’re seeking. Then, using this information, you can act on the SAR promptly without further interaction.
Task Generation and Reporting
Responding to a SAR is often a team effort. To this end, it’s important to know where your employees are in the process to ensure delivery by the required deadline. This is why, in addition to your Data Subject Portal, you’ll also have access to an Administrator portal.
Here, you can manage unlimited SAR requests and generate individual tasks for your team as they come in. Then, using the portal’s secure and permanent ledger, you can track, log and timestamp all SAR-related activities. This way, you can monitor the progress of every SAR from initial request to final fulfillment.
Also, reporting and filtering features make it a breeze to create the data forms you need to support in-house analytics or external requirements.
SAR Compliance Made Easy
While the GDPR and CCPA are two of the most recent and prominent laws focused on data privacy and protection, similar regulations, such as Nevada SB220, are soon to follow.
As such, if you aren’t already responding to Data Subject Access Requests, you likely will be in the future. Investing in an automation platform now can make it easier to respond to new and existing inquiries.
Looking for a solution robust enough to meet your needs? That’s where we come in.
Our end-to-end platform helps you automate workflow, data, and change requests to help your teams stay compliant, efficient and productive. Request a demo today and see for yourself the difference it makes.