Both the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the United States place tighter restrictions on how companies collect and process the personal information of consumers and employees. “Right of access” requests from data subjects, in particular, are still creating compliance headaches.
Among the most onerous requirements under the GDPR and the CCPA, from a compliance and operational standpoint, is responding to right of access requests from data subjects, including customers, clients, employees, and third parties. This has proven costly for companies: according to a survey conducted by Gartner, organizations spend an average of $1,400 to manually process a single data subject access request (DSAR), and each one can take at least two weeks to answer.
During a Jan. 20 webcast, a panel of experts discussed common DSAR compliance challenges, as well as leading practices for handling DSARs. The following three tips were among their suggestions:
Verify the identity of the data subject. This is the first important step to take when a DSAR comes in, said Adrian Palmer, an associate partner in the Forensic and Integrity Services practice at Ernst & Young UK. In its right of access guidance published in October 2020, the U.K.’s Information Commissioner’s Office (ICO) recommends “ask[ing] for enough information to judge whether the requester (or the person the request is made on behalf of) is the person that the data is about.”
“The key point is that you must be reasonable and proportionate about what you ask for,” the ICO said. “You should not request more information if the requester’s identity is obvious to you. This is particularly the case when you have an ongoing relationship with the individual.” One straightforward way to verify a data subject’s identity is to use verification methods already in place, for example an existing username and password, or checking that the request came from the same e-mail address the organization already holds for that individual. A sender address on its own is easy to forge, so where that check is relied on it is sounder to send a one-time confirmation link to the address on record than to trust the address the request arrived from.
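As an added illustration (not code from the webcast, the ICO, or any of the panelists’ organizations), the following Python sketches how the proportionate decision described above can be encoded: a request made from an authenticated session needs no further proof, an unauthenticated request whose sender address matches the address on record gets a one-time link sent to the address on record rather than to the sender, and anything else triggers a request for more information. The customer directory, the request fields, the token format and the 24-hour validity window are assumptions made for the example.

```python
"""Proportionate identity check for an incoming DSAR.

Added example. Assumptions: a customer directory keyed by customer ID that holds the
e-mail address on record, and a per-deployment secret used to sign one-time tokens.
"""
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)   # assumed deployment secret; keep it out of source control
TOKEN_TTL_SECONDS = 24 * 60 * 60          # assumed validity window for the confirmation link

# Constructed sample directory: the addresses the organization already holds.
CUSTOMERS = {
    "cust-1001": {"email": "alice@example.com"},
    "cust-1002": {"email": "bob@example.com"},
}


def decide_verification(request, customers=CUSTOMERS):
    """Decide how much identity proof to ask for.

    request keys (assumed shape):
      customer_id      - the account the requester says the data is about
      authenticated_as - customer ID of a logged-in session, or None
      from_address     - sender address of the e-mail that carried the request
    Returns (status, detail).
    """
    on_record = customers.get(request["customer_id"])
    if on_record is None:
        return ("unknown-subject", None)
    # Ongoing relationship already proven by the existing login: ask for nothing more.
    if request.get("authenticated_as") == request["customer_id"]:
        return ("verified", "authenticated session")
    # A sender address is trivially forged, so a match is only a hint. Prove control of
    # the address by sending a one-time link to the address on record, not to the sender.
    claimed = (request.get("from_address") or "").strip().lower()
    if claimed == on_record["email"].lower():
        return ("challenge", on_record["email"])
    # Otherwise ask for more information, proportionate to the data at stake.
    return ("needs-more-information", None)


def issue_challenge(request_id, customer_id, now=None):
    """Mint a token bound to this request and customer (IDs must not contain '.')."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    body = f"{request_id}.{customer_id}.{issued}.{nonce}"
    mac = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_challenge(token, request_id, customer_id, now=None):
    """Accept the token only if untampered, for this request and customer, and unexpired."""
    checked_at = int(time.time() if now is None else now)
    try:
        rid, cid, issued, nonce, mac = token.split(".")
        issued = int(issued)
    except ValueError:
        return False
    body = f"{rid}.{cid}.{issued}.{nonce}"
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    if rid != request_id or cid != customer_id:
        return False
    return 0 <= checked_at - issued <= TOKEN_TTL_SECONDS


if __name__ == "__main__":
    req = {"customer_id": "cust-1001", "authenticated_as": None,
           "from_address": "alice@example.com"}
    print(decide_verification(req))                          # ('challenge', 'alice@example.com')
    token = issue_challenge("DSAR-42", "cust-1001")
    print(verify_challenge(token, "DSAR-42", "cust-1001"))  # True
```

The token is only single-use if the server also records the nonce and refuses it a second time; that bookkeeping is left out here. Binding the request ID and customer ID into the signed body means a link issued for one request cannot be replayed to release another subject’s data.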
Design a proper workflow. “If you haven’t designed a proper workflow, you won’t be able to handle a DSAR request,” said Christian Volkel, chief privacy officer at Porsche. “Designing your DSAR workflow within your privacy management system has to be an integral part of it.” Without a software-based process, you’re not going to be able to satisfy thousands of requests at once, he said.
Additionally, within those processes, “you have to be able to describe the task of each department and their competences and responsibilities,” Volkel added. Another important measure is to train stakeholders regularly—at least once a year, Volkel advised.
Conduct a data mapping exercise. Systems and processes must be in place to quickly locate the data subject’s personal information and to more easily manage the additional administrative burdens created by both the GDPR and the CCPA. “The data mapping exercise is really tricky, and there are few companies that have actually nailed that down in my experience,” Palmer said.
Much of it starts with a record of what you hold and why you have that data in the first place. Do you have a legal basis for processing it, or should you be getting rid of it? “Many organizations still don’t have policies that speak well to data protection,” Palmer said. “Data mapping is the start of it all.”
In many cases the data will be structured, meaning it is held in a database. “The difficulty will come in unstructured data,” Palmer said. This includes data held in email or chat applications, where you have to locate the data, filter it down to the records specific to that data subject, and then redact any personal data of other individuals that those records contain.
“Most of my clients will tell me that it’s the redaction phase that is taking up so much time,” Palmer said. There is technology to help, but redaction has still been a major issue, he said.
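To make the three unstructured-data steps concrete (locate, filter to the subject, redact everyone else), here is an added Python example; it is not code from the webcast or from any EY tool. The chat export, the subject’s identifiers, the directory of other known individuals and the organization’s own mailboxes are all constructed for the example. It goes slightly beyond the text by also matching on the subject’s name rather than only their address, since a subject can be discussed in a message they were never party to.

```python
"""Locate, filter and redact unstructured records for one data subject.

Added example. Assumed record shape: dicts with sender, recipients and text. Regexes
catch e-mail addresses and phone numbers; a small directory of other known individuals
catches names. Treat the output as a first pass for human review, not a final answer.
"""
import re
from dataclasses import dataclass

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Loose phone pattern: optional '+', then 10-16 characters of digits, spaces or dashes.
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d \-]{8,14}\d(?!\w)")


@dataclass(frozen=True)
class Subject:
    emails: frozenset   # lower-case addresses belonging to the data subject
    names: frozenset    # names and aliases the subject may be referred to by
    phones: frozenset   # digits only, e.g. "447700900123"


# Constructed sample chat export: not real data.
MESSAGES = [
    {"sender": "alice@example.com", "recipients": ["support@corp.example"],
     "text": "Hi, my order 4471 never arrived. Call me on +44 7700 900123."},
    {"sender": "support@corp.example", "recipients": ["alice@example.com"],
     "text": "Thanks Alice. Bob Carter (bob.carter@example.com, 07700 900456) signed for it."},
    {"sender": "support@corp.example", "recipients": ["bob.carter@example.com"],
     "text": "Bob, please confirm you received parcel 4471 for Alice Smith."},
    {"sender": "dave@example.com", "recipients": ["support@corp.example"],
     "text": "Unrelated complaint about billing, ref 9911."},
]
SUBJECT = Subject(emails=frozenset({"alice@example.com"}),
                  names=frozenset({"Alice Smith", "Alice"}),
                  phones=frozenset({"447700900123"}))
OTHER_PEOPLE = frozenset({"Bob Carter", "Bob", "Dave Miles"})   # constructed directory
ORG_MAILBOXES = frozenset({"support@corp.example"})            # shared mailbox, not a third party


def involves_subject(msg, subject):
    """Locate: the subject is a party to the message or is named in it."""
    participants = {msg["sender"].lower(), *(r.lower() for r in msg["recipients"])}
    if participants & subject.emails:
        return True
    lowered = msg["text"].lower()
    return any(name.lower() in lowered for name in subject.names)


def redact_third_parties(text, subject, other_people, org_mailboxes=frozenset()):
    """Redact identifiers that belong to someone other than the subject."""
    allowed_emails = subject.emails | org_mailboxes

    def email_sub(m):
        return m.group(0) if m.group(0).lower() in allowed_emails else "[REDACTED EMAIL]"

    def phone_sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        return m.group(0) if digits in subject.phones else "[REDACTED PHONE]"

    text = EMAIL_RE.sub(email_sub, text)
    text = PHONE_RE.sub(phone_sub, text)
    # Longest names first so "Bob Carter" is not half-eaten by the alias "Bob".
    for name in sorted(other_people, key=len, reverse=True):
        text = re.sub(r"\b" + re.escape(name) + r"\b", "[REDACTED NAME]", text,
                      flags=re.IGNORECASE)
    return text


def build_dsar_bundle(messages, subject, other_people, org_mailboxes=frozenset()):
    """Filter to the subject's records, then redact everyone else in what remains."""
    bundle = []
    for msg in messages:
        if not involves_subject(msg, subject):
            continue
        bundle.append({
            "sender": redact_third_parties(msg["sender"], subject, other_people, org_mailboxes),
            "text": redact_third_parties(msg["text"], subject, other_people, org_mailboxes),
        })
    return bundle


if __name__ == "__main__":
    for item in build_dsar_bundle(MESSAGES, SUBJECT, OTHER_PEOPLE, ORG_MAILBOXES):
        print(item["sender"], "|", item["text"])
```

Two design points worth noting: the short alias “Bob” is deliberately in the directory because third parties are usually referred to by first name in chat, and that is also why the result still needs a human pass, since a bare first name can just as easily be a false positive. Order numbers such as 4471 survive because the phone pattern requires at least ten characters; tightening or loosening that pattern is where most tuning effort goes in practice.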
Think about the business units that most often handle sensitive personal information: HR, sales and marketing, finance, legal, and so on. From there, the company can start to analyze where those units may have captured personal information.
In the run-up to GDPR compliance, many companies went through a business-process mapping exercise, but what many forgot about was legacy systems that were not part of their record of processing activities. So it is important not to forget files that perhaps have not been accessed in five years.
In sum, data mapping gives a company a degree of certainty about which systems it has, which data each of them contains, and what it can then pass along to data subjects in a timely manner. “If we don’t know that,” Palmer said, “we’re almost scuppered straight from the get-go.”