The short answer is: Automate. To find out about the 10 steps of processing a data subject access request, and, what you should automate, read the long answer.
Table of Contents
The long answer
The cost and risk of manual DSAR processing
The 10 steps of DSAR processing
What should you automate?
The long answer breaks the process down into steps, and the specific challenges associated with each one. So, if you want do have a better understanding on what can, and should, be automated, read on.
Spoiler alert: The current automation tools in the market only automate a small part of the activities required in responding to a data subject access request.
What happens in an enterprise after a data subject enters a request to access their data and hits “Send”? The response time and effort depend on each company’s IT landscape. This landscape, with its disconnected data silos, is becoming even more complex, with disparate deployment environments on-premise, and in the cloud. So, each Data Subject Access Request (DSAR) can send troops of employees, from various departments, on a quest to locate and collect the fragments of customer data in time to meet the privacy regulation law’s deadline. DSAR processing is also quite costly. Gartner research found that the average cost of a manually-processed request is $1,400, but a recent survey reveals that many companies pay much more.
In addition to high costs, manual DSAR processing is incredibly error-prone. When so many people across the company are handling such sensitive data, mistakes are likely to happen – and it’s hard to prevent unauthorized personnel from accessing sensitive information. Ironically, the same DSAR processing designed to protect a user’s privacy, might actually lead to the opposite result.
Creating a pathway for requests: The first step is to enable users to file a request easily. Most companies dedicate an online form or email for this purpose, but DSARs can also be submitted via phone. It’s essential to make this process accessible and clear, ensure that each channel is fully functioning, and send requests to the right place.
Opening a request: This is the first formal step taken by the privacy steward. From this point on, the clock is ticking.
Validating the request: This process includes 2 stages. (1) The compliance professional should first verify the customer’s details to prevent identity theft and misrepresentation. (2) Then, the compliance team must also check for duplicate requests from the same user to save time, money, and trouble.
Discovering the data: Companies should map the requestor’s data across the organization. This is a challenging step for companies that keep this data in multiple databases. Without a universal data ID for each user across all enterprise IT systems, compliance professionals must work closely with their IT counterparts to identify and connect the data to the requesting individual.
This task is further complicated by unstructured data. According to the International Association of Privacy Professionals, 56% of organizations named “locating unstructured personal data” as the most challenging part of responding to DSARs.
Collecting the data: Even once all persona data has been located, collecting it can be a time-consuming process spanning many different systems. It includes opening a ticket, or asking the responsible IT team for assistance in running a query to extract the data. This step is likely to occur multiple times, based on the number of systems that hold relevant customer data. As increasing numbers of employees are involved in the process, there is a growing concern that personal data will be wrongfully exposed.
Processing the data: Now that (hopefully) all the user’s data is found, the many bits of information should be processed to fit in a unified format in the form of a single document. For too many companies, this process is also done using a labor-intensive, error-prone manual process.
Redacting the data: Some sensitive information, like account numbers and other personal information, requires protection, and should not be sent without masking. Someone needs to examine the data and edit the relevant parts. The step requires a certain level of legal understanding and, once again, is often done manually.
Reviewing the data: A privacy professional will take the time to go over the report and see if anything seems to be missing, out of place, or sensitive. Additional information may be added, or removed.
Sending the data: The approved data report, resulting from all previous steps, is sent to the requestor.
Closing the request: This is the final step. Along the way, compliance teams gather the approvals from all participating teams and parties, and document every step of the process, the processors, participants, and any other relevant information. This information should be saved for auditing purposes.
At the beginning of this post, we stated the obvious – that automation is the path to reducing the cost and time it takes to process a DSAR. However, automating the business process includes automating the workflow that notifies and reminds every relevant stakeholder. And this is only the tip of the iceberg. As you can see from the steps, most of the time and effort is spent on data processing.
If your company, like many others, operates siloed systems across disparate on-premise and cloud environments, you need to find CCPA compliance software that can manage the complexity. But, make sure that your data privacy management solution can automate the workflow AND the data processing.