Extract from IPRO’s article “DSARs Demystified: What Corporate Counsel Need to Know About Data Protection Laws”
Data protection laws, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), are a major cause for concern for organizations.
While the biggest fines garner headlines, such as the €746 million fine issued against Amazon in July 2021 for failing to process personal data in compliance with the GDPR (which the company is appealing), enforcement isn’t limited to the big players. The GDPR Enforcement Tracker website reveals a wide range of fines and penalties imposed for violations of all sizes.
While the CCPA targets the big players more and only California residents can exercise its rights, it still casts a wide net. The CCPA applies to for-profit businesses that do business in California and meet any of the following criteria:
- Have a gross annual revenue of over $25 million;
- Buy, receive, or sell the personal information of 50,000 or more residents, households, or devices; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
Companies have had to create new systems and establish new protocols and policies to manage data compliance under these laws. One system that companies must have in place is a means of responding to data subject access requests, or DSARs.