In 2021, Gartner predicted that three quarters of worldwide consumers would be subject to one or more privacy laws offering data subject access requests. Privacy laws and regulations will soon affect everything that private enterprises and public organizations are doing almost everywhere and all the time.
If the laws were consistent, this might be a relatively manageable task. But clearly, they are not. While the basic principles are consistent, the actual responsibilities and requirements can differ significantly across various jurisdictions. As more and more states pass laws, and more and more regulations go into effect, organizations must lay the technology and process groundwork in place to meet these requirements. Two areas where organizations can and should get ahead of the game are in managing consumer consent and data subject access requests.
The Essentials of Informed Consent
The notion of informed consent underpins almost every modern privacy law. Broadly speaking, implementing an informed consent policy means organizations must obtain affirmative, explicit consumer consent to the collection of their data, to what it is used for, and how widely it is shared.
In the US, lacking a comprehensive federal privacy law, legal requirements are governed by a patchwork of legislation. In most states and under most circumstances (except for California, Colorado, and Virginia), consent is not required by the law. But with consumer expectations around privacy changing, many organizations are evaluating new ways to collect, manage, and leverage consent across all the channels they use to interact with their customers.
Historically, consent requests “popped up” in front of websites because organizations needed to layer informed consent on top of already existing websites. Today, consent should not function as a gate to limit access, but rather a lightweight broker that provides universal consent across multiple channels (from the web to multiple owned and third-party applications, for example) and delivers a uniform user experience to consumers based on their preferences.
We’re at a point where consent can no longer be “layered on” to existing consumer experiences. Organizations need a consent mechanism that governs all channels of consumer interaction, from the website to mobile applications to API-based technologies.
Privacy expert Justine Phillips of DLA Piper explains, “We’re at a point where consent can no longer be an afterthought to consumer experiences. Implementing privacy by design principles into how consumers interact with your website, app or products is fundamental to development. The laws and expectations around privacy are shifting to user-enabled control over their personal information. Getting ahead of the shift will put organizations in a better position as these laws continue to emerge.”
The Essentials of Data Subject Access Requests
Under GDPR, CCPA, and other consumer privacy regulations, individuals have the right to request organizations to produce, correct, and potentially delete all data associated with them. While some regulations exempt employees from this right, that is changing in California with CPRA—and may change in other jurisdictions in the future.
When an employee asks for records containing their personal information, the scope of the request is more akin to an e-discovery request. It’s not stored in one place; it’s scattered across multiple systems and platforms. Organizations need to be able to find the data everywhere it exists, review it, redact confidential business information and personal information associated with other employees, and produce that data in a cost-effective, timely manner.
Gartner estimates the cost of manually retrieving consumer data at $1500 per request. It doesn’t take long before the cost of data subject access requests (DSARs) eats up multiple full-time employee salaries. At that cost, many organizations see the value in investing in technology to support their DSAR fulfillment process.
Peter Stockburger, Partner at Dentons, explains, “DSARs are becoming increasingly commonplace. Manually responding to DSARs as they come is not an ideal state for most organizations. Automation is one way organizations can stay ahead of the curve. Although the volume of DSARs may not be outrageous, the scope of data subject to the requests will continue to change, as will the types of individuals capable of making such requests. Automation drives the cost down in responding to DSARs and makes operations more efficient, more effective, and a better experience for the consumer.”