Data Subject Access Requests (DSARs): As Important as Payroll?
Sep 23, 2019
A Big Deal for Companies
Managing Data Subject Access Requests (DSARs) is a global challenge that continues to grow as more privacy regulations give individuals the right to see what information companies keep about them and to request updates to it, or even its outright deletion—which is known as the right to be forgotten in the General Data Protection Regulation (GDPR). Like the GDPR, the California Consumer Privacy Act (CCPA) is a comprehensive data privacy bill that includes DSAR requirements for residents of California in the United States and becomes effective on January 1, 2020. Any company that holds personal data about a California resident must comply, no matter where in the world that company is physically located. The CCPA is a big deal for companies, since California has a population of nearly 40 million people and the world’s fifth-largest economy with a $3 trillion GDP. There’s a lot to gain by doing business in California, but companies have a lot to lose if they fail to comply with the CCPA.
As Fundamental to Doing Business as Payroll
Processing DSARs is a ubiquitous problem that is not going away. Just as every company, from start-ups to Fortune 500s, must process payroll, every company holding personal data about a California resident must be able to process DSARs properly and promptly in order to comply with the CCPA. Non-compliance can result in serious financial, regulatory and reputational consequences. Any company or individual violating the CCPA could be fined up to $2,500 per profile (or identity)—and up to $7,500 for intentional violations. The following example from the IAPP helps put potential damages into perspective:
To illustrate the implications of these penalties, consider its possible effect on Facebook, whose Cambridge Analytica scandal was one of the motivations for the citizen’s initiative inspiring the CCPA (see Section 1798.198(b)). According to publicly available data and some estimation, Facebook has approximately 24.6 million users in California. Using this number, were Facebook found to have violated the CCPA, it could face a rough full maximum penalty of $61.6 billion for an unintentional violation affecting each of its users and up to $184.7 billion for an intentional violation.
— Top 5 Operational Impacts of CCPA: Part 5 – Penalties and enforcement mechanisms, IAPP, August 21, 2018
Some companies will take a wait-and-see approach, and, of those, some will unfortunately become publicized poster children of non-compliance and ultimately hurt their brands. A day doesn’t go by without a data breach in the headlines. Why risk it? Companies should take DSARs as seriously as they do payroll. Without an automated, standardized process for handling them, the business won’t survive.
A Big Deal for Consumers
One reason DSARs have received so much attention in recent years is growing consumer concern over the privacy practices of companies. Recent events have shed light not only on the broad scope of information collection by companies, which combine personal information from various sources to create highly personal and accurate profiles, but also on the ease and frequency with which such sensitive information is shared with third parties, intentionally or unintentionally.
The power of the DSAR is that it provides a way for individuals to learn what information a company is collecting and how the company is using and sharing it. Furthermore, GDPR, CCPA and other regulations allow individuals to ask companies to update their data if it is incorrect or even delete it altogether. For the privacy-aware individual, the DSAR can be a powerful tool for taking the first step in controlling how much of their personal information is “out there.”
A Simple Solution for Companies That Care About Consumer Trust
Since 2007, Dataguise has been protecting the data that matters most to people and organizations—personal data. Today, we are focused on helping organizations deserve the digital trust of their customers, employees, and partners. We believe that with personal data comes personal responsibility, and that by working together we can enable organizations to use personal data responsibly to deliver greater value for everyone.
We offer a seamless, end-to-end DSAR solution with flexible deployment options to fit the needs of any company. This allows our customers to focus more on using personal data to grow the business, and less on managing risk or compliance. We’re proud to serve responsible data stewards who know that personal data holds the keys to stronger relationships, greater loyalty, and sustainable business growth. It’s our mission to unlock that potential for our customers and partners, so they can deliver greater value to their customers.
Learn more in our webinar, “Trends in DSAR Compliance and Success Models”
DSAR, SRR, VCR, SAR and other acronyms all refer to the same thing: managing requests regarding consumer data. Some terms you’ll hear with respect to the request process are tied to specific privacy regulations and indicate different requirements. Additionally, the terms personally identifiable information (PII) and sensitive data can be used in lieu of personal information in some parts of the world.
About the author:
James Emmons, Vice President of Global Sales, Dataguise
Jim is a Certified Information Privacy Technologist (CIPT/US) with over 20 years of experience driving business growth in the SaaS and enterprise software space.