Numerous privacy laws are requiring that companies provide individuals with data rights — rights to access their data, correct their data, learn about uses of their data, delete their data, and more. Administering these rights can be quite complicated for organizations.
I recently had the opportunity to interview Heather Federman, the VP of Privacy & Policy at BigID, where she manages and leads initiatives related to privacy evangelism, product innovation, internal compliance and industry collaboration. Heather enjoys working with like-minded organizations and people to produce deep insights and bring rationality to the nexus of data, technology, business and law.
SOLOVE: For those who may not be aware, can you explain this new concept of “Data Rights” and what Data Subject Access Requests (DSAR) facilitate those rights?
FEDERMAN: “Data Rights” stems from European data protection law in which the EU’s Charter of Fundamental Rights, Article 8, states that: (1) everyone has the right to protection of personal data concerning him or her; (2) such data must be processed fairly for a specified purpose(s) and on the basis of consent or another legitimate basis. In addition, EU citizens have the right to access and rectify data that has been collected about them; and finally, (3) compliance with these rules is subject to control and enforcement by an independent authority. Essentially, this means that every individual has the right to have any personal data about them processed in a fair and legal way.
To ensure that individuals are protected when it comes to data processing activities, the General Data Protection Regulation (GDPR) codified eight specific individual rights: (1) the right to be informed, (2) the right to access, (3) the right of erasure, (4) the right to rectify, (5) the right to object, (6) the right to restrict processing, (7) the right to data portability and (8) certain rights regarding automated decision-making. Altogether, these specific rights are considered “Data Subject Access Requests,” or “DSARs.” DSARs are not considered to be absolute rights — controllers (and in several instances processors who process personal data for the controller) have some cases in which they might not be able to meet a DSAR, again with specific rules.
GDPR’s Data Rights have spurred other regulatory efforts for various jurisdictions to create their own version of DSARs upon which individuals can act on their Data Rights. Most notably, California, one of the few US states that has its own constitutional right to privacy, created several individual “consumer rights” through the California Consumer Privacy Act, in which California residents now have the right: (1) to know what data companies have about them, (2) to have that company opt out of the sale of any data with any third parties, and (3) to request that data the company has about them be deleted. Pre-global pandemic, over 20 states had some version of these consumer rights in a privacy bill.
Other countries are paying attention as well. A year after GDPR went into effect — and enforceable this August — Brazil finalized its General Data Protection Law (“LGPD”). A main component of LGPD is its “Data Subject Basic Rights,” similar to those mandated in GDPR.
A central sticking point of these various DSARs is that they all include an extra-territoriality dimension. It doesn’t matter where the company is located – it matters what the residency of the data subject is. Therefore, your Data Rights follow you wherever you go as an individual – and you have to have the ability to access your DSARs from wherever you’re located.
SOLOVE: Part of the DSAR process is verifying the identity of the data subject. What sort of challenges has this brought up?
FEDERMAN: In order to properly validate and verify someone’s identity, the data subject needs to prove that she is who she says she is. This means that, in many situations, if the data subject does not have an account with the company, then personally identifiable information is going to need to be collected in order to do the verification. While some privacy advocates have argued that companies should avoid standard methods of collecting ID documents or passports, unfortunately this may be the best way to validate someone’s identity. It would be a real problem to provide an information report to the wrong person, for instance, or to allow a criminal to rectify someone’s contact information so that future communications with the company are sent to the wrong person.
But at the same time, the collection of such information presents an additional risk for companies and for their data subjects. Requesting this sort of information could end up turning off a data subject from wanting to complete a request when she sees the sort of data needed to complete the verification process, thereby exacerbating a company’s potential “creepy factor.” This is the sort of data that could be used for identity theft or fraud, and it comes with higher security protection measures in place than what might actually be present within the data subject report itself. Unfortunately, this becomes a catch-22 situation.
This is why we will likely see an increasing number of companies, especially SMBs, choosing to work with a third party provider that specializes in identity verification. First-party companies may not have the resources or in-house knowledge to make the call as to whether someone is who they say they are. And they may not want to take on that additional privacy and security liability that comes with processing identity validation data.
Ultimately, it’s important to understand the proportionality of the sort of data you would normally process. If the company only collects names and email addresses, then collecting national ID documents would be irrelevant and put the company and the data subject at risk. But if the company processes financial info or other sensitive information, then collecting more sensitive info for verification purposes — through a secure and efficient method — may well be worth the risk.
SOLOVE: What are some interesting trends you’re seeing around Data Rights and DSARs?
FEDERMAN: The costs related to fulfilling a DSAR request are considerable – a study from Gartner found that the average cost is $1400. Just think about the manual hours required to process a single request — in which you would need to establish some form of consistent communication with the data subject, conduct extensive searches of the data held (and do double or triple checks) while also making sure to exclude any information that could fall under an exemption like attorney-client privilege, and present this to a data subject in an easily readable format — all within a predefined, limited amount of time. While there may be an upfront cost, companies would do well to save themselves the burden of manually processing and fulfilling DSARs through some sort of scalable and automated approach.
There’s been a significant rise in DSARs across all industry sectors — with companies of all sizes and revenues being affected. The trend veers more towards well-known brand names of consumer-facing companies, but this isn’t to say that non-consumer-facing companies that don’t regularly interact are not impacted. For instance, service-providers or data processors may not be the ones receiving the direct requests, but they still need to figure out a workable solution for helping the controllers interact with a means to timely and accurately respond to a DSAR request. Given that the clock starts running on the controller’s side, processors are left with an even smaller time period to find and deliver the right information than the controllers themselves are.
What’s been most surprising for me is how DSARs are being used increasingly by individuals in the context of a workplace issue under the GDPR and the UK Data Protection Act of 2018. This has been especially the case where an employee is facing a performance management issue or working on a separation package and wants to cause problems for the business or get more intel to help make their case. This trend is likely to grow, and once the employee moratorium is lifted off of CCPA, I’ll be curious to see if the same trend happens in California as well. Consequently, companies will need clear policies and procedures on how to handle workplace-related DSAR requests in accordance with the law while avoiding any sort of inquiry or enforcement action from regulators.
SOLOVE: As Data Rights become more intrinsic to current and upcoming privacy legislation, what do you recommend to help manage the influx of requests and the ensuing complexity?
FEDERMAN: While many companies have put in place new policies and procedures regarding Data Rights and how to respond to DSARs, there has been less of a push to hire personnel to handle the incoming requests and acquire the appropriate technology to handle the issue. But these companies do themselves a disservice in not having the right people and the right technologies in place.
The first step comes down to “knowing your data.” In other words, data discovery is increasingly becoming foundational to the privacy program. This can’t be done simply through a manual search or reliance on traditional survey-based methods, so companies may turn to us at BigID and look for an automated method to discover and classify all impacted data across various enterprise data sources. We also help organizations do a thorough data inventory and operationalize a data flow map with ongoing integration of findings. The focus we like to think of is: “data-driven privacy compliance.” Whether or not a company chooses to work with BigID or another appropriate technology, it is essential that companies have a method in place to automate data rights. Otherwise, the risks involved in a manual approach become too much to bear.
SOLOVE: Do you believe Data Rights have overall helped CPOs get more visibility in their organizations? Or is this now a double-edged sword where CPOs are primarily measured on their ability to adequately respond in a timely manner?
FEDERMAN: Traditionally, the Chief Privacy Officer (CPO) was often not the strongest voice or most valued stakeholder in broader discussions about enterprise data strategy, data governance, and data protection. What’s exciting is that Data Rights have created an opportunity to establish privacy as a critical element in how organizations both build brand trust and achieve key business objectives by extracting more value from their data. CPOs can use the legal requirement to fulfill data rights as a means to show how their role is actually a critical component in the broader corporate objective to establish consumer trust and extract real data insights. They can do this by establishing a common framework and shared language for effective collaboration with stakeholders. This requires a prioritizing of understanding or knowing the company’s data and building data privacy intelligence over just relying on process, manual reporting, and workflows alone.
Of course, there is always the challenge of being unable to meet deadlines required by law when it comes to DSAR fulfillment. This could present not only a regulatory risk with authorities, but also a reputational risk with customers. This is why CPOs must have an automated method in place to locate their data and fulfill individual data rights. BigID’s new data rights automation gives companies the ability to deliver their customers greater data transparency and accountability via smarter data discovery and accounting. This may not completely absolve a company of the associated risks of doing business, but it can certainly help, while simultaneously creating a data-driven approach to doing business in the first place.
SOLOVE: Thanks, Heather, for your great insights! There’s a useful whitepaper on the subject over at BigID’s website, Automate Data Access Rights Fulfillment, if you want to learn more about the topics in this interview.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.