Thanks to police procedurals, most Americans have a pretty good understanding of their Miranda Rights.
“You have the right to remain silent. Anything you say can and will be used against you in a court of law. You have the right to…”
You can probably fill in the rest.
One of the more recent sets of rights, codified by the GDPR and U.S. state laws, is data subject rights, also known as privacy rights. These rights are relatively new, and as a result, they can sometimes catch you off guard.
For businesses, however, it’s not a good thing if a regulation “catches you off guard.” As far as the law goes, ignorance does not equal absolution.
So, what are the data subject rights, and what do businesses need to know about them?
Let’s get into it.
What are the most common rights of data subjects?
Privacy rights, also known as data subject rights, allow individuals to control what businesses and their partners know about them and how they use that information.
While rights vary by law, some common ones include:
- Right to access: Individuals have the right to request access to their personal data.
- Right to portability: Individuals have the right to request a copy of their personal data.
- Right to correct: Individuals have the right to request a correction of their personal data if it is inaccurate or incomplete.
- Right to object: Individuals have the right to object to some processing of their personal data, typically as it relates to the sale or sharing of their personal data and targeted advertising.
- Right to delete: Individuals have the right to request the deletion of their personal data from a business’s database.
- Right to restrict: Individuals have the right to restrict the processing of their personal data in certain circumstances.
- Right to limit the use of Sensitive Personal Information (SPI): Individuals have the right to limit the use of their sensitive personal data.
- Right to limit the use of automated decision-making: Individuals have the right to object to the use of their personal data for automated decision-making that significantly impacts them.
How can consumers exercise these rights with your business?
As a business, you should provide at least two designated methods for consumers to submit privacy rights requests, such as a toll-free number, website form, email address, or mail. Consumers can use these channels to request access to their data, request deletion, opt out of data sales/sharing, etc.
This information should be detailed in your privacy notice. Consumers shouldn’t feel like they’re trying to solve a detective mystery when looking for how to exercise their rights.
As part of this process, the consumer may need to provide information to verify their identity and prevent unauthorized access. This might include account details, address, date of birth, etc.
Managing these requests can be cumbersome for businesses, especially if they don’t have well-established privacy processes. (And even if they do, it’s not always a walk in the park!) Privacy rights automation software can be a helpful tool here. Although it doesn’t replace clearly documented policies, defined workflows, and trained privacy teams, it can reduce some of the tedious tasks involved.
Do businesses have to respond to these requests?
YES.
You must respond to a DSAR (data subject access request) or risk significant fines (thousands of dollars per violation).
How businesses must respond to a DSAR can vary depending on your jurisdiction. For example:
- In Iowa, businesses have 90 days to respond to a consumer privacy rights request
- In California, businesses must:
  - Acknowledge a request to know/access, delete, or correct within 10 days
  - Acknowledge a request to opt out of sale or sharing, or to limit the use of sensitive personal information, within 15 days
  - Provide a full response within 45 days
On the other hand, GDPR has a response timeline of 30 days.
In some circumstances, a business can deny certain types of DSARs. In California, a business can deny a request to delete personal information if the information is reasonably necessary to:
- Complete transactions
- Fulfill product warranty or product recall terms
- Debug to ensure security
- Perform internal operations
- Identify and repair errors
Common mistakes to avoid for data subject rights
As data privacy experts, we’ve seen and heard it all. Here are some common mistakes we see in the realm of privacy rights, and how to avoid them.
1. Your business keeps consumer data you don’t need, “just in case”
We get the temptation to hold onto a perceived resource in case it could come in handy someday. Really. But collecting and holding onto unnecessary consumer data violates data privacy laws, and can make the DSAR process a huge pain.
Instead, focus on data minimization. It is one of the best ways to reduce operational risk, establish compliance with privacy laws, and streamline the DSAR process.
Don’t need it? Don’t keep it.
2. You don’t have a straightforward, step-by-step procedure for processing a DSAR
“We’ll cross that bridge when we get to it” is not an ideal way to handle DSAR protocols because:
- You only have a certain window to respond to DSARs.
- You may have to handle DSARs differently depending on their origin location.
- DSARs can be kind of tricky, and clear protocols can help your employees navigate the process.
Consider creating a yes/no flowchart or checklist for your employees to help them process the DSAR within the required response time. This will ensure that you account for every requirement.
But while we love a flowchart (really), we don’t want to risk oversimplification. Honoring DSARs can be a slog. Consider that you have to:
- Locate the data (sometimes across multiple departments or locations)
- Acknowledge both the request AND provide a full response to the data subject within the required timelines
- Facilitate the request across third parties to ensure you’re fully discharging your responsibilities to the data subject
These steps can be time-consuming and detailed. That’s why privacy rights automation software can be helpful. For example, the software can help discover and redact personal information. It can also automate responses to DSARs and facilitate identity verification.
3. You don’t verify identity for DSARs
A DSAR pertains to an individual’s personal data, so it’s essential to ensure that they are who they say they are. Ask yourself:
- How do we verify an individual’s identity?
- How will we ensure any third-party requests are authorized by the individual?
- Are there rules we need to follow for verification?
- Should we use a third-party technology for ID verification?
This, of course, is a general overview. The nitty-gritty of identity verification can become complex when you consider the different requirements of privacy laws. The CCPA, for example, requires businesses to verify consumer requests (except opt-out requests, which do not need to be verified):
- With a reasonable degree of certainty for general information
- With a reasonably high degree of certainty for specific information, which may involve matching multiple data points or requiring a signed declaration under penalty of perjury
The CCPA also provides detailed guidelines on verification methods based on the type of request and data sensitivity. While email, photo ID, or multi-factor authentication might suffice for some situations, more sensitive data might require at least three data points to be matched or the subject to submit a signed declaration under penalty of perjury.
Identity verification processes can carry high stakes for businesses. Suppose your business accidentally shared personal information with the wrong person because identity verification wasn’t carried out correctly. This misstep would trigger a data breach, and you’d need to not only deal with the data breach but also address flaws in the process to avoid a repeat moving forward.
4. You don’t maintain proper records on rights requests
A state or other governing body may require information about your rights requests as part of an audit or impact assessment. In fact, they may require you to track and publicly report it (e.g., under the CCPA/CPRA, businesses that handle the personal information of 10 million or more California residents in a calendar year are required to track and publicly report specific metrics related to their DSARs).
That means you could be at risk of non-compliance if you don’t maintain up-to-date records on your rights requests.
Make sure you can answer these questions:
- What information do we need to record?
- How will we capture information?
- Where will we store request records?
- Do we need to publish metrics on our rights requests?
5. You don’t have an appeals process
Under most data privacy laws, individuals can appeal a denial of their DSAR. Additionally, businesses that fall under these laws must inform individuals how to submit an appeal.
If you deny a DSAR, you must inform the individual of your decision, your reasons for the denial, and how they can appeal it.
Get on the right track with our free Privacy Rights Roadmap
Red Clover Advisors’ Privacy Rights Roadmap is a free business guide designed to save you time, effort, and money on your compliance journey. Download the guide to learn about privacy rights, compliance steps, and practical actions you can implement today.