Privacy and data protection laws give individuals certain rights over their personal information. These privacy rights, also known as data subject rights, allow individuals to control what businesses and their partners know about them and how they use that information.
How Red Clover Can Help Your Organization
Red Clover Advisors assists organizations in establishing streamlined processes for taking in and responding to privacy rights requests in compliance with applicable privacy laws, including:
- Right to access
- Right to portability
- Right to correct
- Right to object
- Right to delete
- Right to restrict
- Right to limit use of Sensitive Personal Information (SPI)
- Right to limit use of automated decision making
The Red Clover Way
The GDPR popularized the phrase “data subject rights” in 2018. The CCPA grants many of the same rights but calls them consumer rights, which adds to the confusion. We think the rights themselves are a great idea, but we are not fans of either name, so we say Privacy Rights instead: the people at the heart of these rights are not “data subjects” or “consumers” but people who probably already have a relationship with your company, such as your customers, employees, prospects, stakeholders, and their families. Tell them what rights they have, and make it easy and clear for them to exercise those rights.
How We Help
We help companies build the streamlined processes, policies, and training programs needed to meet their privacy rights obligations under applicable privacy regulations. Our privacy rights consulting covers:
- Privacy rights policy creation
- Privacy rights process (determine and create)
- Privacy rights playbook documentation
- Privacy management software implementation for privacy rights
- Privacy rights training
Managed Services
Our PrivacyOps® Managed Services Team can help you manage these processes, policies, and programs or support them on an ongoing basis.
Frequently Asked Questions
What is an Individual Rights Request?
Individual Rights Requests (IRRs), also called Privacy Rights Requests or Data Subject Access Requests (DSARs), are requests from Individuals asking you about their Personal Information. The main types of requests are listed below; this is not a complete list of privacy rights requests.
- Know (access) my Personal Information
- Correct my Personal Information
- Delete my Personal Information
There are also opt-out requests, such as:
- Opt out of the sale or sharing of my Personal Information
- Opt out of targeted advertising, profiling, and/or automated decision-making
- Limit the use or disclosure of my Sensitive Personal Information
Do I have to honor IRRs?
Most privacy laws set threshold requirements for when you must honor IRRs. For example, under many US state laws you must process the Personal Information of a certain number of that state’s residents and/or meet a revenue threshold. Under global privacy laws such as the GDPR, you must respond if you collect or use the Personal Information of individuals in those jurisdictions, regardless of where your company is located.
Do I have to provide a way to submit requests?
Yes. You must provide a way to submit a request that matches how you typically do business with the Individuals whose data you hold. For example, if you have a website and a physical location, you need to provide a way to submit a request in both places: this could be a link to a webform on your website, and a posted notice with a QR code to the webform at the physical location. Some jurisdictions, like California, also require a toll-free number in most circumstances, unless the company operates solely online.
How long do I have to respond?
The jurisdiction sets the timeframe. US state laws typically give 45 days to fulfill a request, with an additional 45-day extension if needed. Global privacy laws most often provide 30 days, with an additional 60-day extension if needed. Where an extension is available, you must notify the Individual of the extension and the reason for it before the initial deadline expires; an extension claimed after the deadline is simply a late response.
What are the phases of an IRR process?
The key phases in an IRR process are: intake, verification, validation/exemption, fulfillment, response, and recordkeeping.
- Intake: Provide a way for Individuals to submit a request, such as a webform, a dedicated privacy email address, or a toll-free number.
- Verification: Verify that the Individual submitting the request is who they say they are, and that you actually hold their Personal Information. Match the strength of verification to the sensitivity of the data and the type of request: an access, correction, or deletion request fulfilled for an impersonator discloses or destroys someone else’s data, so it warrants stronger verification than an opt-out. Do not collect more Personal Information for verification than the check actually requires.
- Validation/Exemption: Validate that the request is in scope for your privacy program (for example, that it meets the jurisdiction’s threshold requirements), then review for legal exemptions (entity-level or data-level exemptions may apply to health or other data already covered by another protective law) and exceptions (for example, you may not have to delete an Individual’s data if you need it to perform an existing contract with them; you still have to correct it or provide access to it).
- Fulfillment: Process the request by providing access to, producing a report of, correcting, or deleting/anonymizing the Personal Information.
- Response: Tell the Individual that you fulfilled their request, or explain why you could not (for example, an exemption applied). Some jurisdictions also require you to tell the Individual how to appeal a denial.
- Recordkeeping: Keep records of each request, including the date of receipt, type of request, result, and date of response. Some jurisdictions require you to keep these records for two years.
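The phases above are a workflow with guards and deadlines, so here is a small Python model of them as an added example (it is not Red Clover’s tooling or any product’s code). It computes due dates from the 45+45 and 30+60 day windows quoted above, refuses to fulfill an access, correction, or deletion request that has not been verified, applies the contract exception to deletion, and keeps a ledger that can be purged after the two-year retention period. The jurisdiction labels `us_state` and `gdpr`, the request types, the rule that opt-outs need no verification, and the three sample requests are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class RequestType(Enum):
    ACCESS = "access"
    CORRECT = "correct"
    DELETE = "delete"
    OPT_OUT_SALE = "opt_out_sale"


# (initial days, extension days) as quoted in the text. The keys are
# illustrative labels, not legal citations.
DEADLINES = {"us_state": (45, 45), "gdpr": (30, 60)}
RETENTION = timedelta(days=2 * 365)  # "two years" of recordkeeping

# Access, correction and deletion disclose or alter data, so they are gated
# on identity verification. Opt-outs are honored without it (assumption).
VERIFY_REQUIRED = {RequestType.ACCESS, RequestType.CORRECT, RequestType.DELETE}


@dataclass
class Request:
    request_id: str
    rtype: RequestType
    jurisdiction: str
    received: date
    verified: bool = False
    extended: bool = False
    needed_for_contract: bool = False  # triggers the deletion exception


def deadline(req: Request) -> date:
    """Due date, including the extension if one has been taken."""
    base, ext = DEADLINES[req.jurisdiction]
    return req.received + timedelta(days=base + (ext if req.extended else 0))


def extend(req: Request, today: date, reason: str) -> date:
    """Take the single permitted extension; notice must go out before the initial deadline."""
    if req.extended:
        raise ValueError(f"{req.request_id}: extension already used")
    if today > deadline(req):
        raise ValueError(f"{req.request_id}: initial deadline passed, cannot extend")
    if not reason:
        raise ValueError("extension notice must state a reason")
    req.extended = True
    return deadline(req)


def fulfill(req: Request, today: date) -> dict:
    """Validation/exemption plus fulfillment; returns the record to keep."""
    if req.rtype in VERIFY_REQUIRED and not req.verified:
        # Disclosing or deleting on an unverified request is itself a breach.
        raise PermissionError(f"{req.request_id}: identity not verified")
    if req.rtype is RequestType.DELETE and req.needed_for_contract:
        result = "denied: data needed to perform existing contract (access/correction still available)"
    else:
        result = "fulfilled"
    return {
        "request_id": req.request_id,
        "type": req.rtype.value,
        "received": req.received,
        "due": deadline(req),
        "late": today > deadline(req),
        "result": result,
        "responded": today,
    }


class Ledger:
    """Recordkeeping: hold request records for the retention period."""

    def __init__(self) -> None:
        self.records: list[dict] = []

    def add(self, record: dict) -> None:
        self.records.append(record)

    def purge(self, today: date) -> int:
        """Drop records responded to more than RETENTION ago; returns how many were dropped."""
        keep = [r for r in self.records if today - r["responded"] <= RETENTION]
        dropped = len(self.records) - len(keep)
        self.records = keep
        return dropped


def demo() -> Ledger:
    """Constructed sample requests walked through the phases."""
    ledger = Ledger()
    access = Request("IRR-001", RequestType.ACCESS, "us_state", date(2024, 1, 10))
    try:
        fulfill(access, date(2024, 1, 12))  # not yet verified: refused
    except PermissionError:
        pass
    access.verified = True
    extend(access, date(2024, 2, 20), "records held by a third-party processor")
    ledger.add(fulfill(access, date(2024, 3, 15)))

    delete = Request("IRR-002", RequestType.DELETE, "gdpr", date(2024, 3, 1),
                     verified=True, needed_for_contract=True)
    ledger.add(fulfill(delete, date(2024, 3, 20)))  # exception: denied with reason

    optout = Request("IRR-003", RequestType.OPT_OUT_SALE, "us_state", date(2024, 3, 5))
    ledger.add(fulfill(optout, date(2024, 3, 6)))  # no verification required
    return ledger


if __name__ == "__main__":
    for rec in demo().records:
        print(rec["request_id"], rec["type"], rec["due"], rec["result"])
```

The point of the guard in `fulfill` is that the workflow, not the operator, refuses to release or destroy data before verification; a real implementation would also record who verified the request and how, since that evidence is what you will be asked for if a fulfilled request turns out to have been fraudulent.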
Is privacy training required?
Yes. Several privacy laws now require it. You need to train every employee responsible for handling consumer questions about your information practices and privacy compliance on (1) the requirements of the applicable privacy laws and (2) how to direct consumers to exercise their rights under those laws.