Privacy Rights

Fiber optic strands
Privacy Rights

How Red Clover Can Help Your Organization

Privacy Rights

The Red Clover Way

Global business
Privacy Rights

How We Help

Privacy Rights

Managed Services

Privacy Rights

Key Activities

Scoping & discovery
Develop policies, process, and procedures
Software implementation
Maintenance, updates, and ongoing assessments

Frequently Asked Questions

What are Individual Rights Requests (IRRs)?

Individual Rights Requests (IRRs), also called Privacy Rights Requests or Data Subject Access Requests (DSAR), are requests from Individuals asking you about their Personal Information. The main types of requests are below.  Note this is not a complete list of privacy rights requests.

Know (Access) my Personal Information

Correct my Personal Information

Delete my Personal Information

There are also opt-out requests, such as:

Opt out of the sale or sharing of my Personal Information

Opt out of targeted advertising, profiling and/or automated decision-making

Limit the use or disclosure of my Sensitive Personal Information

Do I need to respond to IRRs?

Most privacy laws state the threshold requirements for when you need to honor IRRs. For example, under many US state laws, you need to process the Personal Information of a certain number of that state’s residents and/or meet a revenue dollar amount. Under global privacy laws, such as GDPR, you will need to respond if you are collecting or using the Personal Information of residents of those countries.

Do I have to tell people how to submit a request?

Yes. You will need to provide a way to submit a request based on how you typically do business with them. For example, if you have a website and a physical location, you need to provide a way to submit a request in both places. This could be a link to a webform on your website, and a posted notice with a QR code to the webform at the physical location. Some jurisdictions, like California, also require you to provide a toll-free number in most circumstances unless the company operates solely online.

How long do I have?

The jurisdiction sets the timeframe to respond. US state laws typically give 45 days to fulfill a request, with an additional 45-day extension if needed. Global privacy laws most often provide 30 days to fulfill a request, with an additional 60-day extension if needed. For those jurisdictions offering an extension, you must give notice of the extension and the reason for it within the initial response due date.

What are the key steps?

The key phases in an IRR process are: intake, verification, validation/exemption, fulfillment, response, and recordkeeping.

  • Intake: Provide a way for Individuals to submit a request, such as a webform, dedicated privacy email address, or toll-free number.
  • Verification: Verify that the Individual submitting the request is who they say they are, and you actually have their Personal Information.
  • Validation/Exemption: Validate the request is in-scope for your privacy program (e.g., meets jurisdiction requirements) and review for any legal exemptions (e.g., data or entity level exemptions may be available for health or other types of data if covered by another protective law) or exceptions (e.g., you may not have to delete an Individual’s data if you need it to honor an existing contract with them; however, you still would need to correct it or give access to it).
  • Fulfillment: Process their request by providing access to, creating a report about, correcting or deleting/anonymizing Personal Information.
  • Response: Respond to the Individual letting them know you fulfilled their request or telling them why you couldn’t fulfill their request (e.g., an exemption applied). Some jurisdictions also require you provide information about appeal the denial of a request.
  • Recordkeeping: Keep records of the requests, including date of receipt, type of request, results, and date of response. Some jurisdictions require you keep these records for two years.
Are there any other key requirements I should know?

Yes. Privacy training is now required. You need to train all employees responsible for handling consumer questions about your information practices and privacy compliance, including (1) privacy law requirements and (2) how to direct consumers to exercise their rights under the applicable laws.