Privacy and data protection laws give individuals certain rights over their personal information. These privacy rights, also known as data subject rights, allow individuals to control what businesses and their partners know about them and how they use that information.
How Red Clover Can Help Your Organization
Red Clover Advisors assists organizations in establishing streamlined processes for taking in and responding to privacy rights requests in compliance with applicable privacy laws, including:
- Right to access
- Right to portability
- Right to correct
- Right to object
- Right to delete
- Right to restrict
- Right to limit use of Sensitive Personal Information (SPI)
- Right to limit use of automated decision making
The Red Clover Way
The GDPR made popular the phrase “data subject rights” in 2018. CCPA has many of these same rights, but calls them consumer rights, adding to the confusion. We think it’s a great idea, but we’re not big fans of either name. So we use Privacy Rights instead, because it’s important to remember that people are at the heart of these rights, not data subjects or consumers. And these are people, who probably have a relationship with your company – your customers, employees, family, prospects, and stakeholders. It’s important to tell them what rights they have and make it easy and clear for them to exercise those rights.
How We Help
To comply with applicable privacy regulations, we help companies build streamlined processes, policies, and training programs to ensure compliance with privacy rights obligations. We help with:
- Privacy rights policy creation
- Privacy rights process (determine and create)
- Privacy rights playbook documentation
- Privacy rights privacy management software implementation
- Privacy rights Training
Managed Services
Our PrivacyOps® Managed Services Team can help you manage these processes, policies, and programs or support them on an ongoing basis.
Key Activities
Scoping & discovery
Develop policies, process, and procedures
Software implementation
Training
Maintenance, updates, and ongoing assessments
Frequently Asked Questions
Individual Rights Requests (IRRs), also called Privacy Rights Requests or Data Subject Access Requests (DSAR), are requests from Individuals asking you about their Personal Information. The main types of requests are below. Note this is not a complete list of privacy rights requests.
Know (Access) my Personal Information
Correct my Personal Information
Delete my Personal Information
There are also opt-out requests, such as:
Opt out of the sale or sharing of my Personal Information
Opt out of targeted advertising, profiling and/or automated decision-making
Limit the use or disclosure of my Sensitive Personal Information
Most privacy laws state the threshold requirements for when you need to honor IRRs. For example, under many US state laws, you need to process the Personal Information of a certain number of that state’s residents and/or meet a revenue dollar amount. Under global privacy laws, such as GDPR, you will need to respond if you are collecting or using the Personal Information of residents of those countries.
Yes. You will need to provide a way to submit a request based on how you typically do business with them. For example, if you have a website and a physical location, you need to provide a way to submit a request in both places. This could be a link to a webform on your website, and a posted notice with a QR code to the webform at the physical location. Some jurisdictions, like California, also require you to provide a toll-free number in most circumstances unless the company operates solely online.
The jurisdiction sets the timeframe to respond. US state laws typically give 45 days to fulfill a request, with an additional 45-day extension if needed. Global privacy laws most often provide 30 days to fulfill a request, with an additional 60-day extension if needed. For those jurisdictions offering an extension, you must give notice of the extension and the reason for it within the initial response due date.
The key phases in an IRR process are: intake, verification, validation/exemption, fulfillment, response, and recordkeeping.
- Intake: Provide a way for Individuals to submit a request, such as a webform, dedicated privacy email address, or toll-free number.
- Verification: Verify that the Individual submitting the request is who they say they are, and you actually have their Personal Information.
- Validation/Exemption: Validate the request is in-scope for your privacy program (e.g., meets jurisdiction requirements) and review for any legal exemptions (e.g., data or entity level exemptions may be available for health or other types of data if covered by another protective law) or exceptions (e.g., you may not have to delete an Individual’s data if you need it to honor an existing contract with them; however, you still would need to correct it or give access to it).
- Fulfillment: Process their request by providing access to, creating a report about, correcting or deleting/anonymizing Personal Information.
- Response: Respond to the Individual letting them know you fulfilled their request or telling them why you couldn’t fulfill their request (e.g., an exemption applied). Some jurisdictions also require you provide information about appeal the denial of a request.
- Recordkeeping: Keep records of the requests, including date of receipt, type of request, results, and date of response. Some jurisdictions require you keep these records for two years.
Yes. Privacy training is now required. You need to train all employees responsible for handling consumer questions about your information practices and privacy compliance, including (1) privacy law requirements and (2) how to direct consumers to exercise their rights under the applicable laws.