A simple request arrives in your customer service inbox: “Please tell me what data you hold about me and where you got it.” Short, sweet, and loaded with legal landmines.
Commonly called a Data Subject Access Request (DSAR), this seemingly innocuous message needs to be addressed promptly and prudently.
While businesses subject to the General Data Protection Regulation (GDPR) may already be familiar with DSARs, such requests will become far more common with the implementation of the California Consumer Privacy Act (CCPA), Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados or LGPD), and similar data protection laws that grant individuals access rights.
In anticipation of the new wave of DSARs to arrive in 2020, here’s a short list of dos and don’ts for the uninitiated.
DO establish a process. If your organization doesn’t already have in place a process for handling access requests, consider creating a standardized intake form along with an internal workflow for the evaluation and fulfillment of such requests. The intake form may include a means for fulfilling and tracking other consumer rights (such as the right to delete), but establishing a protocol for responding to customer requests is key.
Even if you have a standardized process in place, train employees to recognize DSARs submitted through alternative channels (such as mail and telephone) and make sure that those non-standardized requests get funneled into the appropriate workflow in a timely manner.
Also, you may want to establish a separate process for DSARs from employees and ex-employees, as those requests may involve data that includes privileged communications, trade secrets, and the personal data of other employees.
DON’T ignore. DSARs are time-sensitive, triggering an obligation to respond within a fixed period. The GDPR requires organizations to respond “without undue delay and in any event within one month of receipt of the request.” GDPR Art. 12(3). Businesses subject to the CCPA must respond within 45 days (Cal. Civ. Code § 1798.130(a)(2)), and the CCPA’s draft regulations propose an additional requirement to confirm receipt of any request within 10 days (11 CCR § 999.313(a)). Brazil’s LGPD requires a response within 15 days. LGPD Art. 19.
Also, be sure to know what action starts the clock by reviewing the applicable laws and regulatory guidance.
The U.K.’s Information Commissioner’s Office (ICO), for example, notes that the GDPR’s one-month deadline is calculated from either (1) the receipt of the request or (2) the receipt of information that clarifies the request or confirms the identity of the requestor.
In contrast, the CCPA’s draft regulations propose that the 45-day period “will begin on the day that the business receives the request, regardless of time required to verify the request.” 11 CCR § 999.313(b).
DO know which law applies. While the GDPR, CCPA, and LGPD all create rights of access, not every privacy law does, and other laws may apply to certain data sets.
In France, for example, some requests for health data may be governed by Article L1111-7 of the Code of Public Health, which requires a response within eight days. And in the U.S., HIPAA’s Privacy Rule establishes that a covered entity must act on access requests within 30 days. 45 C.F.R. § 164.524(b)(2).
Nevada’s newly enacted SB 220, which grants consumers the right to block the sale of personally identifiable information by website operators, does not give consumers a right to access that information. But does that mean that businesses subject to the Nevada law should ignore access requests?
Probably not. Even though a specific response is not legally required, companies should consider providing a response that, at the very least, refers to the organization’s privacy practices as set forth in its privacy statement. Given consumers’ heightened sensibilities about personal data, even a limited response will go a long way to fostering good customer relationships.
DON’T hand over anything without verification. Disclosing personal information without first verifying the identity of the requestor is itself a data breach: an impostor who can pose as the data subject gets a complete, neatly packaged copy of that person’s file, and the organization that sent it is the party liable for the disclosure.
Perhaps in recognition of this potential liability, the CCPA requires a business to disclose information “upon receipt of a verifiable consumer request” (Cal. Civ. Code § 1798.100(c)), and the CCPA’s draft regulations propose rules governing verification. But not all privacy laws have verification built in.
While the GDPR does permit controllers “to request the provision of additional information necessary to confirm the identity of the data subject” (GDPR Art. 12(6)), businesses should be wary of collecting too much information. As the ICO advises, “it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality.”
Also, it’s a good idea to know whether the requestor is an employee or former employee. Not only will it be easier for you to locate the pertinent information, but it will also alert you to follow an alternative, employee-specific response procedure.
DO request clarification. Upon receipt of a broad access request, it is permissible to request clarification or ask for a narrowing of the scope to a specific data set or time frame. This could be especially helpful in the context of an employee access request, as employees may be looking for information related to a specific issue.
Still, you are obliged to provide only what is requested. Even though GDPR Art. 15, for example, lists various types of information that data subjects are entitled to request, it does not say that controllers must provide all of that information in every instance.
Moreover, many of the items listed in GDPR Art. 15—such as information concerning the right to lodge a complaint with a supervisory authority—would likely already be included in your public privacy statement.
DO expect additional developments. While the U.K., Ireland, and France have already issued guidance on DSARs, look for forthcoming guidance from the European Data Protection Board (EDPB). Sidley Austin reported on a recent EDPB stakeholder event that raised concerns about access and other data subject rights.
In the U.S., it remains to be seen whether the final version of the CCPA regulations will differ significantly from the draft. But several bills recently introduced in the U.S. Senate (such as the Consumer Online Privacy Rights Act and the Consumer Data Privacy Act) contain provisions granting consumer access rights, so a uniform federal standard may indeed be on the horizon.