To get insight into the effect data privacy regulations have on the compliance activities of organizations, we conducted a short survey* at the end of 2019. In the previous blog, we talked about the high number of companies that, although they collect data on EU citizens or do business in California, are still not compliant with the 20-month-old GDPR and the recently implemented CCPA. In this blog, I will dive a little deeper into the specific challenges that come with these privacy regulations.
Companies overall seem to struggle to remain compliant in an evolving regulatory landscape. Updating corporate policies to comply and improving security controls are named as challenges.
Interestingly, more than 12 percent of the respondents identify responding to requests as one of the biggest challenges in maintaining a state of readiness for privacy regulations.
Both privacy regulations give individuals important rights: the “Right of Access” (GDPR) or “Right to Know” (CCPA), and the “Right to be Forgotten” (GDPR) or “Right to Delete” (CCPA). As a result, requests under these rights have increased dramatically over the past year. Every organization is obliged to comply with these rights as well as possible and within the strict period of (usually) 30 days. In a previous blog, we discussed the steps that you can take to limit the impact of data subject access requests (DSARs) on your organization.
We also asked the respondents how they handle access requests. Almost half of the respondents seem to use a combination of manual and technology solutions.
On average, technology-using respondents rate the performance of their current solution at 3.8 out of 5.
Twenty percent of the respondents have only manual processes in place, and an alarming 11% have no (clear) idea of how data privacy requests are being handled within their organization.
As a technology vendor, I see only one future-proof way to effectively handle access requests. Using advanced search technology is the only way to collect the necessary information completely and quickly. Technology is also needed to protect the privacy of people other than the requester. The requester is only entitled to see his or her own Personally Identifiable Information (PII). All personal data of others and any confidential information must be redacted completely.
If you want to view all stats of our survey, you can follow this link to download the full infographic with all survey results. In the next blogs, I will discuss in more detail how legal professionals deal with the challenges of privacy regulations.
* The outcome of this survey is provided for informational purposes only, and should not be construed as (legal) advice on any subject matter. ZyLAB expressly disclaims all liability in respect to actions taken or not taken based on any or all the outcomes of this survey.