Think of all the “personally identifiable information (PII)” that lives in the systems and file shares of your organization. PII about your customers. Your colleagues. Your business partners. Many terabytes of documents, emails, recorded telephone calls and online meetings. Now imagine you receive a written request from a former colleague who wants to know exactly what PII you keep about him. Would you know? And would you be able to hand over all of that PII to him within one month? Without compromising the privacy of anyone else? You had better be able to do just that, because this is exactly what Article 15 of the General Data Protection Regulation (GDPR) demands of you.
Article 15 of the GDPR gives people the “Right of Access”. This right means that any data subject - an identified or identifiable natural person - can ask your organization whether or not it is processing their personal data. If it is, they can ask for a copy of that personal data, to be handed over within one month of the request.
Handling these so-called “Data Subject Access Requests” (DSARs) is labor-intensive and costly for organizations that are unprepared.
Why do people issue a Data Subject Access Requests?
Sometimes the reason for a DSAR is simple. A customer is switching to a different provider, supplier or dealer and therefore asks for a copy of all personal data related to his purchase and shipping history, followed by a request to delete it, from the company of which he is no longer a customer.
Sometimes a request is made out of privacy concerns. The number of organizations involved in data privacy incidents and scandals keeps growing. Concerned consumers submit DSARs to see what data of theirs is being collected, what data is potentially at risk, and whether they should follow the access request with an erasure request (the right to be forgotten).
An increasing number of DSARs also come from individuals involved in employment disputes or other legal matters, who use the request to put pressure on the organization or to obtain disclosure before raising a claim.
The Access Request
The first thing you receive from the data subject is a written request. Regulatory agencies advise citizens to submit access requests in writing, so they always have a clear trail of the steps taken. Many European governments now offer sample letters on their websites.
In most cases, the requester will ask you to tell them:
- What personal data concerning him or her you have stored;
- What the purposes of the processing are;
- Which categories of personal data are concerned;
- Who the recipients (or categories of recipients) are to whom the personal data have been or will be disclosed;
- For what period the personal data will be stored or, if that cannot be stated, the criteria used to determine that period;
- Whether automated decision-making, including profiling, takes place and, if so, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The right of access is an important part of the GDPR, and the number of access requests has increased dramatically over the past year as a result. Every organization is obliged to honor this right as fully as possible and within the strict period of one month. Fortunately, there are steps you can take to limit the impact of DSARs on your organization.
- Determine and limit the scope of the Access Request
The requester should indicate as precisely as possible which information the access request covers. If this is not entirely clear, or if the request is very broad, you can (in consultation with the requester) try to re-determine its size and, where possible, narrow the scope. Recital 63 of the GDPR allows you to ask a data subject to specify which information or processing activities the request relates to when you process a large quantity of information about them, but a broad request cannot be refused on that ground alone. In this conversation you can also discuss what to look for exactly and agree on key words.
By running the agreed key words and search queries, you get a quick first insight into the scope of the request.
If the request is still complex, or if the requester has sent several requests, the response period may be extended by up to two further months (Article 12(3)). You do, however, need to notify the requester within the initial month and give them clear reasons for the extension.
- Prepare standard responses for Access Requests
For the answers to many of the general questions, you can refer to your retention policy and privacy statement. These should state what data you keep and destroy, for what reason and for what (lawful) period, and should also describe your policies and procedures for data and privacy protection.
Preparing standard answers already saves you a lot of time. The greatest time saving, however, comes from using the right technology.
- Use technology to collect PII
Retrieving personal data from structured systems is usually not the problem. The challenge is the information in e-mails, recorded telephone and online conversations and all other forms of communication. This is not limited to correspondence with your own colleagues: you will also have to search the conversations and communication about the requester that your organization has had with employees of other organizations.
Search technology is the practical way to collect this information completely and quickly. After you have determined the search terms (if needed after additional consultation) and selected the data sources (mailboxes, SharePoint libraries, home and department shares, etc.), you can search for entities such as names, email addresses and telephone numbers. Do not forget to include possible nicknames, aliases and common misspellings.
Technology has very clear advantages:
- Collect information directly from the relevant sources (Microsoft Office 365, mailboxes, file shares, projects in SharePoint);
- De-duplicate the information: in many collections up to 80% of the documents are duplicates, and eliminating those automatically saves a huge amount of review work;
- Automatically unpack containers of files (ZIP, PST, NSF) and make every individual component searchable;
- Enrich non-searchable data such as images, scans, non-searchable PDFs or media files (for example by OCR or speech-to-text), so every component can actually be searched;
- Analyze, classify and organize information for fast review;
- Use automatic redaction technology (“Find and Redact”) to anonymize or pseudonymize personal and confidential information;
- Automatically convert all electronic file formats to one common format for production to the requester, with burned-in redactions.
- Use technology to protect PII
When answering an access request, the privacy of people other than the requester must always be guaranteed. The requester is only entitled to see his or her own PII. All personal data of others, and any confidential information, must be redacted.
This can be done in different ways (anonymization or pseudonymization), but it is important that it is done efficiently and quickly. Keep in mind that pseudonymized data is still personal data under the GDPR: the mapping between real identifiers and their pseudonyms must stay inside your organization and must never be produced to the requester. Automatic redaction of selected entities (such as names, telephone and IBAN numbers, email addresses etc.) is perhaps the most valuable functionality of an eDiscovery solution.
The remaining data set is now ready for a final review by in-house counsel or another lawyer. Make sure you have scheduled him or her in time to avoid unnecessary delays.
After the final review, the data set is ready and can be automatically converted to PDF so that all redactions are burned in. The requester then receives the information they asked for in a format they can easily review.
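The collection and redaction steps described above (entity search with nickname and misspelling tolerance, de-duplication, and “Find and Redact” with pseudonyms that stay consistent across the whole production set) can be tried out on a small scale with plain Python. The following is an added example, not code from the original article or from any eDiscovery product. It assumes that the requester's identifiers and the list of third-party names have been agreed with the requester and the reviewing lawyer beforehand, and the five sample documents are constructed for this illustration.

```python
import difflib
import hashlib
import re
from collections import Counter
from dataclasses import dataclass

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d ()-]{6,}\d")  # deliberately loose; hits need review


@dataclass
class Requester:
    names: list   # legal name plus agreed nicknames/aliases (assumed to come from the intake call)
    emails: set   # lower-case
    phones: set   # digits only, see norm_phone()


def norm_phone(s):
    return re.sub(r"\D", "", s)


# Constructed sample corpus (path, text); not real data. Entries 4 and 5 are duplicates.
DOCS = [
    ("mailbox/alice/inbox/0412.eml",
     "From: alice@example.com\nTo: jan.devries@example.com\n"
     "Jantje, order 4471 shipped today. Questions? Reply to this mail. -- Alice"),
    ("mailbox/bob/sent/0097.eml",
     "From: bob@example.com\nTo: alice@example.com\n"
     "Alice, Jan de Vris called from +31 6 1234 5678 about order 4471. Marie Dupont "
     "(marie.dupont@partner.example, +33 1 55 55 01 02) at the carrier is looking into it."),
    ("share/sales/notes.txt",
     "Carrier contact is Marie Dupont, +33 1 55 55 01 02. Q3 pipeline review tomorrow."),
    ("share/sales/notes (copy).txt",
     "Carrier contact is Marie Dupont, +33 1 55 55 01 02. Q3 pipeline review tomorrow."),
    ("mailbox/alice/inbox/0412 (1).eml",
     "From: alice@example.com\nTo:   jan.devries@example.com\n"
     "Jantje, order 4471 shipped today.  Questions? Reply to this mail. -- Alice"),
]


def dedupe(docs):
    """Drop exact duplicates by hashing whitespace-normalised text; keep the first path seen."""
    seen, kept = set(), []
    for path, text in docs:
        digest = hashlib.sha256(" ".join(text.split()).lower().encode()).hexdigest()
        if digest not in seen:
            seen.add(digest)
            kept.append((path, text))
    return kept


def name_hits(text, names, cutoff=0.9):
    """Fuzzy name search: compare each word n-gram with each name, so a misspelling
    ('Jan de Vris') or an agreed nickname still hits. Returns the matching n-grams for review."""
    words = re.findall(r"[^\W\d_]+", text)
    hits = set()
    for name in names:
        n = len(name.split())
        for i in range(len(words) - n + 1):
            cand = " ".join(words[i:i + n])
            if difflib.SequenceMatcher(None, cand.lower(), name.lower()).ratio() >= cutoff:
                hits.add(cand)
    return hits


def collect(docs, req):
    """Return the de-duplicated documents that concern the requester and which entity types matched."""
    found = []
    for path, text in dedupe(docs):
        reasons = set()
        if any(e.lower() in req.emails for e in EMAIL_RE.findall(text)):
            reasons.add("email")
        if any(norm_phone(p) in req.phones for p in PHONE_RE.findall(text)):
            reasons.add("phone")
        if name_hits(text, req.names):
            reasons.add("name")
        if reasons:
            found.append((path, text, reasons))
    return found


class Pseudonymizer:
    """Find-and-redact: every e-mail address, phone number and listed third-party name that is not
    the requester's becomes a stable token. The token map stays with the controller and is never
    produced, so the output is pseudonymised (still personal data), not anonymised."""

    def __init__(self, req, third_party_names):
        self.req, self.third_party_names = req, third_party_names  # names list is reviewer-supplied
        self.map, self.counts = {}, Counter()

    def token(self, kind, value):
        key = (kind, value.lower())
        if key not in self.map:
            self.counts[kind] += 1
            self.map[key] = f"[{kind}-{self.counts[kind]}]"
        return self.map[key]

    def redact(self, text):
        text = EMAIL_RE.sub(lambda m: m.group(0) if m.group(0).lower() in self.req.emails
                            else self.token("EMAIL", m.group(0)), text)
        text = PHONE_RE.sub(lambda m: m.group(0) if norm_phone(m.group(0)) in self.req.phones
                            else self.token("PHONE", norm_phone(m.group(0))), text)
        for name in self.third_party_names:
            text = re.sub(r"\b%s\b" % re.escape(name), lambda m: self.token("PERSON", name),
                          text, flags=re.IGNORECASE)
        return text


def produce(docs, req, third_party_names):
    """Collect, then redact: returns [(path, redacted_text)] ready for the final legal review."""
    ps = Pseudonymizer(req, third_party_names)
    return [(path, ps.redact(text)) for path, text, _ in collect(docs, req)]


if __name__ == "__main__":
    requester = Requester(names=["Jan de Vries", "Jantje"],
                          emails={"jan.devries@example.com"}, phones={"31612345678"})
    for path, text in produce(DOCS, requester, ["Alice", "Bob", "Marie Dupont"]):
        print(path, text, sep="\n", end="\n\n")
```

Run as-is, the script keeps three of the five documents after de-duplication, selects the two that mention the requester (one via his e-mail address and nickname, one via a misspelled name and his phone number), and produces them with the colleagues' and the carrier contact's identifiers replaced by `[EMAIL-n]`, `[PHONE-n]` and `[PERSON-n]` tokens, while the requester's own e-mail address and phone number are left readable. Two caveats a reviewer would add: fuzzy name hits and the loose phone pattern both produce false positives (order numbers, dates) and must be checked before production, and the token map held by `Pseudonymizer.map` is the re-identification key, so it is kept with the controller and never shipped.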
The California Consumer Privacy Act (CCPA)
On June 28, 2018, California became the first U.S. state with a comprehensive consumer privacy law when it enacted the California Consumer Privacy Act of 2018. The CCPA becomes effective on January 1, 2020. It enhances the privacy rights and consumer protection of California residents.
The CCPA provides individual rights to data access, erasure and opting out of the sale of personal data, similar to those of the GDPR. Under the CCPA, California residents have the right to know what personal data is being collected about them and the “right to access” it.
Companies that are already prepared for the GDPR will have an advantage in addressing the CCPA, but the CCPA is not simply an American version of the GDPR. This short “cheat sheet” compares the main aspects of the two regulations.