Tips for Handling Right of Access Requests for CCPA and GDPR

Privacy laws such as the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR) work by providing certain rights to individuals, formally known as “data subjects.” 

Those rights govern how businesses can use personally identifiable information that the businesses collect about data subjects; some of those rights include:

• Right of access
• Right to deletion request
• Right to correct inaccurate data
• Right to opt-in/opt-out
• And more

What are Data Subject Access Requests (DSARs)?

The Right of Access provides that data subjects may request access to all the data an organization has collected about the subject, in addition to any supplemental information on how that data is used. This allows consumers to have greater visibility into what personal data has been collected about them, and for what commercial purposes.

Data that can be included in a subject access request includes:

• Name and aliases
• Address and phone number
• Personal or online identifiers
• IP address
• Email address
• Social Security number
• Driver’s license number
• Passport number
• And more

Tips for Handling Right of Access Requests Under the GDPR

The GDPR became law across the European Union in 2018. The GDPR mandates the protection of personal data and privacy for citizens in the European Union and the European Economic Area (EEA). Should your organization do business with citizens or the EU/EEA, you need to comply with GDPR. 

Under the GDPR, consumers can submit a right of access request to your organization. You must then provide any data you have that pertains to that consumer, plus any other information pertaining to how that data is used. 

Here are a few tips for how you can handle right of access requests under GDPR:

• Include the purpose for collecting the personal data in the first place. 
• Explain how the data was collected, such whether from the data subject directly or otherwise.
• Disclose any parties that the personal data is shared with, including categories of those third parties.
• Disclose the timeframe for data retention and how that timeframe is decided.
• Explain the consumer’s right to correction or erasure of that data.
• Explain the consumer’s right to submit a complaint to the Information Commissioner’s Office (ICO) or another supervisory authority.
• Explain how decision-making about the use of personal data works.
• Disclose any safeguards in place for data portability and protection against a data breach.

Tips for Handling Right of Access Requests Under the CCPA

The CCPA is intended to protect the personal information of California residents, and extends to a large swath of Americans no matter where they live. 

It requires businesses to respond to a consumer’s right of access request, as well as to any “Do Not Sell My Personal Information” requests under the law. Moreover, the California attorney general has decreed that businesses must authenticate the request to verify that the request has been made by the consumer or an authorized representative. 

Personal information under the CCPA includes many of the examples we mentioned above for the GDPR. The law also specifically defines consumer data as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The following are a few tips to help your organization respond to a right of access request under CCPA:

• Disclose any personal identifiers you have on file associated with the data subject including biometric data.
• Share an audit of any electronic activity you’ve collected on a data subject including browsing history, search history, and so forth.
• Disclose any information on the subject’s activities including property ownership, products or services purchased or considered, consumption history, and behavioral patterns.
• Include any information collected regarding employment or education.
• Disclose any geolocation tracking data.
• Disclose any audio, visual, thermal, olfactory, electronic, or other information collected pertaining to the data subject.
• Any profiling information collected or determined about the data subject including consumer preferences, psychological data, beliefs, intelligence, abilities, and the like

It’s important to note that the CCPA provides an exemption for information that’s made lawfully available through any federal, state, or local government regulatory agency. This is also referred to as “publicly available information.”

How ZenGRC Can Help You Handle Right of Access Requests for CCPA and GDPR

Privacy laws and regulations aren’t just here to stay; they are going to keep proliferating in the future. As rights for consumers are more clearly specified, compliance with those requirements will become ever more complicated. 

Meanwhile, failing to comply with a data access request can infringe on the rights of consumers, which can result in lawsuits, hefty fines, and reputation harm for your business.

Many organizations currently use manual methods like spreadsheets to track the fulfillment of data subject access requests. While this may satisfy the requirements in the short run, this method isn’t sustainable long term. With the potential for zettabytes of data flowing into and out of organizations, you will need a more scalable method for the authentication of, and response to, consumer requests.

ZenGRC is a risk and compliance management platform that can help you establish, monitor, and manage your GDPR and CCPA compliance program, including your data access request workflows. 

ZenGRC eases the burden for your data controller by helping to automate the integration of regulatory requirements into your audit and monitoring programs and show you, at a glance, how your organization stands against compliance requirements at any given time.

Worry-free compliance is the Zen way! Get your free consultation today.