Exterro: A visual guide to Data Subject Access Requests (DSARs)
Data privacy regulations like the newly launched California Consumer Privacy Act (CCPA) make observing days like today—Data Privacy Day in the U.S., Canada, Israel, and 47 other countries—particularly relevant. Given the scope of these new privacy regulations, countless companies and individuals will be affected by the CCPA in one way or another. That said, the international effort to empower individuals and encourage businesses to respect privacy and safeguard data is an honorable one.
But for many companies, these laws can create massive headaches. According to a Gartner study from last year, the average cost to respond to just one request is about $1,400. Multiply this by the dozens—or perhaps hundreds—of requests that some companies anticipate receiving in a given week, and you can see that this represents a significant potential impact on employee time and company resources.
Because Data Subject Access Requests (DSARs) can involve some complex workflows, we’ve created a visual guide that includes a process for how your organization can answer these requests. Many mid- and large-size corporate legal departments have access to e-discovery technology, which they can utilize to initiate and deliver DSAR requests within the 45-day time window required by the CCPA.
The Similarities Between E-Discovery & Privacy Processes
- Processing data from both an e-discovery and data privacy standpoint is very similar, but reviewing that data, along with redacting and monitoring changes to the data, will be more difficult.
- Searching for personal information that’s potentially relevant to a data request, and having a data inventory connected into this process, are essential to focusing your efforts so you can manage the process end-to-end while avoiding missteps.
- Data mapping/inventory: Thinking about how you handle your data from a business process standpoint is a big step for many companies to take. It’s also a beneficial exercise to get used to knowing which business units will be most affected by data privacy requests—and you may find that restructuring some business units becomes necessary from an efficiency standpoint.
The Differences Between E-Discovery & Privacy Processes
There will also be cases where e-discovery and data privacy processes clash. While data privacy regulations may be more centered around deleting data, businesses that face litigation may actually have a duty to preserve data if the possibility of litigation becomes apparent. In some cases, companies that don’t keep data that they had a duty to preserve could face sanctions. It’s a fine line for some companies to walk, but having a tight, reliable process is one of the first steps yours can take to help ensure defensibility with both privacy regulations and e-discovery requirements.