Blog Post

The Route to an Automated Data Subject Request (DSR) Process

Aug 19, 2022

When California passed the California Consumer Privacy Act (CCPA) in 2018, it put data privacy on the map in the U.S. But many companies quickly realized their data was all over the map, creating challenges to meet compliance obligations of the new law.

One of the basic rights of the major privacy laws around the world is the ability for consumers to submit a request – known as a Data Subject Request (DSR) – to see the data a company holds about them, as well as the ability to ask for their information to be deleted. While the request may seem straightforward, the process becomes more complex when considering a simple fact of business today: Data can be anywhere and everywhere within a company’s electronic systems and databases.

The typical business, regardless of size, collects data in one or all of three ways: from customers themselves, such as when they sign up for a newsletter or marketing offers; by tracking customers online; and by adding data from third-party sources to build a more personalized profile of customers. This data, then, can be held in multiple repositories across multiple departments of an organization.

Anyone with any kind of relationship with a company can submit a DSR, including existing and prospective customers, employees, contractors, job candidates, donors, and in some cases, “authorized agents,” such as a parent or guardian requesting information on a minor, or a friend or family member assisting an older relative. According to a leading technology research and consulting firm [1], it costs a company on average $1,500 to process a single DSR, raising the cost of compliance from an avoidable penalty to a financial burden. At this rate, organizations that processed DSRs manually during the first year when CCPA was implemented spent approximately $192,000 per million identities to process and fulfill DSRs.

As companies collect more data, retain data for longer periods of time, and are subject to a growing number of data privacy laws, one solution has emerged to control costs and ensure compliance with the growing number of requests: an automated DSR process.

Two Sides of the DSR Process

Depending on the jurisdiction of the privacy law, data subjects may make a DSR by almost any method, including online, email, letter, or phone. Most DSRs are initiated through a link from a company’s privacy policy or website. From the perspective of the consumer, the process seems simple and transparent:

  • A consumer makes the request through their preferred channel.
  • The company receiving the request will verify the identity of the individual, frequently through a multi-factor authentication process.
  • The consumer selects the type of DSR they’d like to make: see the data the company holds about them (“access”) or delete their data.
  • The company responds with a confirmation that the DSR has been received.
  • The consumer receives a report within the timeframe established under the specific regulation.

On the side of the company processing the DSR, however, the situation is more involved, with added layers of complexity depending on the amount of data a company holds, the number of databases where the information resides, and the web of third parties with which the company has shared or sold data. For example, one financial services company disclosed [2] that it shares customer data with hundreds of entities around the world.

At the heart of the automated process is an Administrator Console, which serves as the hub to provide visibility into the DSR journey. A basic automated DSR process generally follows this path:

  • When the consumer submits the request and specifies the type – access or delete – the workflow to process the request is defined by the system.
  • Because each privacy law regulates the length of time in which the request must be completed, the workflow adjusts for compliance.
  • Then the system must collect the data from internal databases, as well as from every third party with which the company has shared or sold data.
  • Once the data is collected, the information is collated into a report delivered to the consumer.

While the basic steps of an automated process may be similar among platforms, the value of automation lies in its ability to reduce or eliminate unnecessary manual processes, and some platforms perform much more efficiently than others. Notably:

  • A comprehensive data mapping system will provide visibility into how data flows in and out of a company’s databases, including the third parties receiving the data.
  • A highly effective automated DSR process will easily pull in personal data held by third parties, rather than requiring a company either to reach out manually or develop computer code for this purpose.
  • Any data subject request typically will require some type of human intervention at certain points in the process, so an automated system should have “pauses” built in to check for exceptions. For example, companies don’t typically need to provide every piece of information about the data subject, such as any internal notes about a subject’s account with the company, so a pause allows for a manual review to remove this data.

In all cases, by automating the DSR process, your company also is creating a trail of activity to demonstrate compliance with privacy regulations.

The Relyance Difference

The Relyance AI platform provides a level of visibility into a company’s data flow that is unmatched in the industry. This data mapping is the foundation of the automated DSR process, ensuring a company can identify and collect the required data to complete the request, whether it’s for access or deletion. And unlike other automated DSR platforms, customers can customize the DSR workflow, rather than relying on add-on – and added-fee – services to complete what should become a routine process.

In addition, our automated DSR process significantly streamlines the collection of information from third parties: you check a box to select this part of the process rather than writing new code or manually contacting these outside sources. And built-in “pauses” provide checkpoints along the process so you can deliver not only an accurate report to your customer, but also a level of satisfaction that builds trust – and loyalty – to your business.

----------------------

  1. https://www.gartner.com/en/documents/4007899
  2. https://knowledge.wharton.upenn.edu/article/data-shared-sold-whats-done/#:~:text=But%20for%20companies%20that%20do%20sell%20their%20data%2C,issuer%2C%20car%20dealership%2C%20online%20shopping%20site%20and%20others.
