Organizations are increasingly becoming aware of the implications of new data privacy laws and regulations. It seems that everywhere we turn, we see a new state come out with a regulation, oftentimes modeling their data privacy laws off of other states. To really understand the implications of these laws, organizations need to go back to some old information governance principles and remain proactive in the implementation and use of best information governance practices.
As these new regulations come out, organizations need to pay attention to the individual’s rights, particularly when they’re collecting personal and sensitive information and need to respond to a Data Subject Access Request (DSAR). What exactly is a Data Subject Access Request? Individuals in certain states and within Europe have a right to access, right to be forgotten (deletion), right to correct information, and the right for portability. With this comes a major challenge for those that collect this information. How are they going to respond?
If an organization collects, stores, and processes personal and sensitive information and they receive a DSAR, they will need to be able to locate information related to the individual requesting that information. That sounds easy and basic on its surface, but some organizations have numerous data sources and endpoints where this information is stored. Historically speaking, organizations have been data hoarding for years. How can an organization prepare for the inevitable request to come in?
Well, the answer isn’t necessary completely black and white, but performing data discovery and inventorying data, classifying it, and developing a data map workflow is a start. How is this information useful? A data inventory will show the various systems and sources that store information. Each one will show the stated purpose and who the business owner of that particular database is. If a DSAR comes in, knowing who to go to for certain data makes it much more efficient. If an organization further classifies the data stored on the various systems, they’ll know if a source contains personal and/or sensitive information, so the individual handling the request can gather the data even more efficiently. Lastly, with a proper data map workflow, individuals can view the flow of the information throughout its organization from a high level, so the individual responding to the request can view it.
As mentioned, proper data discovery can also yield other benefits. If an organization is looking to lower its risk, the implementation of data minimization and a defensible retention schedule makes that much easier. Understanding where certain information is stored and what type of information the sources contain makes identifying data privacy risks substantially easier. But don’t hit that easy button just yet!
We challenge individuals to ask this question: why are we collecting personal and sensitive information to begin with?
Depending on the organization and its business goals and objectives, that answer may come easy, but it leads to inevitable: Do we really want to deal with lengthy and costly Data Subject Access Requests?