June 02, 2022

data privacy DSARs GDPR privacy Data Subject Request

As 2023 approaches, organizations must again address new and modified laws governing Data Subject Requests (DSRs). Of course, the rollout of additional privacy regulations has become almost routine. But as the growing number of jurisdictions empower individuals with the right to opt out of more types of processing and access, rectify, or delete personal data, the legal and operational challenges of these laws continue to accelerate. Organizations – especially those with lean privacy and legal ops functions – will need to be strategic in addressing the expanding regulatory burden.

With that in mind, we offer a few issues to address as you map out your next steps when it comes to DSRs.

Employee- and Business-Related DSR Requests

With the advent of the California Privacy Rights Act (CPRA), employee- and business-related DSRs will have come to the U.S. (although there are still some efforts to delay the implementation of those rights). Employee requests, in particular, can be very different from consumer requests in that they often require the collection and review of documents from a variety of internal systems and e-mails. Those documents must then be reviewed and redacted to ensure that other employees’ personal information is not included and that purely business information is not produced.

Obviously, introducing a litigation-like document review into the DSR response process can be quite the monkey wrench. Therefore, mapping out an approach – deciding what will be collected, produced, etc. – is key. A data map, processes, and the right technology are also a must. The last thing you want to do is go into crisis mode every time an employee (or their lawyer, if they are preparing to assert a claim) makes a request, i.e. scrambling to search every system, collect documents, review and produce them all within the statutory timeframe.

DSR Appeals Process

As if standing up a DSR process was not enough, various state laws going into effect in 2023 – including Colorado, Connecticut, and Virginia – will require businesses that decline to take action in response to DSRs to institute an appeals process. This appeals process will need to be conspicuously available. Moreover, if a consumer’s appeal is denied, the business also will have to provide the consumer with an online mechanism or other methods to contact the applicable attorney general to submit a complaint.

Updated Opt-Out Rights

Many U.S. businesses have spent the last couple of years trying to discern whether they “sell” data under the California Consumer Privacy Act (CCPA) and, if so, setting up processes to allow consumers to opt out of any data sales. In 2023, new state laws will expand the scope of consumers’ opt-out rights.

First, CPRA and new state laws in Colorado, Connecticut, Utah, and Virginia clarify that consumers have a right to opt out of processing personal data for targeted advertising purposes. Second, the newly arriving state laws – particularly Colorado, Connecticut, and Virginia – allow consumers to opt out of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an individual’s economic situation, health, and personal preferences, interests, or behavior – in other words, profiling. Third, the CPRA will allow consumers to opt out of the processing of certain sensitive personal information.

The result? Businesses will need to operationalize opt outs for a variety of different situations.

And, of course, dealing with these requirements goes beyond simply tracking opt-out requests. For example, organizations will need to determine which processes involve such automated decision making or profiling. If such processes involve data aggregation, they will need to be evaluated to determine how the exclusion of the opt outs affects their models. In short, these changes require a fresh look at what your organization does with the personal data it collects.

Right to Correction

Although it already has existed in the General Data Protection Regulation (GDPR), in 2023, the first U.S. state laws will go into effect – in California, Colorado, Connecticut, and Virginia – that allow consumers to correct inaccuracies in their data. Businesses will need to update their DSR forms as applicable to address this new right and operationalize correcting personal data as necessary.

Uniform or Specific Approach? 

DSR requirements have always varied somewhat from one jurisdiction to the next, and the new laws rolling out in 2023 are no different. For organizations that operate in multiple countries/states, the question is: do we have a uniform approach to DSRs, regardless of the legal rights of the data subject; or do we comply with the law of the jurisdiction for each individual?

On the one hand, a common approach for all DSRs is tempting. Let’s say an organization has all of its consumer data in a CRM and has implemented processes and systems that allow easy retrieval, deletion, and extraction of such data. If a consumer in, let’s say, Ohio requests access to their data, is it worth the trouble to deny them just because Ohio does not require it? After all, checking each state’s laws, updating them, and issuing a denial are all extra steps in an already burdensome process. Moreover, the new laws continue to raise awareness about consumer privacy rights and the expectations of customers who may not happily accept the fact that the business is rejecting their request because of their location.

On the other hand, employee DSRs can be extremely burdensome, especially if they require the review and redaction of hundreds or thousands of pages of e-mails and other business records. Voluntarily extending this right to your entire customer base or workforce may not make sense.

This decision requires a holistic review of the organization’s processes, customer and employee base, and resources.

****

The biggest takeaway from these changes is that the regulatory environment for privacy will continue to evolve in ways both big and small. Building a solid but flexible privacy framework of people, processes, and technology will help organizations stay on top of this ever-shifting ground.