February 3, 2020
Under the stipulations laid down by the CCPA and GDPR, businesses must fulfill DSARs or data subject access requests from 2020 onwards. Unfortunately, a survey revealed that 56 percent of companies would fail to meet CCPA requirements by 2020. Companies operating under both these privacy laws should be aware of the differences between the EU's General Data Protection Regulation and the more recent California Consumer Privacy Act when it comes to key DSARs.
It is essential for businesses to understand specific preliminary issues that are common among various DSAR types:
As per Recital 64, the controller needs to use every available resource for verifying the identity of data subjects who submit requests for access. This is especially true for online identifiers and online services. What's more, the verification process must not exceed the amount of sensitive information mentioned in the request. It is also said that the verification procedure must not be unnecessarily time-consuming and challenging.
The California Consumer Privacy Act has tasked the Attorney General with drafting procedures and rules for governing the decision whether or not a particular request is a valid consumer request. These regulations will come out in the first draft. Ideally, a request that has been submitted via a password-protected account maintained by a business consumer will be treated as a bonafide request.
The Information Commissioner's Office has released information mentioning that the General Data Protection Regulation does not prevent any person from making a subject access request through a third party. This third party is responsible for establishing an authority that will allow them to act on behalf of the data subject. The details may even be sent directly to the data subject if he/she does not understand what information the third party enlisted by them for the task will access.
The new data protection directives allow a natural person or an individual registered with the Secretary of State to receive authorization from the consumer for acting on their behalf.
The Information Commissioner's Office has established the timing for compliance at one calendar month or sooner. If the request is complicated, however, an extension of two months will be granted to the organization.
The CCPA makes it clear that DSAR requests must be responded within 45 days. In some cases, an extension of up to 90 days is permitted.
The GDPR requires the following information to comply with data subject access requests:
? If any processing of the data took place
? Categories of personal data that were processed
? Recipients of the disclosed information
? Data retention period
? Right to erase or correct data along with restricting or object processing
? Right to complain about the supervisory authority
? Source of information not submitted by the data subject
? Copy of the processed data
? Meaningful details regarding automated decision-making
? Necessary safeguards for data transfers taking place between two or more countries
It is essential for the controller to disclose all information relating to:
? Categories of personal information gathered
? Types of personal information sold
? Categories of sources
? Categories of third parties with whom the organization shares personal data
? Categories of third parties to whom private data was sold
? Categories of personal information for every third party
? Particular pieces of information collected by the business
? Commercial or business purposes for gathering or selling the data
The following requirements need to be fulfilled:
All pieces of information offered by the data subject to the controller should be legally based on either a contract or consent. This is applicable wherever the processing took place, even if through automated means.
Under the CCPA, every right to access responses must be submitted electronically.
Data needs to be structured in a commonly used format readable by machines.
All data should be in a portable format.
Controllers allow transferring data smoothly without any objections or hindrances. If it is technically feasible, they retain the right to transmit the personal data directly to another controller.
The transfer is permitted to the fullest technical extent as long as the data is available in a readily usable format that the consumer can transmit to a different entity without any issues.
The following information needs to be deleted:
Personal data that falls under one of the six grounds for erasure and is not covered by one of the five exemptions should be removed without fail.
Personal details covered by the law and out of the provision of exemption must be removed.
All data subject access requests should be restricted to personal data. Plus, it applies only to personal data:
? That is no longer required for the purpose processed or collected
? Which is no longer bound by consent since it has been withdrawn
? That is an objection covered by Article 21(1)
? That does not fall under the unlawful processing of personal information
? The collection of which comes under Article 8(1) offer of information society services.
Exemptions apply if the processing is required for:
? Exercising the right to freedom of information and expression
? Public interest in public health
? Compliance with a legal obligation
? Exercise, defense, and establishment of legal claims
? Archiving of specific historical or scientific research, and public interest
All requests made under CCPA are limited to personal details. The law does not cover any right to information, such as GLB Act Information or HIPAA.
Exemptions for rejecting the request to delete data include:
? Debugging
? Exercise of free speech
? Security purposes
? Completion of transaction
? Compliance with the CCPA
? Solely internal users
? Specific internal, lawful uses
? Compliance with a legal obligation
? Certain statistical, scientific or historical research in the public interest
The fundamental difference between EU and GDPR is the coverage area. The first protects individuals inside the EU while the latter protects consumers who are Californian residents, including households. While they do share a few things in common, they try to protect the interests of the data subjects to the full extent of the law.
We take privacy seriously. While we promise not to sell your personal data, we may send product and company updates periodically. You can opt-out or make changes to our communication updates at any time.