Under the stipulations laid down by the CCPA and GDPR, businesses must fulfill DSARs (data subject access requests) from 2020 onwards. Unfortunately, a survey revealed that 56 percent of companies would fail to meet CCPA requirements by 2020. Companies operating under both of these privacy laws should be aware of the differences between the EU's General Data Protection Regulation and the more recent California Consumer Privacy Act when it comes to key DSARs.
It is essential for businesses to understand specific preliminary issues that are common among various DSAR types:
As per Recital 64, the controller needs to use every available resource to verify the identity of data subjects who submit requests for access. This is especially true for online identifiers and online services. What's more, the verification process must not demand more sensitive information than the request itself involves. It is also stated that the verification procedure must not be unnecessarily time-consuming or challenging.
The California Consumer Privacy Act has tasked the Attorney General with drafting the procedures and rules that govern whether or not a particular request is a valid consumer request. These regulations will be published as a first draft. Ideally, a request that has been submitted via a password-protected account that a business maintains for the consumer will be treated as a bona fide request.
The Information Commissioner's Office has released guidance stating that the General Data Protection Regulation does not prevent any person from making a subject access request through a third party. The third party is responsible for establishing the authority that allows them to act on behalf of the data subject. The details may even be sent directly to the data subject if it is not clear that he/she understands what information the third party enlisted for the task will access.
The new data protection directives allow a natural person or an individual registered with the Secretary of State to receive authorization from the consumer for acting on their behalf.
The Information Commissioner's Office has set the deadline for compliance at one calendar month or sooner. If the request is complicated, however, an extension of two months will be granted to the organization.
The CCPA makes it clear that DSARs must be responded to within 45 days. In some cases, an extension of up to 90 days is permitted.
The GDPR requires the following information to comply with data subject access requests:
It is essential for the controller to disclose all information relating to:
The following requirements need to be fulfilled:
All information provided by the data subject to the controller should be processed on a legal basis of either a contract or consent. This applies wherever the processing took place, including processing carried out by automated means.
Under the CCPA, every right-to-access response must be delivered electronically.
Data needs to be structured in a commonly used format readable by machines.
All data should be in a portable format.
Controllers allow data to be transferred smoothly, without objection or hindrance. Where it is technically feasible, they retain the right to transmit the personal data directly to another controller.
The transfer is permitted to the fullest technically feasible extent, as long as the data is available in a readily usable format that the consumer can transmit to a different entity without difficulty.
The following information needs to be deleted:
Personal data that falls under one of the six grounds for erasure and is not covered by one of the five exemptions should be removed without fail.
Personal details that are covered by the law and fall outside the exemptions must be removed.
All data subject access requests are restricted to personal data, and the right applies only to personal data that:
Exemptions apply if the processing is required for:
All requests made under the CCPA are limited to personal details. The law does not cover any right to information that falls under other regimes, such as information covered by the GLB Act or HIPAA.
Exemptions for rejecting the request to delete data include:
The fundamental difference between the GDPR and the CCPA is the area of coverage. The former protects individuals inside the EU, while the latter protects consumers who are Californian residents, including households. While they do share a few things in common, each tries to protect the interests of data subjects to the full extent of its law.