Category Data Subject Requests

DSARs 101: How to Handle Data Deletion Requests

Over the past few years, data subject access requests (DSARs) have practically become universal requirements for privacy regulations around the world. But many organizations still do not know how to handle nuances of these rules, such as data deletion rights. In this article, we'll cover everything you need to know about fulfilling data deletion requests. We'll also discuss how you can automate them! Let's begin.

Need a quick primer on DSARs before reading this post? Check out our previous article!

What Are Data Deletion Rights?

Data transparency and privacy have become top of mind for both consumers and businesses. This is in large part due to the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) establishing rules regarding how organizations collect and process personal data. One of these rules focuses on consumer data deletion rights.

The GDPR's Right to Be Forgotten

The GDPR grants EU residents and anyone doing business with EU organizations the right to be forgotten. Also known as the right to erasure, it allows individuals to ask organizations to delete their personal data. An individual has the right to request this if:

  • The organization no longer needs the data for the original reason it collected it for.
  • A user withdraws their consent which acts as the lawful basis that the organization relies on to process the data.
  • An individual objects to the processing of their personal data and there is no legitimate interest to override this.
  • A person objects to their data being used for direct marketing purposes.
  • The organization is unlawfully processing a person's data.
  • An organization must delete personal data to comply with a legal obligation or ruling.
  • The organization has processed a child's personal data in order to offer information society services.

The CCPA's Right to Delete

Similar to the GDPR's right to be forgotten, the CCPA's right to delete allows individuals to ask organizations to erase their personal data if:

  • The organization collected the personal data from the consumer.
  • The organization no longer needs the personal information to fulfill one of the purposes identified in Cal. Civ. Code Sec. 1798.105 (d).
  • The organization is not entitled to retain the personal data under any of the general exemptions in Cal. Civ. Code Sec. 1798.145.

Data Deletion Requests Are Different From Other DSARs

It's important to note that data deletion rights differ from data access rights. The latter requires organizations to create a report that outlines what information they have about a person and how they use it. Fulfilling data deletion requests usually requires more specificity, insight, and context into how you process the data.

To put this in perspective, an organization could manually fulfill DSARs for the most part if they only receive a low volume of them and only deal with few data sources. But doing so for data deletion requests is more complex.

What Do Data Deletion Requests Require?

Want to efficiently respond to data deletion requests? Then you should prioritize these two factors:

  1. Specificity: You should know where the data is stored as well as any third parties you share it with.
  2. Context: You should be able to correlate the data to an individual, regulatory, or business context in order to determine whether each specific data element must be deleted.

This sounds simple enough, right? Well, it quickly gets complicated! For this reason, we advise you to have a plan in place for managing data deletion requests.

A Typical Workflow for Handling Data Deletion Requests

Here are the steps you should include in your process for taking care of data deletion requests:

  1. Determine the legitimacy of the request.
  2. Verify the requestor's identity and validate their request.
  3. Define what data categories and attributes should be deleted.
  4. Elucidate where you store the data.
  5. Identify both the technical and business data owners.
  6. Determine how to delete the data.
  7. Identify who you share the data with and issue a deletion request to them.
  8. Ensure you are not processing new data.
  9. Define when you can completely fulfill the request.

Note that this outline doesn't include details like how to respond to the request, who manages the process, and which stakeholders are accountable at each step. It's also crucial to remember that policies and reports alone can't solve data deletion requests. To effectively address them, you need a technical solution that fits into your broader privacy management program.

Can You Automate Data Deletion Requests?

Due to their complexity, data deletion requests can be more time-consuming and overwhelming to deal with than regular DSARs. Many ticketing-based solutions promise a seamless way to automate them. But like typical DSARs, this can be difficult (if not impossible) to do with these tools.

In truth, ticketing systems only automate tasks such as ticket creation, receipt confirmation, and deadline alerts. An individual's personal data often exists in several formats across numerous in-house, cloud-based, and third-party systems. Ticketing systems can't find, change, or delete all of these different data formats across your systems. That will still depend on you.

Essentially, a ticketing system can tell you what to do. But actually orchestrating the request and ensure your process meets GDPR and CCPA compliance is still on you. Unfortunately, this constitutes the majority of the work involved. So, is automating data deletion requests actually viable? It is with Ketch.

An Easier Way to Automate Data Deletion

Taking care of data deletion requests offers two main benefits:

  • You comply with GDPR and CCPA rules and avoid penalties.
  • It strengthens trust between your customers and your organization by proving that you take data privacy seriously.

But manually addressing these requests is often easier said than done. Ketch is here to change this. Our solution empowers you to automate your response workflow for DSARs by leveraging tools such as open-source APIs, syntax command templates, and system integration in conjunction with a central control system. As a result, you can automatically record, track, and respond to DSARs like data deletion requests faster and more effectively.

When it comes to privacy data compliance, Ketch puts your data systems to work so you don’t have to. Real automated orchestration of DSARs and data deletion requests is finally here to put an end to the confusion and headaches that usually accompany data compliance.

Click here to schedule your Ketch demo and learn how our platform can simplify your response workflow for DSARs and data deletion requests.

How To Handle Data Subject Access Requests (DSARs): A Short ‘n’ Simple Guide

Are you having trouble handling data subject access requests (DSARs)? Don't fret — you're definitely not alone. DSARs can be complex and time-consuming to deal with. Fortunately, this short 'n' simple primer is here to help!

In this guide, we'll cover everything from what a DSAR is and who submits them to how you should respond and the common challenges you'll encounter. We'll also answer one of the most elusive questions surrounding DSARs: Can they be automated? Let's dive right in.

What Are Data Subject Access Requests?

The global digital landscape is rapidly evolving. In an effort to bolster data transparency and privacy, the General Data Protection Regulation (GDPR) granted EU residents and anyone doing business with EU organizations new rights regarding how organizations collect and process consumer personal data. The California Consumer Privacy Act (CCPA) and the more recent Virginia Consumer Data Protection Act (VCDPA) established similar obligations.

One of these rights is called the right of access. his right empowers individuals (“data subjects” under GDPR) to submit a request known as a data subject access request to learn what information your organization has about them and how you use it. Besides discovering or accessing their personal data, subjects can also use DSARs to request correction or deletion of their personal data.

Recent data privacy regulations like the GDPR and CCPA have increased the power of  consumers to make these requests, and the risk to companies of fumbling them. While this development certainly improves transparency for consumers, it also creates challenges for companies around the world.

Who Can Submit DSARs?

Anyone can submit a DSAR at any time. This includes but is not limited to customers, users, sales prospects, employees, contractors, job candidates, and donors. Individuals do not need to supply a reason for submitting a DSAR, and organizations can only ask questions that help verify the subject's identity or locate the requested data.

Individuals can also submit DSARs on behalf of others. Here are some examples of when this can occur:

  • A parent or guardian requests information on a child.
  • A court-appointed individual is in charge of handling someone else's affairs.
  • A contractor or employee requests data on behalf of their client or employer.

In these cases, it's imperative to verify that the person submitting the DSAR is genuinely doing so on behalf of the data subject. Organizations can do this by requesting supporting evidence of their relationship (e.g., birth certificates, power of attorney documentation, etc.).

What's Required in a DSAR Response?

DSARs usually request a copy of all personal data you have on a data subject. Sometimes, the subject may only request specific details. Either way, you're obligated to provide any data that is relevant to the request.

Here are some examples of the information that data subjects can request:

  • Confirmation that your organization processes their personal data.
  • Access to a subject's personal data.
  • Your lawful basis for processing the subject's data.
  • How long you'll store their data.
  • How the data was obtained and how it's used in automated decision-making and profiling.
  • Third parties with whom you share the subject's data.

How Do You Respond to Data Subject Access Requests?

Generally speaking, you must take four steps to process and fulfill DSARs.

1. Register, Record, and Authenticate the DSAR

Before your organization starts fulfilling a new DSAR, it should register the request, log it in a record system, and authenticate the user making the request.

2. Gather Personal Data

Next, you must discover and categorize the subject's personal data that you process and store.

3. Review the Personal Data

After collecting the subject's personal data, review or redact it to ensure that it meets DSAR requirements without disclosing any proprietary information or data of other subjects.

4. Deliver the Data Securely

Once you've completed the previous three steps, you can now deliver the information to the data subject. Make sure you do this as safely as possible — data breaches or leaks can be extremely expensive, both in money and reputational damage.

How Long Do You Have to Respond to DSARs?

Under the CCPA, you must respond to a DSAR within 45 days. The GDPR only gives you 30 days to do so. Although both laws offer extensions in certain cases, failure to respond to a DSAR within the proscribed timeframes can result in substantial fines and regulatory penalties. It can also damage your organization's reputation by suggesting that you don’t value transparency.

Why Are DSARs So Challenging to Fulfill?

DSAR orchestration involves a complex workflow of verifying the request, finding the data, reviewing it, and delivering it to the subject. Bringing automation to the process would be a boon for organizations, but it’s easier said than done due to the following complexities: 

Personal Data Can Exist Across Multiple Systems

Depending on the size of your organization, DSAR orchestration can encompass dozens, or even hundreds, of systems that collect and store information. This means you have to go through all of the steps mentioned above for each system your organization relies on — in-house legacy, cloud-based, data warehouse, and third-party — to fulfill the request.

This factor alone can exponentially increase the complexity of completing a single DSAR. Consequently, fulfilling DSARs can quickly become both time- and labor-intensive, costing you much more money and resources than you had originally envisioned.

The bottom line? If you don't keep all of a subject's personal data in one convenient place, you'll probably have to implement a data mapping process to keep track of everything and rely on a reporting tool to pull this information from several resources to generate a DSAR response efficiently.

No matter what business you’re in, this is a common conundrum you're likely to encounter. Personal data about your customers resides in more places than just your CRM — it's also in your financial and customer service systems, data logs, backups, websites, and many more locations across the cloud.

Personal Data Can Exist In Multiple Formats

Besides existing in multiple systems, personal data also comes in multiple identifier formats, such as names, email addresses, accounts, and cookies, just to name a few. To make matters worse, your customer may be John Smith in one system, cookie AU9AtlDpEbAqfakUE in another, and reward member #59420392 in yet another. Before you can even think about fulfilling or automating DSARs, you need to be able to find and align all of this data--a heavy lift.

For example, let's pretend you've received a DSAR based on an email address. If this isn't the system identifier, you'll need to request more information from the data subject or try to figure out the correct data format by delving into your system. The latter option isn't always available since some systems only hold obscure identifiers. Without this information, not only is automation impossible, but your compliance is now at risk.

Current Tools Are Inadequate

Even if you can locate all of a data subject's information, fulfilling the DSAR requires you to know and implement all of the steps of your workflow for each system. Tools like ticketing systems have proven to be valuable in helping customer service and IT help desks organize their workflows. And many have even added support for managing GDPR and CCPA DSARs. But they can only automate part of the process.

Ticketing systems can take care of tasks like ticket creation, receipt acknowledgment, and due date alerts. But they can't find, delete, or change all of the formats of a subject's personal data across all of your systems — that task falls to you. In other words, your ticketing system can tell you what to do, but you're still on the hook to actually orchestrae the DSAR and ensure that every step you take satisfies GDPR and CCPA. This actually comprises the bulk of complexity, time, and effort within your DSAR response workflow.

Regardless of the ticketing solutions, spreadsheets, and documented procedures you employ to streamline your DSAR response workflow, the actual process required to account for, modify, or remove personal data from each of your systems will still be manual to a significant degree.

So can DSAR orchestration ever be truly automated? Luckily, that's exactly what Ketch is for.

True Automation for Your Data Subject Access Requests

GDPR and CCPA compliance doesn't only let you avoid penalties; it's also a prime opportunity to establish and build trust with your customers. Quick, efficient responses to DSARs can elevate your brand by showing your clients that you take their data privacy seriously. But as you now know, accomplishing this isn't an easy feat.

If you're wondering if there's a better way to automate your DSAR response workflow, Ketch has got you covered. We built our platform from the ground up to automate the fulfillment of data subject access requests. And when we say "fulfillment," we really mean your entire workflow — not just ticket creation.

Want to remove compliance headaches and avoid hiring a costly data compliance analyst? Robust, automated DSAR orchestration is just a few steps away. Click here to schedule your Ketch demo and learn how our platform can simplify your DSAR response workflow.

To learn more about Ketch's innovative approach to Privacy Orchestration, download our white-paper here. 

Can Orchestrating Privacy Data Subject Requests be Automated?

The complex, time consuming, and downright annoying process of exporting, erasing, or rectifying personal data to respond to valid data subject requests sanctioned under privacy data regulations like GDPR and CCPA likely has you wondering if there’s a better way. You’re not alone if you’re considering a ticketing-based solution touting the ability to automate this process. But can orchestrating data requests from customers be automated?

Personal data exists in multiple formats across multiple in-house, cloud-based, and third-party systems. It can be an email in one system, a rewards number in another, or a cookie in yet another. Before a data subject request can even be fulfilled, much less automated, you need to find the data. Easier said than done. Consider a request based on email address. If that’s not the system identifier, you need to either gather more information from the now-frustrated customer or delve into the system to try and determine the data format. That’s not always possible with systems that hold only obscure device identifiers or cookies. And by law, you can’t claim you don’t have the data just because you don’t have the identifier. Without this information, compliance is at risk and automation is not possible.

Even when the data is located, fulfilling the request requires knowing all the steps within the workflow of each system. For external systems, this could be sending an email or going through the user interface to generate the request. For internal systems, it means identifying the responsible system owner and operator. This is all compounded by the fact that you still need to determine if the request was even received and fulfilled—for every system.

Since the definition of personal data is broad, and it can reside in several linked systems and subsystems, the question also often remains whether the scope of all the data was even dealt with. You might think a data subject request only requires you to delete the customer table containing names, email addresses and account information. But if that customer’s data exists in other locations and formats like purchasing or browser history, you’re only in compliance if ALL the appropriate data is deleted. That also means you need to know what data is exempt and must be maintained for contractual, legal, or auditing purposes.

Considering the complexity of it all, don’t be fooled by ticketing-based system that have you thinking the actual work of fulfilling data subject requests will be automated. Sure, these systems may automate the creation of a ticket, an email response to the customer acknowledging the request, or the due date required by a specific regulation. They may even help you manage HOW to fulfill requests—that is once you’ve determined and set up all systems, identifiers and workflow requirements. But ticketing-based systems are simply not capable of automating orchestration.

So the question remains—can orchestrating data subject requests even be automated or is that just pie in the sky? That’s where Ketch come in.

Using technology rather than process, Ketch is working to solve the barriers of automation by invoking tools like open-source APIs, syntax command templates, and system integration in conjunction with a central control system that lets you automatically record, track, and respond to data subject requests. When it comes to privacy data compliance, our goal is to make data systems work so you don’t have to.

Are Ticketing Systems Effective for Handling Data Subject Requests?

Complying with data security and privacy regulations like GDPR and CCPA isn’t just about avoiding penalties—it’s also about building trust with your customers. That means fast, effective response to data subject requests from individuals asking to discover, access, rectify, or delete their personal data that your company maintains.

With the data sitting in multiple systems and formats—from names and email addresses, to accounts and cookies—orchestrating data subject requests can be complex and labor-intensive, costing you money and tying up resources to respond by the deadline. Under CCPA, that’s 45 days. GDPR gives you just 30.

Ticketing systems make it easier for customer service and IT help desks to effectively respond to requests through an organized workflow. They’re a great tool for recording, assigning, prioritizing, and tracking support tickets. Many of these systems have now added support for managing GDPR and CCPA data subject requests. With features like tagging to ease searches, canned responses to prevent repetitive work, assignment rules to delegate responsibility, and customized reporting to help with audits, a good ticketing system can certainly make handling data subject requests more efficient. But if you think these systems will do the work for you, think again.

Ticketing systems can automate some of the workflow in responding to data subject requests. Think ticket creation, receipt acknowledgement, assignment, or due date alerts. But the actual work of fulfilling the request still must be done. Automation claims may give you the illusion that it will do it for you, but a ticketing system is never going to find and delete or change all the formats of someone’s personal data across multiple internal, cloud-based, data warehouse, and third-party systems. That’s up to you.

In other words, your ticketing system might tell you what to do, but you’re still stuck orchestrating the request through a combination of manual system hunt and peck, available data privacy APIs, and third- party requests—all of which then needs to be verified to ensure GDPR and CCPA compliance. This is what makes up the bulk of complexity and time within the workflow. But it doesn’t have to.

Ketch doesn’t just manage the workflow of responding to consumer data subject requests by creating and tracking tickets. We actually intelligently automate the fulfillment of those requests by directly integrating with the systems where the data resides. Instead of treating data privacy like help desk and investing in a ticketing system that at most creates a ticket, stop the manual, time-consuming process of closing that ticket with Ketch.

Click here to schedule your demo and learn how Ketch doesn’t just capture and track data subject requests but automatically orchestrates their fulfillment.