Data Subject Requests: The Hidden Risk in Plain Sight
Do you have a plan when it comes to Data Subject Requests (DSRs)? The frequency with which I hear “what is a DSR” or “what is a data subject” is astounding, particularly for companies that are business-to-consumer (B2C). This leads me to think that leaders in these organizations are not prepared for a very large and very public compliance gap in their businesses.
DSRs are the rights that individuals (also known as Data Subjects) have under data protection and privacy laws to access, correct, delete, or object to the processing of their data. While these differ from jurisdiction to jurisdiction (there may be more or fewer depending on your location), they generally exist in some shape or form in privacy-mature regions.
The right to access speaks to providing access to the data you have (and that you have generated or inferred) about an individual. You need to consolidate what you have and provide it to the user, generally in a machine-readable format that doesn’t require a purchase on the individual’s part. Access requests are possibly the most complex, as you need to sift through anything you have generated as well as what the user (or other parties) have provided and then pass this back to the user without compromising corporate protected data or data of other individuals.
The right to correction lets a Data Subject correct the information you hold on them. This is probably the easiest right, as it is often built into account management or the marketing and CRM platforms you use.
The right to objection is for an individual to object to your processing of their information when they feel that you have obtained their data without due process, or if you’ve overstepped your boundaries of what is acceptable use of the data. This is often followed by deletion or correction.
The right to deletion is a contentious one, as it depends on the region you’re in. Canada, for example, does not actually have a right to deletion. However, Europe, the UK, and several other regions do. This requires removal or anonymization of all data held about an individual and can be challenging, as it could break systems (for the technically inclined: particularly if your primary/foreign keys in databases refer to personal information and not identifiers that can be separated from the personal information).
These rights should be listed in the privacy notice on your website, along with how an individual can exercise them. The notice should be tailored to your jurisdiction or those that you operate in, and should clearly articulate who can be contacted and the time period in which they can expect a response (DSRs are often tied to a legislated time limit, such as 30 days for Canada under PIPEDA). As mentioned, where you operate plays a big part in what you must comply with. If you operate in California, for example, there are additional rights in terms of “do not sell or share” that need to be catered for under CCPA and CPRA.
A steady trend that we see once sections about DSRs are added to a privacy notice is individuals exercising those rights. For each organization where Bamboo is appointed as vCPO, a steady month-on-month increase is seen in these requests coming in. This tells me that individuals want to exercise these rights and just need a channel to do so. That means that if you are not offering a channel for this, you are opening yourself to complaints from the public, either to yourself or to the information commissioner or regulators, which in the case of the latter could land your business in a world of trouble.
Now, rights aren’t absolute; these are requests after all. Your processes should detail how you respond to these requests, as well as under what conditions you can (and would) deny such a request. Deletion, in particular, is an interesting one in Canada, as it’s not actually a right in PIPEDA, but individuals are aware of this right from other regions such as the EU. In these cases, we often suggest that you comply with the request anyway, as it builds goodwill with your clientele and is probably gearing you up for some future-proofing too.
If all of this sounds wildly complicated and is something you’ve never contemplated, why not reach out to us to develop your DSR policies and procedures, and handle the updates to your public-facing documentation? Let us take the pain out of this, while bringing in the human approach to building trust with your customers.