Data Privacy Buy-In: The Usual Suspects and What to Say to Them
Getting the business to say “yes” to data privacy isn’t easy. Yet it...
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
Updated: September 4, 2024
Published: July 31, 2024
Navigating the stringent requirements of data subject access requests (DSARs) can feel like summitting a mountain—the path forward isn’t always clear, pitfalls abound, and you’re fighting gravity all the way.
The good news is, simplifying DSAR management is possible. And necessary. Here’s why:
First of all, the volume of DSARs isn’t going down. Each year, over 25% of all internet users submit a subject rights request. According to EY research, 60% of all organizations subject to the GDPR have seen an increase in subject rights requests in the past year. As more people become aware of their data privacy rights, and as more U.S. data privacy laws come online, DSAR requests will keep coming. s in the past year. As more people become aware of their data privacy rights, and as more U.S. data privacy laws come online, DSAR requests will keep coming.
Second, noncompliance with DSAR requirements is no joke. Ignore DSARs, and your organization may need to pay a lot—both financially and in other ways.
Organizations that fail to meet DSAR mandates face sizable consequences, most commonly fines imposed by data protection authorities. In 2023, 45 companies received fines from the EU for insufficient fulfillment of data subjects' rights, totaling over €47.3 million ($51 million). One notable offender, Spotify, was fined €5 million ($5.4 million) in Sweden for not providing full information about the personal data it processes in response to individual requests.
As a result of the California Consumer Privacy Act (CCPA), businesses spent $1.3 billion handling DSARs in 2020 and 2021 alone. And by the time 2026 comes around, Gartner predicts global annual financial penalties associated with DSAR mismanagement will exceed $1 billion.
These are not trivial penalties. And fines can quickly escalate for repeat offenders or those with egregious violations, leading to prolonged legal battles.
Beyond financial penalties, noncompliant DSAR practices violate customer trust and reflect a lack of commitment to data privacy. In fact, 72% of consumers report they would stop buying from a company or using a service because of privacy concerns. News of mishandling DSARs can spread rapidly, impacting not just customers’ perception of your company but that of potential partners and stakeholders as well.
Safeguarding against the costs of mishandled DSARs requires your business to adopt comprehensive strategies. Compliance should not be viewed as a checkbox exercise but as preserving integrity and maintaining customer trust. Recognizing the high stakes involved in DSAR fulfillment makes it easier to ensure regulatory adherence and a steadfast commitment to protecting consumer data.
Clearly, it’s critical to comply. But it’s also critically painful for privacy pros processing the requests. Let’s talk about the root causes of this pain and the best ways to find relief and get the job done.
The overall process for completing a DSAR is relatively straightforward—you can review the individual steps to DSAR management in our blog, What Is a DSAR? A Complete Guide to Data Subject Access Requests. For now, let’s focus on why managing DSARs is so hard and what you can do to make them easier.
Factors that add complexity to DSAR management include:
But for every challenge, there’s a solution that can alleviate it (if you have the right platform and features).
Laws like the GDPR and CCPA/CPRA have mandated 30- or 45-day timelines to fulfill DSARs, which can compound the pressure if you have to contend with high volume, low visibility, and multiple regulations. Doing the required work in a diligent manner will almost certainly extend past mandated timelines. And, rushing the process can result in more errors. Adding staff and resources to process DSARs within mandated timelines is one option, but it’s an expensive one. While you may avoid fines by completing work on time, you’ll take the financial hit in elevated operational costs instead.
It should come as no surprise that fulfilling a DSAR is a tedious and time-consuming task when performed manually. Organizations that receive one or two DSARs every now and again may get away with manually sifting through their systems for relevant data. But even then, they risk making errors like missing pieces of a data subject’s personal information, exposing someone else’s data, or missing deadlines. And as we’ve discussed earlier, DSAR noncompliance can get very costly very quickly.
Subject rights fulfillment is an excellent use case for automation. While it’s vital that a human remains in the loop to verify accuracy, automated subject rights solutions can significantly expedite the DSAR fulfillment workflow, helping you to meet those 30- and 45-day deadlines.
How many applications does your company use on a daily basis? Would you have any idea which of those applications contain personal information—let alone what kind? The fragmented nature of data management further complicates the journey to DSAR compliance. With data siloed across various departments, databases, and file structures, many organizations lack visibility across data stores or a unified approach to managing that data. This lack of centralization and visibility hinders the fast, accurate retrieval of data.
To manage data, you need to be able to see it. An intuitive, holistic data mapping solution that integrates with your DSAR solution can create a detailed map of data flows and sources that facilitates faster data discovery and helps alleviate one of the bigger headaches of the DSAR process.
Ideally, these solutions automatically identify and integrate systems that process personal data in your organization. For example, Osano can discover many systems through sources like your single sign-on (SSO) provider of customer data platform (CDP). However, not all systems will be discoverable in an automated way regardless of what solution you use. For any niche, disconnected, or shadow IT systems, you’ll want to make sure your solution allows for frictionless manual uploads of data store information. This ensures your data map is as comprehensive and provides as much visibility as possible. In turn, you’ll be better equipped to find relevant data when fulfilling DSARs.
Too much data held by organizations can make DSAR processing an arduous task. Any data involved requires careful verification, review, and packaging. Compounding this work by a huge volume of data makes processing DSARs a massive effort.
Even if you have perfect insight into your organization’s data landscape, finding a specific individual’s data to fulfill a subject rights request can feel like finding a needle in a haystack. With an automated data discovery solution, you can identify a given individual’s personal data even if it’s spread across multiple, disparate systems.
When Osano's data discovery capabilities, you can discover data through your data map and its underlying data inventory. Not only will this help you quickly identify all an individual’s data held within your systems, but you’ll be better able to identify when and where data has passed to a third party. This way, you’ll be able to quickly notify vendors and other partners of the need to comply with a DSAR.
Data privacy compliance can’t exist in a vacuum. Subject rights requests, in particular, require extensive and coordinated collaboration. Privacy professionals don’t have insight into or control over every single system that may process personal information. And as we’ve described earlier, it won’t be possible to automatically pull personal information out of every system in your organization.
Privacy professionals need to coordinate with the internal stakeholders who own various personal data stores and ensure they know how and when to take certain actions to fulfill subject rights requests. That could involve deleting certain data, reporting on what data they have, and so on.
While training and clear communication are excellent, it always helps to have a system that can provide guidance and ensure everybody stays on the same page.
Osano allows users to tag individuals in their organization as data store owners. Doing so enables you to assign those data store owners action items should they control data relevant to a subject rights request. A suite of webhooks and APIs allow for notifications in the other systems and tools your organization already use to manage the workday. Osano users can also set internal timelines—this way, you can set deadlines earlier than the 30- or 45-day window provided by law so you can account for stragglers without risking a regulatory violation.
To add another layer of complexity, businesses must navigate the requirements for each data privacy law they are subject to. Different laws provide data subjects with different rights that they may exercise and impose different requirements on organizations when fulfilling those rights requests. All of this means that a multijurisdictional company may be inundated with DSARs from multiple regions, with each request requiring meticulous attention to detail to ensure compliance. Without an easy way to take inventory of existing data, fulfilling data requests can be next to impossible in a large organization with massive data stores.
Data privacy solutions shouldn’t leave the nitty-gritty of compliance up to you; they should have regulatory knowledge built-in and verified by experts, so you can focus on your core work. Osano’s uses geofencing and localization to ensure that data subjects from different jurisdictions have access to the request types that their governing law provides. This way, you won’t have to worry about fulfilling subject rights requests from jurisdictions without a governing data privacy law or failing to fulfill a unique request type you weren’t aware of. Osano Subject Rights Management has all that knowledge baked into its design.
As the demands of data privacy continue to evolve, the ability to provide quick and precise responses to DSARs guarantees legal compliance and customer trust.
With centralization of the subject rights request process and automation of time-consuming and repetitive tasks, you can speed up compliance, relieve the burden on your team, and reduce the likelihood of human error in your own DSAR process.
Book a demo and see how Osano can help you create a simpler, less laborious DSAR process.
Are you subject to the CCPA? If so, your employees can submit DSARs, and you have to honor them. Here's what to watch out for and how to comply.
Download Now
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.