March 1, 2023
At midnight on the 25th of May, 2018, millions of people were suddenly in possession of legal rights they lacked minutes before thanks to the General Data Protection Regulation (GDPR).
Among those rights was the ability to submit data subject access requests, or DSARs. It would take some time before these people understood what powers those rights gave them and how to exercise them. It would take even longer before businesses understood that they were obligated to fulfill these requests.
Soon enough, millions more individuals would gain the right to submit a DSAR thanks to the passage of new data privacy laws across the globe. At first, businesses received barely any requests, but they would soon start to receive dozens or hundreds of requests every week. It quickly became overwhelming, and to help businesses stay compliant and protect consumer rights, compliance vendors began to release products that would make the whole process of receiving, triaging, and acting upon DSARs a little easier.
These solutions have evolved significantly and continue to change since the inception of the GDPR in 2018. We’ll cover how DSAR solutions have changed over time, where they stand now, and what businesses can expect in the DSAR solution market in the future.
A DSAR is a blanket term covering the variety of rights that a data subject has over their data. While “access” is in the name, a DSAR can cover a range of actions, like updating data, deleting it, and so on. Some practitioners reserve the term DSAR for access requests specifically and use the broader term subject rights request (SRR) for all types of requests, but in practice it has become industry-standard language to use “DSAR” as a catch-all term for every type of request. For most people, DSAR and SRR are used interchangeably.
This can become a pretty complicated subject pretty fast, so we won’t dive into all the ins and outs of DSARs here. If you don’t feel super up to date on DSARs, you’ll want to check out our DSAR guide—in it, we cover all of the basics. But if you’re already DSAR-savvy and want to know a bit more about what the landscape of solutions to the DSAR problem looks like, read on.
At the inception of the GDPR, many businesses assumed that DSARs were spam. When they did respond, they often did so noncompliantly, fulfilling requests incompletely or inaccurately, missing deadlines, and delivering data in difficult-to-use formats. Part of this was due to ignorance of the law, but data protection authorities had also not yet issued specific guidance.
As for the tools businesses used to fulfill DSARs, most relied on email and maybe a spreadsheet or two to track data and requests. In fact, many businesses still take this approach today, especially in the U.S. where DSARs are a relatively new phenomenon.
This approach, however, is ad hoc and disorganized. Often, the person responsible for overseeing the process is simply whoever can be reached by email, typically a customer service representative. When that person receives a DSAR and recognizes the need to act, they separately email their colleagues in marketing, finance, and other departments that might hold consumer data. Invariably, they miss relevant data because:
A business might succeed in fulfilling any individual request using this manual approach, but it features plenty of gaps for noncompliance to slip in over the long term. Taking the email-and-spreadsheets approach:
Businesses simply weren’t aware of their requirements and thought that an improvised DSAR workflow relying on email and spreadsheets would do the trick. That would change as enforcement progressed.
Based on data from enforcementtracker.com, the first documented GDPR enforcement action for DSAR violations was just a few months after the law went into effect—an unnamed company received a minor 388 euro fine in October of 2018. This certainly didn’t make headlines or draw the attention of businesses, but that would change two years later, when Google was hit with a 5 million euro fine for a DSAR violation. Soon after, businesses started to receive multi-million euro fines for failing to honor consumer DSARs in a compliant fashion.
These enforcement actions were coupled with growing consumer awareness of their ability to make DSARs. In fact, in May of 2020—just a few months after the California Consumer Privacy Act (CCPA) went into effect and gave millions of Californians the right to make DSARs—44% of survey respondents subject to the CCPA reported receiving at least 10 DSARs a week, with 9% receiving more than 500 requests a week.
Software vendors began developing consumer-facing data rights software that, among other privacy tasks, can send out automated DSARs to the businesses consumers interact with. Consumers and employees began sending out legitimate requests, vexatious requests intended just to cause trouble, and requests they hoped would drum up evidence to use in lawsuits.
At this point in the evolution of the DSAR market, businesses started to demand solutions, and vendors started to deliver.
The earliest DSAR solutions solved for one of the major sources of noncompliance—creating a repeatable, seamless workflow that directed the course of action businesses needed to take when responding to a DSAR.
This first wave of DSAR solutions alerted stakeholders to their responsibilities, connected different data stores, prompted data subjects to verify their identities, kept track of the progress and deadlines associated with each request, and more. Essentially, these tools functioned as a compliance consultant in a box—something with all of the regulatory knowledge baked in, but which didn’t do the actual heavy lifting.
That was still left to humans—busy, error-prone humans. The GDPR only went into effect in 2018, and US data privacy laws are even newer; so, most businesses don’t have a dedicated privacy professional on payroll. Even though these tools reinforced the workflow required for DSAR compliance, businesses didn’t (and largely still don’t) have anybody to own the process. More and more businesses started to push for automated capabilities.
To inject more automation into this process, some businesses found an interesting new application for an existing solution: eDiscovery software. Originally designed for sifting through tens of thousands of documents to identify data relevant to a lawsuit, eDiscovery software can also be used to discover the data relevant to a DSAR. Data discovery is a very time-consuming process, and eDiscovery software can speed it up.
This approach has its flaws, however. For one, eDiscovery software typically requires dedicated expertise to use, and therefore doesn’t really address the human resource issue that DSARs create. It also only handles the discovery aspect of handling DSARs; while this is a time-consuming part of the process, a true DSAR solution should make the entire process simple and foolproof.
Considering that some businesses receive hundreds of DSARs a week, it’s clear that automation should be part of a DSAR solution. But unchecked automation can be risky in a compliance solution. If your automated solution inadvertently exposes another data subject’s data, deletes the wrong data, makes unintended changes, and the like, you could face a business disruption at best and a lawsuit at worst.
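The failure modes above (exposing another subject’s records, deleting the wrong data, acting before anyone has checked) are the reason most solutions keep a human in the loop. The following is an added example, not Osano’s code or any vendor’s, of the minimal gating a DSAR pipeline needs: discovery keyed only on an exact subject identifier, a deletion plan that refuses to run until identity is verified and an administrator has approved it, and records under a retention obligation held back for review. The two in-memory data stores, the subject IDs, the 45-day window, and the `retain_until` field are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data stores (not real data). Every record carries the
# subject identifier it belongs to; lookups use only that exact key.
CRM = {
    "c-1001": {"subject_id": "s-42", "email": "ana@example.com", "newsletter": True},
    "c-1002": {"subject_id": "s-43", "email": "ana.b@example.com", "newsletter": False},
}
BILLING = {
    "inv-7": {"subject_id": "s-42", "amount": 99.0, "retain_until": date(2030, 1, 1)},
    "inv-8": {"subject_id": "s-42", "amount": 12.5, "retain_until": date(2020, 1, 1)},
}
STORES = {"crm": CRM, "billing": BILLING}


@dataclass
class DSAR:
    subject_id: str
    kind: str                  # "access" or "delete"
    received: date
    identity_verified: bool = False
    admin_approved: bool = False
    deadline_days: int = 45    # assumption: statutory window (CCPA uses 45 days, GDPR one month)


def deadline(req):
    return req.received + timedelta(days=req.deadline_days)


def days_left(req, today):
    return (deadline(req) - today).days


def discover(subject_id):
    """Exact-key match only. Fuzzy matching on names or email prefixes is how
    one subject's access response ends up containing another subject's records."""
    found = {}
    for name, store in STORES.items():
        hits = {k: v for k, v in store.items() if v["subject_id"] == subject_id}
        if hits:
            found[name] = hits
    return found


def plan_deletion(req, today):
    """Build the list of records to delete; nothing is touched here."""
    if req.kind != "delete":
        raise ValueError("not a deletion request")
    if not req.identity_verified:
        raise PermissionError("identity not verified; refusing to plan deletion")
    plan = {"delete": [], "hold": []}
    for store, hits in discover(req.subject_id).items():
        for key, rec in hits.items():
            # Assumption: records still under a retention obligation are held
            # back for human review instead of being deleted automatically.
            if rec.get("retain_until") and rec["retain_until"] > today:
                plan["hold"].append((store, key))
            else:
                plan["delete"].append((store, key))
    return plan


def execute_deletion(req, plan):
    """The destructive step runs only on a plan an administrator approved."""
    if not req.admin_approved:
        raise PermissionError("deletion plan not approved by administrator")
    deleted = []
    for store, key in plan["delete"]:
        STORES[store].pop(key, None)
        deleted.append((store, key))
    return deleted


def demo():
    """Walk one deletion request through the gates and report what happened."""
    today = date(2023, 3, 11)
    req = DSAR("s-42", "delete", date(2023, 3, 1), identity_verified=True)
    plan = plan_deletion(req, today)
    try:
        execute_deletion(req, plan)          # not yet approved: must be refused
        blocked_without_approval = False
    except PermissionError:
        blocked_without_approval = True
    req.admin_approved = True
    deleted = execute_deletion(req, plan)
    try:
        plan_deletion(DSAR("s-43", "delete", today), today)   # unverified requester
        blocked_unverified = False
    except PermissionError:
        blocked_unverified = True
    return {
        "days_left": days_left(req, today),
        "plan": plan,
        "blocked_without_approval": blocked_without_approval,
        "blocked_unverified": blocked_unverified,
        "deleted": deleted,
        "remaining_crm": sorted(CRM),
        "remaining_billing": sorted(BILLING),
    }


if __name__ == "__main__":
    print(demo())
```

The important design choice is that discovery, planning, and execution are separate functions: a reviewer can inspect exactly what the plan will touch, and the destructive step cannot be reached without both identity verification and an explicit approval flag. Records still under a retention obligation land in the `hold` list rather than being deleted or silently skipped.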
Different DSAR solution vendors therefore feature different mixes of automation and human involvement in the workflow. To some extent, most solutions keep a human in the loop for final review and confirmation. Osano Consent Management Platform (CMP) provides a DSAR solution in our suite of products—here’s how we strike a balance between automation and human review.
Our approach to the DSAR challenge focuses on centralization, automation, and scalability. What that means is Osano’s Subject Rights Management and Data Discovery products (which are used in combination to fulfill DSARs):
With Osano, businesses are able to customize and embed a DSAR form and/or specify a dedicated email address to intake DSARs. This cuts down on data creep, where receiving and communicating DSARs across different portals creates yet more data to track down and handle. We also provide multiple options for data subjects to upload identity verification, enabling you to define whether you need a photo ID for more sensitive requests or a simple email verification for less sensitive requests.
Once Osano is connected with your data stores, you can search for the data fields that apply to a given data subject. We also provide recommended actions for given data fields, such as deleting sensitive data like social security numbers or summarizing commonly requested data such as purchase histories.
When a data subject makes a summary request, Osano automatically retrieves the data relevant to that data subject. When a data subject makes a deletion request, Osano can automatically delete the relevant data if the DSAR administrator desires. Throughout, and before finalizing these automated actions, Osano checks in with the DSAR administrator to confirm accuracy, striking a balance between unchecked automation and unnecessary effort on the administrator’s part.
For tasks that aren’t suitable for automation, Osano alerts data store owners about their responsibilities, regularly sending out reminders as the DSAR deadline approaches and alerting the Osano user to the status of outstanding DSAR tasks.
All told, Osano streamlines the overall DSAR process, ensuring that users can accomplish as much as possible within one tool and with a balance of efficient automation and careful confirmation.
In the future, we can expect DSARs to be much more commonplace and more self-serviceable. In large part, that will be because businesses will incorporate privacy-by-design principles into the systems they use to collect and/or process consumer data.
A data subject’s data is their property; it only makes sense that when they use an application to conduct their banking, connect with friends, listen to music, make purchases, and so on, they’ll be able to access and modify their data as they please. In all likelihood, future applications will enable users to make and execute their own DSARs with minimal intervention from the business collecting or processing their data.
DSAR solutions will still play a role in this space; they may become the software components that handle DSARs within a larger architecture. Some businesses may take the approach of designing their own compliance systems, but the high stakes associated with noncompliance and the need for purpose-built solutions mean that compliance solutions will likely remain the domain of third-party providers.
For businesses looking to build out a DSAR process that functions in the current and future regulatory environment and that will grow with them, it’s important to evaluate solutions based on a few key points.
Asking these questions will help inform whether or not the given DSAR solution will remain a valuable investment in the long term.
Schedule a demo of Osano today and find out how we’ll answer.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.