To automate or not to automate, that is the question.
Both the European Union's GDPR (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act) include the right for a user to request their data at any time. This right is often called the Data Subject Access Right, or DSAR.
It may sound simple enough, but this one requirement includes many steps. Once the request has been made, the process may go as follows for the company:
- Authenticate the user as the individual associated with the data
- Locate all of this user’s associated data
- Collect the data into a portable format (typically CSV)
- Securely transfer this data back to the user
This needs to be done in a way that maintains the user's privacy, is traceable, and is completed within the regulation's time limit (usually 30-45 days).
If your company has a very small number of users, it is possible to do this manually. However, the larger the number of employees dealing with the data and the more users you have, the more complex this process becomes.
Here are three reasons to consider automating this process:
1. Process - Training and Staff
The handling of a DSAR can cross numerous layers of staff, from the customer response staff who take the request to the development staff who may need to pull data from your databases. To ensure the security of the data, the number of people who can access it should be minimized and the transfer may need to be encrypted. This process has to be well thought out, clearly documented, and easy to follow for any employee who may be involved.
An automated tool allows you to ensure consistency in your process and limit the access points to the data, maximizing its safety.
2. Mass Data Request
One request at a time may not be an issue for your company to handle, but imagine if you were to receive multiple requests at the same time. Although you may think this is unlikely, some customers have started to use this as a way to punish businesses. One example took place in October 2019, when players of a video game by the company Blizzard encouraged each other to request their data at the same time in the hope that it would overwhelm company resources and cause what we call a DDoS, or Distributed Denial of Service. This is not the only example. There is also a website called Ship Your Enemies GDPR that is set up to allow you to bog down the company of your choice with requests. On the flip side, websites such as YourDigitalRights.org are designed to help the user create properly formed user requests, but this too could overwhelm your employees and your systems.
Having a software solution to manage your Data Subject Access Requests for you means that you will be able to handle a heavy load if, and when, it ever happens.
3. Audit Trail
All regulations require that you track the date on which a request is made, details about the processing, and the date on which the data is transferred to the user. To do this manually, your company will have to ensure that everyone complies with your process and documents all of the steps during the workflow for the DSAR.
Using any kind of electronic system to track the requests enables you to produce a report for audit purposes at any point, allowing you to get your compliance reporting done automatically.
Enzuzo was designed to make CCPA and GDPR data request compliance easy. By seamlessly connecting to your existing tools, you are able to automatically handle the request when it comes in, handle high volumes, and maintain an audit trail of the workflow.
Using the customizable workflow, automate your process in a way that works for your company while maintaining consistency for your staff and employees, all while protecting your data and reducing effort.
Get started for free and immediately start loading your data privacy requests.