The EU’s General Data Privacy Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have greatly expanded consumers’ control over their personal data that is collected by businesses. As a result, organizations are now required to implement processes for managing subject rights requests (SRRs)/data subject access requests (DSARs) under the new regulations.
Major Requirements Under GDPR and CCPA
GDPR and CCPA have largely similar goals but have implemented them in different ways. Most new requirements are the same across GDPR and CCPA, including the following:
- Notification: Companies are required to notify data subjects of the data being collected and how it will be used.
- Disclosure: Data subjects may request access to a copy of collected data under certain conditions and with some exceptions.
- Erasure: Data subjects may request that an organization (and its service providers) delete all copies of collected data.
- Opt-Out: CCPA enables opting out of the sale of data to third parties. GDPR allows data subjects to restrict or object to data processing and to object to automated decision making under certain circumstances.
Despite the similarities between the two regulations and their shared intent, the details differ significantly. For example, the CCPA protects data at the household level as well as the individual level, while the GDPR generally provides a data subject with more rights than the CCPA.
Challenges of SRR and DSAR Compliance
While the details of the CCPA and the GDPR vary, both impose similar underlying requirements on an organization that collects and processes personal information of data subjects protected under the regulations. To maintain compliance, an organization must have full visibility into the data it has collected about a data subject and must respond appropriately to an SRR/DSAR.
SRRs/DSARs require an organization to have specific capabilities:
- Rapid Response: The CCPA allows 45 days for a response to an SRR, and the GDPR response window for a DSAR is one month. Extensions are allowed, but only after informing the data subject within this initial window.
- Full Data Visibility: An organization must be able to provide all data collected regarding an individual, regardless of where it is stored within the organization (databases, cloud, desktops, etc.).
- Data Processing Visibility: In an SRR/DSAR, an organization must divulge how a data subject’s information has been processed.
- Third-Party Visibility: An organization can be required to inform data subjects of third parties with whom they have shared the data subject’s PII and must inform service providers of data deletion requests.
Simplifying SRRs/DSARs with 1touch.io
Complying with the requirements of SRRs/DSARs before the deadline can be challenging if an organization does not already have robust data tracking and management in place. 1touch.io enables an organization to automatically discover and track data subjects’ PII wherever it is located within the organization and to store the tracking information in a Master Catalog. The 1touch.io SRR/DSAR Ticketing System offers OpenAPI integration and is connected to the Master Catalog, enabling centralized tracking and immediate responses to SRRs/DSARs. Learn more about how you can become CCPA compliant and how to prepare for the CPRA. 1touch.io can help!