Today’s columnist, Steve Dickson of Netwrix, says that staying compliant with data privacy regulations like CCPA and GDPR requires storing sensitive data in secure locations.

Even as companies face the IT challenges of supporting remote work through the rest of the pandemic, data privacy and regulatory compliance remain central priorities.

In our research, data privacy was the No. 5 priority (41 percent) for IT professionals halfway through 2020, with regulatory compliance (29 percent) also a leading concern. We see these trends driven both by the requirement to conform to a growing list of privacy standards and by the recognition that privacy is a critical way to keep customer loyalty.

But compliance costs money. As new privacy standards appear worldwide, adding to the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR), the number of data subject access requests (DSARs) will grow substantially – driving an increased need to assure both efficiency and transparency when fulfilling privacy obligations.

Unfortunately, meeting the requirements and deadlines defined by privacy laws is extremely challenging in our new reality, in which many organizations are shifting towards long-term remote work. In fact, Gartner finds that a single subject rights request (SRR) for access costs organizations more than $1,400, and a majority of organizations take more than two weeks to provide a response.

Why so long? First, it’s challenging to identify and provide all relevant data for a particular individual. With so many offices closed and employees self-isolating, it’s physically impossible to get their hands on hard copies, which may be exactly the data that your customer requests. Second, DSAR management often falls on the shoulders of IT teams, and these teams are now more overworked than ever, managing the heightened security demands of their remote workforce.

Governing bodies make concessions, yet require transparency

In response to these challenges, governing authorities are making concessions to organizations. The Data Protection Commission has extended the official GDPR deadline for fulfilling DSARs from one month to two months if an organization has difficulties in processing customer requests. The Data Protection Commission also specifies that authorities are now ready to let organizations respond to DSARs in stages: a company can now provide electronic records first and hard copies later, when the quarantine ends.

Yet regulatory bodies still require transparency from organizations regarding the purpose of personal data collection, including how the data is processed and how the company plans to address a particular customer’s request. In fact, the entire success of DSAR management depends on the organization’s ability to communicate with its customers. If a company succeeds in this, it will ensure that everyone is familiar with the process, reducing customers’ possible anxiety and fulfilling each DSAR successfully. If not, the company may face penalties and lose new customers as well as customer loyalty, none of which any company can afford right now.

Stay transparent and manage DSARs effectively

Protecting a company from the financial and reputational consequences of non-compliance requires two steps:

First, companies must communicate regularly and in detail with their customers. Customers need to know how their data gets processed and why, how long the company plans to retain this data, and how the company will address their requests, especially if it’s done in stages.

Second, even if the deadlines are not strict, companies still have to process DSARs as quickly as they can. This requires a set of measures that speed up the response to these requests and reduce the burden on the IT team. Consider these practices:

  • Reduce the amount of data stored. The more customer data a company holds, the more data it will have to review, redact and disclose to fulfill DSARs. Moreover, GDPR Article 5(1)(e) says that companies cannot keep customer data for longer than they actually need it. Therefore, the company needs to stay transparent about how it uses customer data. State in the consent notice how long the company will store the data, and don’t keep data longer than needed.
  • Store all sensitive data in designated locations. Identify sensitive data and store it in secure locations. This demonstrates that the company supports the security and integrity of customer data, as required by Article 5(1) of the GDPR. But this practice also helps the company manage DSARs more efficiently: reducing the number of systems the company has to look through makes it easier to find the sensitive data related to a customer.
  • Establish efficient methods for completing data searches. Responding to a DSAR requires the company to carry out a reasonable search for the data subject’s personal data. This may mean searching through large amounts of data held in various formats and locations, such as email, Word documents, databases and messages in collaboration tools. Classify and tag all data. This makes the search more accurate and avoids the risk of providing irrelevant data. If possible, automate searches over these tags; this will help the team find all the data a customer requests faster.
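The three practices above fit together as one small workflow: records are classified and tagged when they are stored, a DSAR is answered by searching the tag index for one data subject rather than sweeping every system, the result is split into the electronic-first and hard-copy-later stages the column describes, and retention metadata is checked against the period promised at collection (Article 5(1)(e)). The following is an added example written for this page, not code from the column or from Netwrix; the record layout, the tag names, the `DataInventory` class and every sample record are constructed for illustration.

```python
"""Tag-indexed DSAR search over a classified data inventory.

Added illustration, not code from the column or from Netwrix. Records from
several storage locations are classified with tags when ingested; a DSAR is
answered by intersecting the subject index with the tag index instead of
searching every system. Retention metadata is checked against the period
promised at collection (GDPR Article 5(1)(e)), and results are split into the
electronic-first / hard-copy-later stages. The record layout, tag names and
sample records are all constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Record:
    record_id: str
    location: str        # system holding the record, e.g. "mailbox", "crm_db"
    medium: str          # "electronic" or "paper"
    subject_id: str      # pseudonymous identifier of the data subject
    collected_on: date
    retention_days: int  # retention period stated in the consent notice
    tags: frozenset      # classification labels applied at ingestion


class DataInventory:
    """Classified records, indexed by data subject and by tag."""

    def __init__(self):
        self._records = {}
        self._by_subject = defaultdict(set)
        self._by_tag = defaultdict(set)

    def ingest(self, rec):
        self._records[rec.record_id] = rec
        self._by_subject[rec.subject_id].add(rec.record_id)
        for tag in rec.tags:
            self._by_tag[tag].add(rec.record_id)

    def dsar_search(self, subject_id, required_tags=frozenset({"personal_data"})):
        """Records for one subject that carry every required tag.

        Scoping by tag keeps records that are not classified as personal
        data (system logs, for instance) out of the disclosure set.
        """
        ids = set(self._by_subject.get(subject_id, set()))
        for tag in required_tags:
            ids &= self._by_tag.get(tag, set())
        return sorted((self._records[i] for i in ids), key=lambda r: r.record_id)

    def overdue_for_deletion(self, today):
        """IDs of records held longer than the period promised at collection."""
        return sorted(
            r.record_id for r in self._records.values()
            if r.collected_on + timedelta(days=r.retention_days) < today
        )


def stage_response(records):
    """Split a DSAR result into staged delivery: electronic records first,
    paper records once they can physically be retrieved."""
    stages = {"stage1_electronic": [], "stage2_paper": []}
    for r in records:
        key = "stage1_electronic" if r.medium == "electronic" else "stage2_paper"
        stages[key].append(r.record_id)
    return stages


def build_sample_inventory():
    """Constructed sample data: one subject spread over several systems."""
    inv = DataInventory()
    for rec in [
        Record("r1", "mailbox", "electronic", "S-001", date(2020, 1, 10), 365,
               frozenset({"personal_data", "contact"})),
        Record("r2", "crm_db", "electronic", "S-001", date(2020, 3, 1), 730,
               frozenset({"personal_data", "billing"})),
        Record("r3", "archive", "paper", "S-001", date(2019, 1, 15), 180,
               frozenset({"personal_data", "contract"})),
        # system log row for the same subject, not classified as personal data
        Record("r4", "crm_db", "electronic", "S-001", date(2020, 5, 5), 365,
               frozenset({"system_log"})),
        Record("r5", "mailbox", "electronic", "S-002", date(2020, 2, 2), 365,
               frozenset({"personal_data", "contact"})),
    ]:
        inv.ingest(rec)
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    found = inv.dsar_search("S-001")
    print("DSAR S-001:", [r.record_id for r in found])
    print("staged delivery:", stage_response(found))
    print("overdue for deletion:", inv.overdue_for_deletion(date(2020, 9, 1)))
```

Run as a script, the search for subject `S-001` returns `r1`, `r2` and `r3` but not the untagged log row `r4` or another subject's `r5`; the paper record `r3` lands in the second delivery stage, and the retention check flags it as held past the 180-day period promised when it was collected. In a real deployment the tags would come from a classification tool at ingestion time and the index would live in the data catalogue, but the shape of the check is the same: the scope of a DSAR search is bounded by what has been classified, which is why tagging everything is the step that makes the automation trustworthy.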

While it takes some work to follow these steps, the ability to fulfill DSARs transparently and without delay can create customer loyalty, something that’s particularly important during these uncertain times. Communicate with customers regularly, make sure everyone understands the stages of DSAR management, and implement relevant measures to streamline the process. This will help the company comply with all the requirements of governing authorities and build trusted relationships with customers.

Steve Dickson, chief executive officer, Netwrix