Responding to DSARs: How to Navigate Operational Challenges and Complexities
The ability to respond to normal course of business requests can be challenging, but relying on regular staffing for the flood of requests stemming from a data breach is not tenable.
April 08, 2020 at 07:00 AM
Part 1 of this article looked at the similarities between responding to data subject access requests (DSARs) and the response to litigations and investigations. Part 2 takes a closer look at the operational challenges of responding.
When it comes to data subject access requests (DSARs), there are two contexts to consider: 1) the normal course of business where consumers are exercising their rights, and 2) where there has been a data breach.
As a normal course of business, you may receive a few manageable requests that internal resources can cope with. When there is a breach, a large organization can receive thousands of requests. The volume alone creates huge challenges.
You need a plan.
In either case, the activities required to respond to the consumer are the same. The corporation must act diligently whether it is one request or 10,000. Absent a complete catalog of consumer data, and of PII specifically, responding will be costly and painful at best.
Preparedness
Data Mapping: While data mapping is a daunting exercise, GDPR and CCPA guidelines require that organizations have a record of data storage and flow including origination, how it is maintained, used and accessed. Data mapping is now a requirement.
Note that even with extensive data mapping you will not find everything. If an employee copied data to their laptop to run reports, for example, it will be difficult to find—to say nothing of "shadow IT" issues. Here, forensic analysis can be useful.
Planning: As set out in Part 1, organizations need well-defined workflows to operationalize the response effectively. Alternative legal service providers (ALSPs) are applying the process expertise they have built designing, documenting, and executing legal operations such as contract lifecycle management and compliance programs to managing DSAR responses. This covers communications; data identification, collection, and analysis; QA/QC; and production.
Proper planning will ameliorate many of the fundamental challenges.
Firstly, recognize the complexity involved. Many organizations understand the process at a high level, but there is evidence that few have gone through the rigor of understanding what's involved, including the potential volumes. Just managing the necessary communications to consumers and internal stakeholders can be challenging.
Secondly, have knowledgeable resources for each data repository. Are IT or the data owners (e.g. finance, sales, operations, etc.) able to manage data identification and collection in addition to their regular work?
Finally, does the organization have the resources to plan and execute from identity authentication and communication through to production?
Execution
Requestor Identity Authentication: The last thing you want to do is send personally identifiable information to the wrong person and thereby create a data breach. This becomes challenging when the existing consumer relationship does not already involve a password-protected account with multi-factor authentication in use, which would otherwise be sufficient. Both the GDPR and CCPA have guidelines on identity verification, which can include using third-party services.
Communications Management: When thousands of requests come in, they can quickly overwhelm organizations. That said, even low volumes of data subject requests must be carefully managed between internal departments, customer relations, and legal counsel. Internally, a request for the relevant data must be sent to each data owner. Externally, communications with requestors must be managed from both customer service and legal perspectives.
Sophisticated ALSPs like QuisLex and a few others are experienced in acting as points of contact (POC). They draw on skills honed in areas such as contract management and establishing communications protocols. This includes creating work tickets for the various groups that need to act on the data, communicating with customers, and managing escalations.
While this can involve automation, communications from consumers often require individual responses addressing specific concerns. An angry customer may require escalation to customer service or counsel for input on determining an appropriate response or if a lawsuit is threatened.
Gather and Process: As in any discovery process, the data must be collected and processed so that it can be formatted and made accessible to the ALSP, which then performs redactions and QA/QC and readies it for production.
There are several products available that help extract the necessary data from systems, but this assumes that you can actually interface with those systems through APIs. This is not always the case. The reality of any large organization is that not all systems are state-of-the-art. Attempts to implement robotic process automation (RPA) have also been problematic, as RPA is brittle when the target system does not behave as expected. RPA output also often contains errors, such as the inclusion of other consumers' PII. Identifying these false positives and other issues is vital to avoiding unlawful disclosure of PII.
Arguably, leading ALSPs can perform data collections more efficiently and effectively—including scripted routines where those are effective—than off-the-shelf software or RPA implementations.
Review and Produce: The occurrence of false positives is the central reason that human intervention is required. IP addresses can look like Social Security numbers. Credit card numbers can be confused with other numeric values. And if you are looking for identifiers across countries, the number of format combinations increases the rate of false positives. As noted in Part 1 of this article, an eyes-on-data review is required to catch these errors, redact PII not belonging to the requestor, and carry out quality assurance procedures.
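As an added illustration, not taken from the article or from any ALSP's tooling, the Python below shows how a separator-stripping "nine digits means SSN" rule misfires on an IP address, and how format, range and Luhn checksum rules cut those false positives; the sample record, regular expressions and SSA range rules are assumptions made for this example.

```python
import re

# Constructed sample record (not real data): an IPv4 address whose digits total
# nine, a dashed SSN-style value, a Luhn-valid test card number, and a 16-digit
# order number that is not a card.
SAMPLE = ("Login from 172.16.5.201 for cust ref 123-45-6789; paid with card "
          "4539 1488 0343 6467, order 1234 5678 9012 3456.")

TOKEN_RE = re.compile(r"[\d.\-]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def naive_ssn_scan(text):
    """Strip separators, flag any nine-digit run: the rule behind the
    IP-looks-like-SSN false positive the article describes."""
    return [t for t in TOKEN_RE.findall(text)
            if len(re.sub(r"\D", "", t)) == 9]

def luhn_ok(digits):
    """Luhn mod-10 checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_plausible(area, group, serial):
    """SSA never issues area 000/666/900+, group 00 or serial 0000."""
    return (area not in ("000", "666") and int(area) < 900
            and group != "00" and serial != "0000")

def scan(text):
    """Classify identifiers with format and checksum rules so that IP
    addresses and arbitrary numbers are not reported as PII."""
    found = {"ipv4": [], "ssn": [], "card": []}
    for m in IPV4_RE.finditer(text):
        if all(int(o) <= 255 for o in m.group().split(".")):
            found["ipv4"].append(m.group())
    for m in SSN_RE.finditer(text):          # dashed form only, never dotted
        if ssn_plausible(*m.groups()):
            found["ssn"].append(m.group())
    for m in CARD_RE.finditer(text):         # 13-19 digits AND Luhn-valid
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found["card"].append(m.group().strip())
    return found
```

Running naive_ssn_scan(SAMPLE) reports the IP address alongside the real SSN-style value, while scan(SAMPLE) separates the two and drops the order number that fails the Luhn check; the hits that survive are still what a reviewer should confirm by eye before redaction or production.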
While production of the requestor's data corpus can benefit from automation, it will require manual manipulation, particularly to meet the GDPR and CCPA requirements for portability and easily readable formatting.
Conclusion
It is difficult to imagine an organization having the necessary resources to manage data subject requests on their own. The ability to respond to normal course of business requests can be challenging, but relying on regular staffing for the flood of requests stemming from a data breach is not tenable.
Data privacy regulations are turning what might otherwise be a C-suite thought experiment into an urgent reality. Engaging external resources like leading ALSPs, well-versed in executing against these requirements, is the logical choice. ALSPs bring years of legal process expertise with the ability to deploy the people and know-how to cost-effectively execute and mitigate the risk of non-compliance when responding to data subject requests.
Adam Beschloss is principal at Content Logic. He has more than 20 years' experience in transformational technology- and process-driven services in the legal industry. He has held leadership positions at a Big Four, a renowned global technology company and a leading alternative legal service provider. Beschloss earned his B.A. at Columbia University.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.