Perhaps the most customer-facing and public compliance requirements of the GDPR, CCPA and LGPD concern the rights of the data subject, often referred to as individual rights or data subject access requests (DSARs). These regulations have significantly raised the bar for how businesses address individual rights and the related requests: the types of request they must handle, and the timelines and process they must follow to fulfill them.
To build consumer trust and meet data subject rights requirements, organizations need a consistent, streamlined process for the intake and management of consumer requests.
This webinar will review:
-Summary of data subject rights requirements for GDPR, CCPA & LGPD
-Best practices and tips to comply
-Practical steps for implementing a Data Subject Rights Management program, along with sample case studies
2. Speakers
K Royal
FIP, CIPP/US/E, CIPM, CDPSE
Associate General Counsel,
Privacy Intelligence
TrustArc
Maggie Gloeckle
FIP CIPP/US/E, CIPM, CIPT, CDPSE, PMP
VP, Privacy and Compliance Counsel
A&E Networks
3. Agenda
● Data subject rights under GDPR, CCPA, & LGPD
● Recommended practices and tips to comply
● Practical steps for implementing a Data Subject Rights Management program
4. Quick Review
GDPR: the European Union's General Data Protection Regulation, passed in 2016 and effective in 2018.
CCPA: the California Consumer Privacy Act; the process started in 2017, the act passed in 2018, was amended in 2019, and regulations followed in 2020, plus newly proposed modifications and the looming California Privacy Rights Act (CPRA).
LGPD: Brazil's Lei Geral de Proteção de Dados, passed in 2018 to take effect in 2020; it was not delayed this year, although enforcement of sanctions was pushed out to 2021.
5. Poll 1
What are you most interested in learning about today?
1. Specifics on laws and individual rights
2. Case studies / practical examples
3. How to operationalize managing individual rights
4. All of the above
7. What are Individual Rights?
8. Individual Rights Mapped to Other Regulations
Regimes compared: GDPR, CCPA, LGPD, NZ Privacy Act 2020, Japan LPPI*, China Civil Code, Dubai DPL 2020, Egypt LPPD, Privacy Shield
● Access: X under all nine
● Correction: X under all nine (CCPA shown as Z*)
● Erasure: X X X X X X X (seven of the nine)
● Object / Opt-out: X X X X X X X (seven of the nine)
● Portability: X X** X X (four of the nine)
9. GDPR Individual Rights
Article Right of the Data Subject
15 Right of access
16 Right to rectification
17 Right to erasure (‘right to be forgotten’)
18 Right to restriction of processing
19 Notification obligation regarding rectification or erasure of personal data or restriction of processing
20 Right to data portability
21 Right to object
22 Automated individual decision-making, including profiling
10. Individual Rights
Articles 15 - 22
Credit to the brilliance of Ashley Slavik
Chief Privacy Officer, Lead Data Counsel
Veeva Systems
11. CCPA Individual Rights
CCPA Section Right of the Consumer
§ 1798.100 Right to access, notice, and data portability
§ 1798.105 Right to deletion
§ 1798.110 Right to disclosures of personal information
§ 1798.115 Right to disclosures of personal information sold
§ 1798.120 Right to opt-out of sales
§ 1798.125 Right to nondiscrimination
12. CCPA Individual Rights: Third set of proposed modifications - Oct. 12
Collection of personal data (§ 999.306)
● Interacting with consumers offline: must provide an offline method, which the consumer is made aware of, for exercising the right to opt out
● Over the phone: may provide the notice orally during the call in which the information is collected
Opting out (§ 999.315)
● Must be easy for the consumer and require a minimal number of steps
Examples: don't ask for information that is unnecessary to process the request; making the consumer scroll through a page to find the opt-out is bad
Authorized agent (§ 999.326)
● Clarifies the proof a business may require an authorized agent to provide, and
● What the business may require the consumer to do to verify their request
13. LGPD Individual Rights
Art. 18 Right of the Data Subject
I Confirmation of the existence of the processing
II Access to the data
III Correction of incomplete, inaccurate or out-of-date data
IV Anonymization, blocking or deletion of unnecessary/excessive data or data processed in
noncompliance with the law
V Portability to another provider, by express request, subject to commercial and industrial secrecy
VI Deletion of personal data processed with consent of the data subject
VII Information on public/private entities where controller shared data
VIII Information about denying consent and the consequences
IX Revocation of consent as provided in §5 of Art. 8
14. Poll Question
Where would you categorize your individual rights management program?
1. Initial / ad hoc - respond as arises
2. Repeatable - some processes
3. Defined - policies in place
4. Managed
5. Optimized
15. Compliance Requirements
Method of request
  GDPR: Not addressed
  CCPA: Two or more methods, including a toll-free phone number and an online method
  LGPD: Not addressed
Delivery of response
  GDPR: Must be concise, transparent, intelligible, easily accessible, in clear and plain language (especially for a child); in writing, electronically, or orally if identity is verified. Electronic request = electronic delivery.
  CCPA: Through the consumer's account if one exists, otherwise by mail or electronically at the consumer's option (a business may not require an account to be created for this purpose)
  LGPD: Printed or electronic, at the data subject's choice, by safe and suitable means
Number of requests permitted
  GDPR: Not addressed (if excessive because of their repetitive nature, may charge a fee or refuse to act)
  CCPA: May limit to 2 in a 12-month period
  LGPD: Not addressed
Limitation time frame
  GDPR: Not addressed
  CCPA: Applies to information collected in the preceding 12 months
  LGPD: Not addressed
16. Compliance Requirements
Identity verification
  GDPR: May refuse to act if unable to identify the requester; may require further information to confirm identity where reasonable doubt exists
  CCPA: Verifiable request required, but the time spent verifying identity does not extend the time to respond
  LGPD: Not addressed, but the law does have "express consent"
Timeframe to respond
  GDPR: Without undue delay and in any event within one month
  CCPA: 45 days
  LGPD: Confirmation and access: immediately in simplified form, otherwise within 15 days
Extension of response time
  GDPR: Two further months where necessary, given the complexity and number of requests; inform the data subject within the first month, with the reason for the delay
  CCPA: An additional 45 days, if the consumer is informed during the first 45 days
  LGPD: Not addressed
Charge
  GDPR: Free, unless manifestly unfounded or excessive, in which case a reasonable fee
  CCPA: Free, except for multiple copies, for which administrative costs may be charged
  LGPD: Free
Training for processing requests
  GDPR: The DPO advises on obligations and monitors compliance, including awareness-raising and training
  CCPA: All individuals responsible for handling inquiries must be trained
  LGPD: The DPO orients employees and contractors on the practices to follow for personal data protection
18. Poll Question
How many individual rights requests do you receive in total (that require some level of
management)?
1. less than 10 a month
2. between 11 - 100 a month
3. between 101 - 500 a month
4. between 501 - 999 a month
5. more than 1,000 a month
19. Key Individual Right: The Right to Access
GDPR Article 15: includes confirmation that personal data are being processed; the information may be provided by various methods
● Exception: Aside from the uniform exception for manifestly unfounded or excessive requests, the
right to access should only be limited to the extent it adversely affects the rights and freedoms of
others.
CCPA Section 1798.100: Right to know
● Exception: The CCPA regulations make an exception for disclosure where there is a conflict with
state or federal law, and prohibits businesses from disclosing certain data elements like
government-issued identification numbers, financial account numbers, account passwords, security
questions and answers, health insurance or medical ID numbers, and unique biometric information.
LGPD Article 18, II: Right to Access
● Exception: the LGPD does not provide a list of exceptions to the right to access, but does state that
access should be provided taking into consideration trade and commercial secrecy and LGPD does not
apply to data processed exclusively for purposes of: a) public safety; b) national defense; c) state
security; or d) activities of investigation and prosecution of criminal offenses
20. Practical Example: The Right to Access
● A request for the CCTV footage from inside a store (or from an employer) to identify who may have stolen something or performed a particular action; or footage from a parking lot (a crime seems a logical reason to ask, but what about someone who left a note on a car?)
21. GDPR: Key Individual Right: The Right to Erasure (‘Right to be Forgotten’)
Eligible only if:
● personal data are no longer necessary for purposes they were collected or otherwise processed;
● DS withdraws consent and where there is no other legal ground for the processing;
● DS objects to processing (marketing, public interest) and no overriding legitimate grounds exist
● the personal data have been unlawfully processed;
● the personal data have to be erased for compliance with a legal obligation; or
● the personal data were collected in relation to the offer of information society services to a child (Art. 8(1))
Exceptions:
● exercising the right of freedom of expression and information;
● compliance with a legal obligation by law, public interest or official authority task;
● public interest in the area of public health;
● archiving purposes in the public interest, scientific or historical research purposes or statistical
purposes; or
● establishment, exercise or defence of legal claims
22. CCPA: Key Individual Right: The Right to Erasure
Exception: Businesses may decline to delete a consumer's personal information when the business requires that information in order to:
■ Complete the transaction for which the personal information was collected, provide a good or service
requested by the consumer, or reasonably anticipated within the context of a business’s ongoing
business relationship with the consumer, or otherwise perform a contract between the business and the
consumer.
■ Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or
prosecute those responsible for that activity.
■ Debug to identify and repair errors that impair existing intended functionality.
■ Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or
exercise another right provided for by law.
■ Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6
(commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
■ Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest
that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the
information is likely to render impossible or seriously impair the achievement of such research, if the
consumer has provided informed consent.
23. LGPD: Key Individual Right: The Right to Erasure
Article 18, VI: deletion of personal data processed with the consent of the data subject, except in the situations provided in Article 16 (Termination of Data Processing); Article 18, IV: deletion of unnecessary or excessive data
Exceptions:
Personal data shall be deleted following the termination of their processing, within the scope and
technical limits of the activities, unless retention is authorized for the following purposes:
● compliance with a legal or regulatory obligation by the controller;
● study by a research entity, ensuring, whenever possible, the anonymization of the personal data;
● transfer to third parties provided that the requirements for data processing as provided in this Law
are obeyed; or
● exclusive use of the controller, with prohibited access by third parties and provided the data has
been anonymized.
And keep in mind, LGPD does not apply to data processed exclusively for purposes of: a) public safety;
b) national defense; c) state security; or d) activities of investigation and prosecution of criminal
offenses (Article 4)
24. Practical Example: The Right to Erasure (‘Right to be Forgotten’)
Common examples we have seen:
● Drug screens
● Prior applications for jobs
● Annual reviews
● Social media posts
● Internet search history
● Movie rental history
● Hotel stays
● Visits to restaurants
● Church records
● Grades / school records
25. Key Individual Right: The Right to Restriction of Processing
GDPR Article 18: Individuals may, in certain circumstances, have their personal data excluded from
processing. This right prevents the personal data from being used for most processing purposes, other than
simply storing the data (with exceptions). Once the processing has ceased, the controller must notify an
individual before processing resumes. Data subjects may request and obtain cessation of processing (Article
18(1)).
● Exception: If processing has been restricted, it may only be processed with “the data subject’s
consent, or for the establishment, exercise, or defense of legal claims or for the protection of the rights of
another person”.
CCPA Section: The CCPA does not have an analogous right.
LGPD Article 18 IV and IX: Blocking and also revocation of consent as provided in §5 of Article 8 of this
Law. §2 The data subject may oppose the processing carried out based on one of the situations of waiver of
consent, if there is noncompliance with the provisions of this Law.
26. Practical Example: The Right to Restriction of Processing (and Blocking)
● Request for deletion denied, requests restriction of processing while awaiting
resolution
27. Key Individual Right: The Right to Data Portability
GDPR Article 20: The GDPR introduced the right to data portability. This right supports the free flow of information, gives users control and empowerment, and fosters competition and the development of new services.
● Exception: This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right is also limited where it adversely affects the rights and freedoms of others.
CCPA, this right is included in the right to access in section 1798.100(d) and simply requires that if the data is
"provided electronically, the information shall be in a portable and, to the extent technically feasible, in a
readily useable format that allows the consumer to transmit this information to another entity without
hindrance".
LGPD, in Article 18, V, provides portability of the data to another service or product provider, by means of an
express request and subject to commercial and industrial secrecy, pursuant to the regulation of the controlling
agency; In addition, Article 11 prohibits sharing sensitive data between controllers to obtain an economic
advantage, except portability consented by the data subject. Also, anonymized data is exempted
28. Practical Examples: The Right to Data Portability
● Porting contracts from one contract manager solution to another
● Books from reading services or movies from providers?
● Medical records
Notes:
GDPR Recital 68 “The data subject's right to transmit or receive personal data concerning him or
her should not create an obligation for the controllers to adopt or maintain processing systems
which are technically compatible.”
LGPD - commercial secrecy
29. Steps to Comply
● Ensure you understand what data you collect, how it is collected, and where it resides.
● Establish an intake process for individual rights requests that is easy for the individual, and make sure it is well communicated throughout the organization. A request may come in through many routes, and the person receiving it needs to recognize that a request is being made; individuals typically won't know or use the exact wording of the law.
● Validate the individual's identity.
● Once the request is validated, have a process to review it: evaluate the data referenced, the reasons for processing that data, and any applicable exceptions.
● Have a response process.
● Put in place an appeals process for denied requests, and retain documentation throughout the process.
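To make those steps concrete, here is an added Python example, written for this page and not TrustArc's product or any code from the speakers, that carries one request through the lifecycle: intake, the identity gate, deadline and extension arithmetic taken from the compliance tables above, denial and appeal, and an audit entry for every transition. The state names, the ISO-date inputs and the month-counting rule in add_months are assumptions; the LGPD clock used is the 15-day confirmation/access period, and no LGPD extension is modelled because the table lists none.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Regime(Enum):
    GDPR = "GDPR"
    CCPA = "CCPA"
    LGPD = "LGPD"


class State(Enum):
    RECEIVED = "received"
    VERIFIED = "identity verified"
    REFUSED_UNVERIFIED = "refused: identity not established"
    RESPONDED = "responded"
    DENIED = "denied"
    APPEALED = "appealed"


def as_date(d) -> date:
    """Accept a date or an ISO string, as intake forms usually deliver strings."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def add_months(d: date, months: int) -> date:
    """Same day of month N months on, clamped to month end. Assumption: this is
    how 'one month' under GDPR Art. 12(3) is counted; check local guidance."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    first_of_next = date(year + (month == 12), month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


# Response clocks from the webinar's compliance table.
INITIAL = {
    Regime.GDPR: lambda d: add_months(d, 1),
    Regime.CCPA: lambda d: d + timedelta(days=45),
    Regime.LGPD: lambda d: d + timedelta(days=15),
}
EXTENSION = {  # applied to the initial deadline, once, if notified in time
    Regime.GDPR: lambda d: add_months(d, 2),
    Regime.CCPA: lambda d: d + timedelta(days=45),
}


@dataclass
class DataSubjectRequest:
    request_id: str
    regime: Regime
    received: date
    right: str                      # "access", "erasure", "portability", ...
    state: State = State.RECEIVED
    extended_until: Optional[date] = None
    audit: list[str] = field(default_factory=list)   # retained documentation

    def __post_init__(self):
        self.received = as_date(self.received)
        self._log(self.received, f"{self.right} request received under {self.regime.value}")

    def _log(self, on, event: str) -> None:
        self.audit.append(f"{as_date(on).isoformat()} {event}")

    @property
    def deadline(self) -> date:
        return self.extended_until or INITIAL[self.regime](self.received)

    def verify_identity(self, on, method: str, succeeded: bool) -> None:
        """Identity gate. The clock keeps running while you verify (CCPA says so
        explicitly); a failed check refuses the request, which GDPR permits when
        the controller cannot identify the data subject."""
        if self.state is not State.RECEIVED:
            raise ValueError("identity already decided")
        self.state = State.VERIFIED if succeeded else State.REFUSED_UNVERIFIED
        self._log(on, f"identity {'verified' if succeeded else 'not established'} via {method}")

    def can_extend(self, on) -> bool:
        """GDPR: +2 months; CCPA: +45 days; only once, and only if the data
        subject is notified within the initial period. LGPD: none."""
        return (self.regime in EXTENSION and self.extended_until is None
                and self.state in (State.RECEIVED, State.VERIFIED)
                and as_date(on) <= self.deadline)

    def extend(self, on, reason: str) -> None:
        if not self.can_extend(on):
            raise ValueError("extension not available for this request/date")
        self.extended_until = EXTENSION[self.regime](self.deadline)
        self._log(on, f"extension to {self.extended_until} notified; reason: {reason}")

    def close(self, on, granted: bool, note: str) -> None:
        """Only a verified request gets an answer; a late answer is recorded as late."""
        if self.state is not State.VERIFIED:
            raise ValueError("only a verified request can be answered")
        self.state = State.RESPONDED if granted else State.DENIED
        late = " (LATE)" if as_date(on) > self.deadline else ""
        self._log(on, f"{self.state.value}{late}: {note}")

    def appeal(self, on) -> None:
        if self.state is not State.DENIED:
            raise ValueError("only a denied request can be appealed")
        self.state = State.APPEALED
        self._log(on, "appeal opened")

    def overdue(self, today) -> bool:
        return (self.state in (State.RECEIVED, State.VERIFIED)
                and as_date(today) > self.deadline)


if __name__ == "__main__":
    req = DataSubjectRequest("DSR-1", Regime.GDPR, "2020-01-31", "access")
    req.verify_identity("2020-02-03", "account login plus e-mail one-time code", True)
    req.extend("2020-02-20", "records spread across HR and loyalty systems")
    req.close("2020-04-28", True, "access pack delivered electronically")
    print("\n".join(req.audit))
```

Two points a practitioner should take from it: the verification step is a gate, not a pause, so the deadline is always computed from the receipt date however long verification takes; and can_extend refuses an extension notice sent after the initial period, which is the mistake that turns a slow response into a late one.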
30. Best Practice Tips
Incorporate these rights into your privacy program and ensure there is an
established process from beginning to end.
Take your data inventory and data processing records a step further to
envision requests made for that data.
Work with your vendors to ensure that these rights can be honored on their side,
and get documentation to validate that ability.
Be helpful. This is not an adversarial process. These are rights provided to
individuals to protect their freedoms and right to privacy.
32. Case Study
Ann worked at a large grocery store chain (Food-n-More, HQ in California) and was also both a customer and a
rewards member. She was honored to be profiled in their public blog as the employee of the month. Food-n-More
provided great benefits, including tuition reimbursement. After she resigned to attend college full-time in Arizona,
she worked for them during seasonal busy times, such as Christmas.
Ann used Food-n-More’s online individual rights form to request access to her information. She received a
response back that they determined the only information they have on her is her email subscription.
Ann contacted the email this response came from stating that she was a past employee and in fact, still worked for
them seasonally. No response.
Ann looked up the contact information online and called the number listed. It went to the general answering service.
She explained the purpose of her call and was routed to the HR hotline. She left a message, but also called a
number listed for customer service. She explained what she wanted and the person asked her to hold. After coming
back on, the person routed her to a voicemail that instructed her to leave details for her inquiry.
After multiple back-and-forth communications with both HR and the privacy department over about 4 months, Ann
finally received information on her employment dates, role, and pay rate, and was told she could request benefit
information for her full-time employment.
*This fictitious case study was written to highlight the best practice tips.
33. Case Study Continued
What went wrong here? The company did not:
● Give a complete response (the employee records were missed)
● Have a process to clarify responses
● Train all the people who handle requests
● Have a process to receive and evaluate requests within the required timeframes
● Have a plan for timely communication or response
What went right? The company did:
● Have an individual rights form
● Have someone in privacy
● Provide the information, eventually
If the company had an Individual Rights program in place, the process could have been smoother.
Efficiently managing numerous requests per month can be further enhanced through a technology
solution designed to automate and streamline requests processing.
34. Automate the data subject request lifecycle
TrustArc Individual Rights Manager enables organizations to efficiently and securely respond to data subject requests at scale. With the ability to configure and automate workflows, combined with our unique privacy intelligence solution, organizations can meet global regulatory requirements, reduce cost, and build customer trust.
● Confidently Maintain Global Compliance: Receive contextualized, up-to-date regulatory guidance to ensure workflows are always aligned with the latest privacy regulations.
● Tailor Workflows to Meet Every Need: Address business requirements by customizing automated workflows to streamline end-to-end request fulfillment.
● Streamline Verification Process: Configure identity verification workflows based on regulatory requirements by leveraging our suite of validation approaches and integrated partner solutions.
● Deliver a Branded Experience: Create an on-brand privacy experience through customizable intake forms, landing pages, and email templates.
36. Upcoming Webinars
● Schrems II: Practical Considerations from a Legal Process and Technology Perspective: October 27, 2020 @ 9:00 PST
● How to Manage Vendors and Third Parties to Minimize Privacy Risk: October 28, 2020 @ 9:00 PST
● Post 'Schrems II': Examining Your Options and How to Action the Ruling: October 29, 2020 @ 9:00 PST