GDPR and CCPA compliance: The stakes are high
Last month, my brother-in-law called with a seemingly simple question: “Remember that tent I loaned you?”
In the blink of an eye, my mind raced. How long ago did he give me the tent? Is it in the basement, toolshed or garage? Or did I sell it after binge-watching Marie Kondo? Why is he asking for his tent in the middle of winter and what does “loan” mean?
After all this time, don’t I have the right to forget about the tent?
Clearly, I already have.
“I’m planning a motorcycle trip in the spring,” he explained. “I wanted to make sure you had it before I bought one for no reason.”
Spring, he said. At least that bought me some time, but I had no idea where to look and no desire to start.
Worst-case scenario: I buy him a new tent, my ego gets a little bruised, and he thinks twice before loaning me his chainsaw again.
Admittedly, this is a low-stakes game, but for organizations being asked to find customer data, the stakes are extremely high.
Increasingly, governments around the world are being pressured by citizens to provide protection for the data they divulge every day.
Both GDPR and CCPA mandate not only that you disclose the type and location of data you hold on individuals, but also supply said data upon request and, in some cases, delete said data.
Disclosure under GDPR and CCPA
Under GDPR, The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information that includes: the purposes of the processing; the categories of personal data concerned.
Under CCPA, a business that receives a verifiable request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section.
Access rights under GDPR and CCPA
With GDPR, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.
With CCPA, a consumer shall have the right to request that a business delete any personal information about the consumer, which the business has collected from the consumer.
The right to be forgotten
In both cases, these instances commonly are referred to as “The right to access” and ‘The right to be forgotten.”
By either moniker, people are taking these rights seriously. In the first year of GDPR, over 140,000 individual complaints were made, resulting in fines against 91 organizations.
As for CCPA, the grace period does not end until July 1, 2020, but it is reasonable to expect complaints on a similar, if not larger, scale once it does.
The EU represents the world’s second-largest economy; California is the largest economy in the United States.
This means there is a very good chance that some—if not most—of your customer data is subject to GDPR and/or CCPA compliance.
A better way to handle Data Subject Access Requests
So, if you have customer data (you do), and it’s in scope for GDPR or CCPA (it is), how confident are you in your ability to handle a Data Subject Access Request? If you’re like many companies I’ve come across, the answer is, unfortunately, you’re not.
One way we are helping organizations handle Data Subject Access Requests is Titus Accelerator for Privacy. This module delivers an out-of-the-box ability to understand, control and manage personal data with deep learning and natural language processing technologies.
The software is unique in that it uses both data content—and context—to examine personal, financial, health, security and sensitive information in data both at creation, and with our recent announcement, in data at rest as well.
Once this data is identified, metadata can be applied so your other security tools can share and store customer data, as appropriate.
And since Titus metadata is customizable, actionable and specific, you are uniquely positioned to respond to Data Subject Access Requests in ways not available to others.
Compliance is complex, no doubt about it
The right to be forgotten is not as simple as searching repositories for John Doe and hitting delete.
In many cases, there is a good reason you possess this personal data and, often there is a legal obligation to continue doing so. Both GDPR and CCPA outline conditions in which a deletion request could, or must, be denied in order to comply with any number of superseding obligations.
It’s precisely the kind of complex problem that requires combining the world’s most extensible metadata structure with the world’s most advanced data detection tool to solve.
By doing so, Titus customers are able to locate data in scope for a multitude of privacy regulations, identify the personal data contained within, and better understand the reasons for holding this data.
If it sounds too good to be true, Titus has news for you.
As said earlier, these are high-stakes scenarios.
Regulatory malfeasance carries not only real monetary consequences, but also a loss in customer trust, which is much harder to replace than my brother-in-law’s tent.