“Welcome to ‘Privacy Requests 101: The Complete DSR Fulfillment Course.’
I’m Josh, and I’ll be your host for this course.
Let’s start with the basics: From sign-up to new services and buying products online to social media and communications, every company collects data from its users. The emerging and increasing new data protection and consumer privacy laws allow users to interact with their data via data subject requests. As we’ll see in a moment, there are different kinds of DSRs, which stands for Data Subject Requests.
[Definition: DSR - Data Subject Request]
A DSR occurs when an individual requests to activate one of their rights, such as to get a copy of their data, modify it or remove the personal data about them that’s residing at the company.
When a user submits a DSR, they have eight rights (depending on the specific privacy regulation). The most popular are:
- The Right to Information
- The Right of Access
- The Right to Rectification
- The Right to Erasure
- The Right to Restriction of Processing
- The Right to Data Portability
- The Right to Object
- The Right to Avoid Automated Decision-Making
According to the GDPR, you have 30 days to respond to DSRs. The timer starts once the request and the user’s identity are verified. If you don’t follow this timeframe, you can face serious fines and consequences that can reach up to 10 million euros, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher.
[GDPR Rights]
DSRs and other privacy requests are protected under federal and state privacy laws. Under Articles 15-17 of the General Data Protection Regulation (also known as the GDPR), users have a right to:
- Access personal information, also known as a data access request, or get a copy.
- Rectify or correct inaccurate personal information
- And finally, remove all traces of personal information, also known as the right to be forgotten.
[CCPA Rights]
Under the California Consumer Privacy Act (also known as the CCPA), users have continued rights, such as:
- The right to know what personal information a company collects from them and how they use or share it.
- The right to remove their personal information from records (in most cases)
- The right to opt-out of having their information sold to third parties related to advertising or marketing activities, also known as “do-not-sell”
- The right to not be discriminated against for exercising these rights.
According to the CCPA, you have 45 days to respond to DSRs. The timer starts once the request and the user’s identity are verified.
The CCPA states that the maximum civil penalty is $2,500 for every unintentional violation and $7,500 for every intentional violation of the law. Therefore, the CCPA considers a penalty per violation, which is a costly risk for businesses that must comply with the CCPA.
[Types of Privacy Requests]
If we look at GDPR and CCPA together, there are ten types of privacy requests that every privacy, data, and security professional should remember and understand. We’ve touched on most of these already, so let’s review:
#1: Access
Every user or “data subject” has the right to request to know what level of access the company has to their data. This includes the who, what, and how: Who has access to this information, including third parties, what data has been collected or sold, and how this data is being used and processed.
#2: Erasure
Also known as “the right to be forgotten,” erasure allows users to request that their personal information be removed from a company’s database.
#3: Informed
Data subjects have the right to be informed when their data is being used by a company.
#4: Non-discrimination
Users should not face any consequences or discrimination for exercising their rights.
#5: Not allow automated decision-making
Users can opt-out of having their personal information used for automated decision-making, like when a company uses user data to make non-human decisions, digital profiles, and algorithms.
#6: Object
Users can also object to having their data used for certain purposes, whether marketing or research.
#7: Opt-out
By opting out, users can prevent their information from being shared or sold to third-party sources.
#8: Portability
Users have the right to receive their personal data in a portable, “machine-readable format.”
#9: Rectification
If any personal information is incorrect, users can request to rectify the situation and edit any data for accuracy.
And lastly, #10: Restriction of Processing
Users can restrict the processing of data if they believe the information is inaccurate or the processing isn’t lawful or appropriate.
Each of these is a legal right of your users. By responding to these requests with accuracy and quickness, you not only secure the protection of your company or the user, but you can foster a positive user experience for users and a stellar reputation for the team, and trust points for your brand name. This means time is everything when handling DSRs — which we’ll discuss in our next video.”