“When it comes to DSRs, timing is everything.
The faster you can respond to a DSR, the better. To ensure users’ rights are protected, each regulation has strict deadlines that you must comply with. If you don’t, there will be legal consequences.
At the minimum, you’ll only have 15 days to respond to a request under the LGPD, which is Brazil’s data protection law. Under the GDPR, the European privacy law, you’ll have 30 days. Through the CCPA in California, USA, you’re given 45 days. If you need longer than this, there are specific extensions you can qualify for. But most often, you’ll need to count on meeting the original timeframe.
[Is There a Benefit to Waiting?]
Now, don’t think of this as a last-minute deadline to procrastinate and submit at the last second. There is no benefit to waiting the full 15, 30, or 45 days. No – faster is better, but consistency is best. By creating a consistent, organized structure for responding to DSRs, you can create accurate expectations for your users. This allows you to provide transparent, trustworthy communication for your users, empowering a positive reputation for your team — all while protecting you from legal pain and fees.
Think about this from a user’s perspective: Imagine you’re a user who wants their data rectified; you’ve spotted an error and want it fixed. After submitting a DSR, the organization tells you your information will be rectified in 7-45 business days — that’s a week vs. a month and a half. This feels frustrating and unfair to anyone.
Even worse, imagine an organization not responding to or acknowledging your request until a month and a half later. While you might have just wanted to remove or change your data, you might now have a bitter taste in your mouth for the company, leading you to quit doing business with them altogether.
Prioritizing data requests not only helps you avoid legal fees, but it can help you retain users and their business.
[Using Data From a Privacy Platform to Estimate a Timeline]
Remember: Fast is better, but consistency is best. One of the most effective ways to provide this consistency and transparency of your timeline is by utilizing data from your privacy platform.
By collecting and analyzing this data, you can estimate and plan for this timeline. For example, your data might show it takes you an average of 15-20 days to fulfill an Erasure but 20-25 days to respond to a Data Access. By communicating and meeting these timeframes, you can grant users realistic expectations and satisfaction. Having the privacy platform and resources to organize this data for your timeline is essential, especially if it includes automatic handling and processing from your company’s data sources.
Just an FYI: Gartner claims a single Data Subject Access Request costs the organization $1,600, which is massive. This is why automating the handling of privacy requests is highly effective, and the ROI is huge. Your employees can focus on growing the business rather than fulfilling privacy requests manually.
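As an added example (not from the video or from any vendor's privacy platform), here is how the timeline estimate described above can be computed from a request log: the historical average turnaround per request type, the statutory deadline per regulation using the 15/30/45-day windows quoted above, and the open requests whose projected completion would miss that deadline. The record layout and dates are constructed.

```python
from datetime import date, timedelta
from statistics import mean

# Statutory response windows named on the page (calendar days, before any extension).
DEADLINE_DAYS = {"LGPD": 15, "GDPR": 30, "CCPA": 45}

def statutory_deadline(regulation: str, received: date) -> date:
    """Last day on which a response is still inside the regulation's window."""
    return received + timedelta(days=DEADLINE_DAYS[regulation])

def average_turnaround(records: list[dict]) -> dict[str, float]:
    """Mean calendar days from receipt to completion, per request type (completed DSRs only)."""
    durations: dict[str, list[int]] = {}
    for r in records:
        if r["completed"] is None:
            continue
        durations.setdefault(r["type"], []).append((r["completed"] - r["received"]).days)
    return {t: mean(d) for t, d in durations.items()}

def at_risk(records: list[dict], as_of: date, averages: dict[str, float]) -> list[str]:
    """IDs of open DSRs whose projected completion (receipt + historical average,
    but never earlier than today) falls after the legal deadline."""
    flagged = []
    for r in records:
        if r["completed"] is not None:
            continue
        expected = timedelta(days=round(averages.get(r["type"], 0)))
        projected = max(as_of, r["received"] + expected)
        if projected > statutory_deadline(r["regulation"], r["received"]):
            flagged.append(r["id"])
    return flagged

# Constructed sample request log (not real data); None means still open.
SAMPLE = [
    {"id": "R1", "type": "erasure", "regulation": "GDPR", "received": date(2024, 3, 1), "completed": date(2024, 3, 18)},
    {"id": "R2", "type": "erasure", "regulation": "CCPA", "received": date(2024, 3, 2), "completed": date(2024, 3, 17)},
    {"id": "R3", "type": "access", "regulation": "GDPR", "received": date(2024, 3, 3), "completed": date(2024, 3, 26)},
    {"id": "R4", "type": "access", "regulation": "LGPD", "received": date(2024, 4, 1), "completed": None},
    {"id": "R5", "type": "erasure", "regulation": "GDPR", "received": date(2024, 4, 5), "completed": None},
]

if __name__ == "__main__":
    avg = average_turnaround(SAMPLE)
    print("average days per type:", avg)
    print("at risk as of 2024-04-08:", at_risk(SAMPLE, date(2024, 4, 8), avg))
```

With the sample log, access requests average 23 days, so the open LGPD access request R4 (15-day window) is flagged while the open GDPR erasure R5 is not.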
[The Consequences of Not Handling a DSR Within the Legal Timeframe]
As a privacy professional, you may already know that being non-compliant may cost you greatly. You can get charged up to $7,500 per CCPA or CDPA violation. But these numbers grow for GDPR violations. You can get fined 10-20 million EUR or up to 2-4% of your company’s annual revenue from the previous year. The cost of prioritizing data requests will always be worth it to avoid the cost of neglecting them.
The overall fine amount will come down to the nature, length, and context of the violation, as well as the intention, actions, cooperation, and history of adherence to privacy regulations.
Keep in mind that, beyond the expected fine, your brand trust could easily be ruined.
[Should You Create Different Policies and Timeframes?]
Now, the question is: Should you create different policies and timeframes for handling DSRs, depending on where the user resides? The answer is probably no because of the “golden rule.” Consistency is king. Treating all of your users fairly, no matter where they’re from geographically, makes the process seamless for you and your users or clients. According to this golden rule, you don’t have to create different policies for each type of user or specific privacy regulation, but rather treat all of your incoming DSRs in the same way.
In a way, DSRs are central to a positive customer and user experience. To provide this experience, you must understand why individuals might submit a DSR in the first place. We’ll begin to answer this question in our next video.”