The EU General Data Protection Regulation (GDPR) ushered in a new era of data privacy, raising the bar for the protection of personal data and information. It has quickly become the gold standard and a model for other countries drafting or enhancing their existing data privacy laws.
Tougher data privacy laws have gone into effect in some of the most populous countries around the world. Brazil ushered in its version of the GDPR by passing the General Data Protection Law (LGPD), providing fundamental privacy rights to its data subjects. In the United States, this past November, California approved the California Privacy Rights Act (CPRA) that will strengthen consumer rights and data protection beyond the current law, the California Consumer Privacy Act (CCPA). And 2021 has already witnessed additional states following suit with both Virginia and, most recently, Colorado passing comprehensive privacy legislation.
Analyst Gartner predicts that almost two-thirds (65%) of the world’s population will have its personal data covered by modern privacy regulations by 2023, up significantly from just 10% in 2020. With other countries such as China and India also drafting and/or finalizing more comprehensive laws mirroring the GDPR, these predictions look to be right on the mark.
Do your customers trust you with their data?
Organizations around the world are implementing procedures and practices to ensure compliance and avoid massive fines. But it’s not just about regulatory compliance. As more personal data is collected than ever before, consumer trust will become a key competitive differentiator. The way organizations collect and use personal data will affect that trust level. A McKinsey survey of 1,000 North American consumers in 2020 found 71% of respondents would stop doing business with a company if it gave away sensitive data without permission.
A key focus of most modern data privacy regulations is to support requests made by individuals around their rights to know what data an organization is collecting about them, why the organization is in possession of that data, and to whom their information is disclosed. One key right is the right of access. So, it’s no surprise, then, that data subject access requests (DSARs), or consumer rights requests, are quickly moving up the privacy management agenda. DSARs are the most common (71%) type of data subject request organizations now receive, according to an annual privacy study by the IAPP.
Responding to and processing these requests place a huge operational burden on organizations since there are many steps that must be performed. And these requests must be completed within prescribed timeframes. Failing to comply risks both financial penalties and bad publicity that could damage brand reputation and reduce trust.
The importance of knowing—and controlling—your data
For many organizations, responding to access requests is overly manual, error-prone and time-consuming. The process, from intake to fulfillment, drains already stretched resources for privacy management teams, and redacting information included in the response, if necessary, will require a substantial manual effort too.
Organizations also have so many siloes and disparate systems—both paper and electronic—that it’s difficult to even identify what data they have. Outside of data housed in core business applications, considerable personal data resides on file shares and in other unstructured data environments. According to the IAPP study, the most difficult types of requests to respond to are those that involve locating unstructured personal data.
Tackling privacy management challenges with technology
So, how can organizations best tackle these privacy management challenges? When addressing how to accurately respond to DSARs, automation will shorten lead times, dramatically reduce the risk of human error and minimize cost. To do so, it is important to leverage a single integrated case management tool to automate the end-to-end process and ensure audit readiness.
This technology needs to include the ability to digitize physical assets, such as paper, when personal information does not exist in a digital format. And when it does, the solution needs to support automated redaction as part of the workflow process. Leveraging text analytics to detect and automatically redact terms and phrases from the response is needed to expedite the turnaround time to meet deadlines. Finally, the solution needs to ensure a secure delivery to the requestor that minimizes any risk of data leaks and/or breach.
Unquestionably, an automated request fulfillment process will reduce compliance risks and operational burdens associated with this process. However, as individuals seek to act upon their privacy rights, the smarter companies are going to use privacy management as a competitive differentiator to increase trust and demonstrate to customers that they have their best interests and security in mind.
Learn more about Privacy Management solutions from OpenText.
Andy Teichholz is the Senior Industry Strategist, Compliance and Legal, at OpenText.