Privacy laws bring substantial compliance challenges for every organization that collects, processes, stores, and transfers personal data anywhere in the world. For legal departments, compliance professionals and internal investigators these privacy laws create a whole set of new obligations.
With eDiscovery platforms like Reveal, organizations are better able to remain compliant with increasingly strict privacy regulations. Smart eDiscovery functionality leads to better, faster, more efficient and less disruptive handling of GDPR or CCPA access requests.
The General Data Protection Regulation (GDPR) took effect on May 25, 2018 and replaced the previous Data Protection Directive as the primary law regulating how companies protect EU citizens’ personal data. On June 28, 2018, California became the first U.S. state with a comprehensive consumer privacy law when it enacted the California Consumer Privacy Act (CCPA) of 2018. The CCPA becomes effective January 1, 2020.
The GDPR is one of the most comprehensive data protection laws in the world and its reach extends far beyond Europe’s borders. Since California’s economy is the fifth largest in the world, the impact of the CCPA is expected to be global too.
Given their comprehensiveness and broad reach, modern privacy laws have a significant impact on how companies and government organizations manage digital information about citizens and consumers. As data is the lifeblood of most organizations, it is no exaggeration to say that these and future privacy laws require fundamental changes in organizational behavior. Industry analyst Gartner predicts that by 2021, organizations that violate privacy laws will pay substantially more in compliance costs than companies that adhere to best practices. No company can ignore these privacy regulations and data security requirements.
Since May 25, 2018, the General Data Protection Regulation has regulated all activities involving the personal data of EU citizens.
The GDPR covers multiple aspects of data protection, privacy, cybersecurity and information rights. There is the right to ask an organization whether it holds one’s personal information. Everyone has, and can exercise, “the right to be forgotten.” There are strict cybersecurity requirements (mandatory data encryption, data security measures, reporting of breaches, informing data subjects of breaches, etc.), data processing rules, the need to redact or pseudonymize sensitive information when there is no explicit need to store it, and the need to obtain and record prior consent before certain personal information is collected and stored.
EU GDPR Article 15 states the “Right of access by the data subject”:
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
Administrative fines can reach 20 million Euro or 4% of annual global revenue, whichever is higher.
An individual can submit a Data Subject Access Request (DSAR), which can be up to 80 pages long to specify the information sought, to any organization. The organization has to comply within 30 days. DSARs are often followed by a “Right to be Forgotten Request” on the reported information.
A typical DSAR consists of the name of the person (including various spelling variations and nicknames) and all related information the requester is interested in (such as data related to a job or credit application). Or, if the requester is a former employee, all the projects he or she participated in, and all communications about the requester with other employees and even people from other organizations. Even a simple request can involve a lot of data.
It gets more complicated when a former employee asks to access his PII. In this case, relevant data typically includes employment history, education, skills and qualifications, health information, performance data, pay history, disciplinary actions, bank details, next of kin details, etc. Some of this information will be stored in personnel files and payroll records, but even more will be stored as unstructured email data spanning possibly hundreds of mailboxes scattered all over the organization.
Sometimes the reason for a DSAR is simple. A customer is switching to a different provider, supplier, dealer or employer. They therefore request to retrieve and delete all of their personal data related to their purchase and shipping history with the company of which they are no longer a customer or employee.
Sometimes, a request is made out of privacy concerns. Individuals are now more aware of their rights and more concerned about data privacy. The number of organizations involved in data privacy issues and scandals is increasing exponentially. Concerned individuals submit DSARs to see what data of theirs is being collected and is potentially at risk, and whether they should follow the right to access with the right to be forgotten.
There is also an increasing number of DSARs being used as a tactic by aggrieved ex-employees to cause maximum disruption to their former employers. Global law firm Squire Patton Boggs reported, in a recent survey, a particular increase in DSARs being used where an individual is facing a disciplinary or performance issue and wants to cause problems for the business or to obtain advance disclosure prior to raising a claim.
The survey states that a little less than a quarter (24.4%) of all respondents noted that DSARs involved employees seemingly just wanting to know what the organization has on record about them. However, 65.5% of the companies also reported that they had dealt with DSARs connected to a workplace issue (for example, grievance, redundancy, performance management, etc.), while among the 64 companies identifying an increase in DSARs since the GDPR, 92% confirmed they had dealt with DSARs connected to a workplace problem. Sometimes actual and potential litigants use DSARs as a “fishing expedition” to obtain either pre-action disclosure or disclosure while proceedings are ongoing.
Either subsequently or additionally, a data subject can request erasure of the data from a data controller, provided the data meets any of the following conditions:
There are some exceptions, such as compliance and legal requirements to hold data, or matters of national security or public interest, but one should not seek to use such exceptions lightly. Data controllers are typically obligated to erase personal data “without undue delay”, which means within a month.
Organizations must notify authorities of data breaches within 72 hours of discovery and keep records of all breaches. Data subjects must be notified of any breaches affecting their unencrypted personal data.
The CCPA enhances the privacy rights and consumer protection of residents of California. The California State Legislature passed the bill on June 28, 2018, and it was signed into law by Jerry Brown, Governor of California.
Although the California Department of Justice is continuing its rulemaking process for the CCPA and the California legislature is considering further amendments, businesses must comply with the CCPA from January 1, 2020.
The CCPA is the first of its kind and 17 additional states so far are following its lead.
The CCPA is designed to give California consumers ownership and control of their personal information, and the right to hold businesses accountable for the information they collect and handle as part of their business operations.
The act provides new individual rights to data access, erasure and to opt-out of data selling. Under the CCPA, California residents have the right to:
All businesses of one or more of the following types:
Or businesses that:
The CCPA defines personal information as information “that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Personal information includes, but is not limited to, identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. The CCPA’s definition of personal information differs from the GDPR’s in that it extends to households, whereas the GDPR classifies only information about an individual consumer as personal. The CCPA does not consider publicly available information to be personal.
The Limited Private Right of Action for Unauthorized Disclosure of Data allows consumers to bring a private right of action against Covered Businesses in connection with “certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s non-encrypted or non-redacted personal information” if the Covered Business has failed to implement and maintain reasonable security measures to protect such information.
In the event of a data breach, a business may have to compensate consumers from $100 to $750 per consumer and per incident. Reputational damage must also be counted, and litigation (e.g., class actions) is possible.
The CCPA is not just an American version of the GDPR. Companies that are already prepared for GDPR will have an advantage in addressing CCPA, but this will not be enough.
In some respects, the scope of the CCPA is more limited than that of the GDPR. The CCPA, for example, does not restrict the transfer of personal information outside the US. It also does not require that businesses appoint a data protection officer or conduct impact assessments. The CCPA does not require businesses to have a “legal basis” for the collection and use of personal information, and California residents’ right to access personal information is limited to data collected in the past 12 months.
On the other hand, the scope of the CCPA is wider. The CCPA's definition of personal information specifically includes household information. The CCPA grants individuals an absolute right to opt out of the sale of their personal information and obligates businesses to add a "Do Not Sell My Personal Information" link on websites and mobile apps. Although both the CCPA and GDPR prescribe provisions that must be included in contracts with service providers, the requirements differ, and GDPR data processing agreements might not meet CCPA requirements.
The GDPR applies to all businesses that process data of EU citizens, irrespective of their location or size. The CCPA is slightly narrower in its scope: it only applies to California-based businesses with a revenue above USD 25 million or those whose primary business is the sale of personal information.
The GDPR mandates penalties for non-compliance and/or data breach, which can reach up to 4% of the company’s annual global turnover or 20 million Euros, whichever amount is greater. Although the CCPA is presented as a “privacy” bill, the law includes a private right of action against companies that fail to adopt reasonable data breach security practices.
CCPA fines are applied per violation and are uncapped, and there are apparently no sanctions for non-compliance as such. The violation is considered at the point of breach, contrary to the GDPR, which can apply a sanction where a company is deemed to be at risk of a breach or not behaving responsibly. In addition, the CCPA allows the consumer to sue the business for a violation.
Both regulations endow the consumer with specific rights, such as the right to access information and to have it deleted. The GDPR is focused on all data related to the EU consumer/citizen, whereas the CCPA considers both the consumer and the household as identifiable entities and, in some cases, only considers data provided by the consumer as opposed to data sourced or purchased from third parties. It is important that businesses test their processes to ensure they can accommodate these rights.
In both privacy regulations, the “Right of Access” (GDPR) or “Right to Know” (CCPA) and the “Right to be Forgotten” (GDPR) or “Right to Delete” (CCPA) will bring an extra need for eDiscovery technology.
A typical request consists of the name of the person (including various spelling variations and nicknames) and all kinds of information they are interested in. This could be data related to a job application, a credit application, or a project they participated in. In Europe, a DSAR can grow to be an 80-page document specifying the information sought.
Where Article 15 of the GDPR was designed to help concerned citizens get more access to their personal data, it is now also (ab)used by upset employees or dissatisfied customers in legal disputes. As the cost of such a request can be enormous to a company, it is considered an effective tool to force the other party into a higher settlement in legal disputes. As a result, we have seen a steep increase in the number of such requests all over Europe.
Handling DSARs is expensive for those who are unprepared. All requested data needs to be collected, processed, reviewed and produced in a common format (often PDF) and disclosed to the requester. During the review, a lot of time is spent protecting confidential information belonging to the company and personal data belonging to other data subjects.
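As an added illustration of the DSAR workflow described above (example code written for this page, not Reveal's software or any code from the original article), the Python below searches a constructed mailbox for the requester's name variants, masks other data subjects' names and email addresses before disclosure, and computes the 30-day response date. The mailbox, the requester's variants and the two regular expressions are assumptions; the regexes are crude stand-ins for a real PII detector.

```python
import re
from datetime import date, timedelta

# Constructed sample mailbox (not real data): the requester's name is spelled
# several ways, and some messages also carry other people's personal data.
MAILBOX = [
    {"id": 1, "sender": "hr@example.com",
     "body": "Performance review for Jon Smith attached. cc Alice Jones."},
    {"id": 2, "sender": "alice.jones@example.com",
     "body": "Jonathan Smith pay grade is 4; bank details confirmed by payroll."},
    {"id": 3, "sender": "bob@example.com", "body": "Lunch menu for Friday."},
    {"id": 4, "sender": "manager@example.com",
     "body": "John Smyth requested leave; next of kin Mary Smith notified."},
]

# Spelling variants, nicknames and addresses as listed in the DSAR (constructed).
REQUESTER = ["Jon Smith", "Jonathan Smith", "John Smyth", "jon.smith@example.com"]

# Crude stand-ins for a real PII/NER detector: two capitalised tokens, and emails.
NAME_RE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


def find_responsive(mailbox, variants):
    """Ids of messages that mention any requester variant, case-insensitively."""
    needles = [v.lower() for v in variants]
    return [m["id"] for m in mailbox
            if any(n in (m["sender"] + " " + m["body"]).lower() for n in needles)]


def redact_third_parties(text, variants):
    """Mask names and email addresses that are not the requester's own."""
    keep = {v.lower() for v in variants}

    def mask(match):
        return match.group(0) if match.group(0).lower() in keep else "[REDACTED]"

    return NAME_RE.sub(mask, EMAIL_RE.sub(mask, text))


def response_deadline(received_iso, days=30):
    """Due date for the response (ISO string), using the 30-day window above."""
    return (date.fromisoformat(received_iso) + timedelta(days=days)).isoformat()


def produce(mailbox, variants):
    """Responsive messages with third-party data masked, ready for disclosure."""
    ids = set(find_responsive(mailbox, variants))
    return {m["id"]: redact_third_parties(m["body"], variants)
            for m in mailbox if m["id"] in ids}
```

Message 3 never reaches the production set, and the only personal data left readable in the others is the requester's own.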
The CCPA includes an individual cause of action or a class action against companies that fail to adopt reasonable data breach security practices. When a data breach occurs under the GDPR, data controllers should notify the supervisory authority not later than 72 hours after becoming aware of it. They must also notify the data subject “without undue delay.”
When data has been leaked or an attacker has accessed mailboxes, file shares, a content management system or similar, eDiscovery is essential to determine as quickly as possible whether personal information was compromised, which details were compromised, and which individuals were affected. Technology also generates the required reports, so parties are notified quickly, which lessens the potential for fines and excessive damage claims.
A subject access request means a lot of work for your organization. If you are not prepared or do not use technology, it can be very disruptive, and if you do not meet the deadlines or requirements, it can get very expensive. Still, DSARs are a fundamental data protection right and it is your organization’s responsibility to respond to them in the ways dictated by the GDPR, CCPA or other privacy laws.
While it will never be anyone’s favorite, using technology makes responding to access requests significantly more manageable. eDiscovery technology helps you to:
In short, using smarter technology leads to better, faster, more efficient and less disruptive handling of GDPR or CCPA access requests.
DSARs are often followed by a Right to be Forgotten Request on the reported information. Data controllers are typically obligated to erase personal data “without undue delay”. Detailed tracking and reporting features in eDiscovery platforms provide a complete audit trail to prove erasure.