Data protection laws such as the GDPR and the CCPA, as well as the proposed federal American Data Privacy and Protection Act (ADPPA) now under consideration in Congress, have become a growing concern for US businesses and the legal teams working on their behalf.
One element common to all of these privacy laws is the data subject access request (DSAR), which extends to both consumers and employees the right to request access to the personal data a company holds about them.
The DPIndex in the UK reported a 66% increase in the average number of DSARs received in 2021. If global trends are any indicator, then as more US consumers and employees gain a right of access to their information, organizations that do business in states with privacy laws will see a significant uptick in requests. That number will only grow as more states adopt laws or the ADPPA comes into effect.
While employee data requests may not appear, on their surface, all that different from consumer data requests, they are in fact a different animal altogether, and it is incumbent on governance, legal and privacy teams to understand those distinctions now, before these new laws take effect.
Employee v. consumer DSARs
A data subject access request (DSAR) is the formal mechanism by which individuals request access to the data companies hold about them. Under the GDPR today, and under the CCPA beginning January 1, 2023, when the amendments made by the CPRA take effect and the exemption for employee data expires, employees are entitled to access, update and delete their personal data in the same way consumers can.
However, that is where the similarity between consumers and employees effectively ends. Responding to consumer data requests can be onerous in its own right, but a consumer’s information can usually be found in a small, discrete set of locations.
A request from a long-tenured employee who has held numerous roles is another matter: that employee’s personal information is likely distributed and replicated across a variety of databases, systems and applications.
The added volume and the larger number of potential data repositories create complexities and nuances simply not found in a typical consumer request, and fulfilling an employee’s request can be far more labor- and time-intensive, since the data may be spread across multiple HR, payroll and accounting systems.
The weaponization of DSARs
For companies responding to DSARs, the costs can be substantial, both in the time and labor required to service each request and in the possibility of expensive and escalating fines if they are found not to be in compliance or are unable to respond within the mandated timeframes.
In one survey of companies with 250 or more employees, Sapio Research found that completing a DSAR takes 83 hours on average and that fewer than 50% of respondents were able to fulfill requests within the mandatory time limit. According to Gartner, the average cost of responding to a single consumer request is an estimated $1,400.
Given the complexity of locating and fulfilling an employee’s data, the average cost of an employee request will likely be far higher. On top of that, under the CCPA, organizations unable to comply adequately with a DSAR within the required timeframe can face civil penalties of $2,500 to $7,500 per violation. Multiply that by dozens or hundreds of requests and the average business could be looking at fines that easily exceed six figures annually.
Further complicating an already convoluted process, businesses subject to data privacy requests are also finding DSARs weaponized against them. If, for instance, a terminated employee feels they have been treated unfairly, these new legal requirements give a plaintiff’s attorney both a financial incentive and an enforcement mechanism to leverage in settlement talks or future litigation.
4 essential steps for an effective DSAR response
Enterprise organizations will need to invest in a comprehensive DSAR response process if they are to keep up with a fast-evolving regulatory environment and remain in compliance. Consider these four steps foundational to an effective DSAR response strategy:
Step 1: Establish an operational data inventory. Not only are companies dealing with significantly higher volumes of data than ever before, they must also account for a widening array of data types and communications specific to employees. Beyond email, documents and spreadsheets, data governance teams must locate relevant data in collaboration apps such as Slack or Teams, video or audio recordings in Zoom, intranet systems such as SharePoint, and even chat and IM logs. Without an operational data inventory, compliance is practically impossible: if you don’t know what data you have, or where it is stored and replicated in your environment, you won’t be able to fulfill the request within the mandated time frame.
Step 2: Implement data discovery capabilities. Knowing where an employee’s information lives is one thing; connecting those sources so that your systems can quickly search and locate the information named in a request is another. This is especially challenging across the massive, complex unstructured data environments in which an employee’s information might be stored or duplicated, which can include everything from email and internal collaboration messages to social media and multimedia files. Data discovery automation and artificial intelligence are set to play an essential role in fulfilling these requests within the defined time frames.
Step 3: Define a DSAR workflow. Once you have identified where an individual’s data lives, the next challenge is ensuring that the request flows to the right part of the business, such as HR in the case of an employee request, where it can be properly handled. A comprehensive DSAR workflow can both simplify and supplement your existing processes, especially as compliance requirements change with new legislation. Workflows grow more challenging as enterprises become more globally diverse and consequently collect and store more employee data in different parts of the organization.
Step 4: Invest in automation now. Many organizations still rely on manual, error-prone methods for processing and fulfilling these requests, from verifying an employee’s identity to finding, collecting, reviewing and redacting PII and then providing the requested information to the subject. Organizations should look to automate not only the intake and fulfillment of DSARs but the overall workflow as well: routing requests efficiently to the proper individual (HR for former employees, privacy or IT for consumers, and so on), collecting data stored across disparate sources, and facilitating the review and redaction stage of the DSAR process.
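The four steps above describe one pipeline: an inventory of systems and their identifier fields, discovery across those systems, routing to an owning team, and review/redaction against a statutory clock. The Python below is an added example, not code from the article or from any DSAR product, and wires those steps together end to end. The system names (hris, payroll, slack, crm), the records, the people and the routing table are all constructed for illustration; the request is assumed to have already passed identity verification. The deadline rules it encodes are the CCPA's 45 days (extendable once by a further 45) and the GDPR's one month (extendable by two further months).

```python
"""Minimal DSAR fulfilment pipeline: data inventory -> discovery -> routing -> redaction
-> deadline. Added example with constructed systems and records, not the article's code."""
import calendar
import re
from datetime import date, timedelta

# Step 1: operational data inventory. Each system records its owning team and the
# identifier fields it can be queried by (assumed structure, not a real product schema).
INVENTORY = {
    "hris":    {"owner": "HR",      "keys": ("employee_id", "email")},
    "payroll": {"owner": "Finance", "keys": ("employee_id",)},
    "slack":   {"owner": "IT",      "keys": ("email",)},
    "crm":     {"owner": "Privacy", "keys": ("email",)},
}

# Constructed sample records standing in for the real systems.
RECORDS = {
    "hris":    [{"employee_id": "E1042", "email": "pat@example.com",
                 "content": "Role history: analyst (2016), team lead (2020)"}],
    "payroll": [{"employee_id": "E1042", "content": "Salary band 4; bank account on file"}],
    "slack":   [{"email": "pat@example.com",
                 "content": "pat@example.com: can you loop in sam@example.com on the offer for E1042?"},
                {"email": "sam@example.com",
                 "content": "sam@example.com: pat@example.com was on the call too"}],
    "crm":     [{"email": "buyer@example.net", "content": "Customer since 2019"}],
}

# Step 3: routing table (HR for current and former employees, Privacy for consumers).
ROUTING = {"employee": "HR", "former_employee": "HR", "consumer": "Privacy"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def discover(subject_ids):
    """Step 2: find every record that is keyed by, or merely mentions, one of the
    subject's identifiers. Searching content catches copies in unstructured data
    (a colleague's chat message, for example) that a key lookup alone would miss."""
    hits = {}
    for system, meta in INVENTORY.items():
        for rec in RECORDS[system]:
            keyed = any(rec.get(k) in subject_ids for k in meta["keys"])
            mentioned = any(sid in rec["content"] for sid in subject_ids)
            if keyed or mentioned:
                hits.setdefault(system, []).append(rec["content"])
    return hits


def redact_third_parties(text, subject_ids):
    """Step 4 (review/redaction): strip other people's e-mail addresses from free text
    before it is returned to the requester; the subject's own identifiers stay."""
    return EMAIL_RE.sub(lambda m: m.group(0) if m.group(0) in subject_ids else "[REDACTED]", text)


def add_months(d, n):
    """Calendar-month arithmetic (the GDPR counts its deadline in months), clamping the day."""
    y, m = divmod(d.month - 1 + n, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def statutory_deadline(received, regime, extended=False):
    """CCPA: 45 days, extendable once by a further 45 days with notice to the requester.
    GDPR: one month, extendable by two further months for complex requests."""
    if regime == "CCPA":
        return received + timedelta(days=90 if extended else 45)
    if regime == "GDPR":
        return add_months(received, 3 if extended else 1)
    raise ValueError(f"unknown regime {regime}")


def fulfill(request):
    """Run an identity-verified request through the pipeline and return the response
    package, including which inventoried systems held nothing (evidence of coverage)."""
    ids = set(request["subject_ids"])
    hits = discover(ids)
    return {
        "route_to": ROUTING[request["subject_type"]],
        "deadline": statutory_deadline(request["received"], request["regime"]),
        "records": {sys: [redact_third_parties(c, ids) for c in contents]
                    for sys, contents in hits.items()},
        "systems_without_hits": sorted(set(INVENTORY) - set(hits)),
    }


if __name__ == "__main__":
    pkg = fulfill({"subject_ids": ["pat@example.com", "E1042"], "subject_type": "former_employee",
                   "regime": "CCPA", "received": date(2023, 1, 2)})
    for k, v in pkg.items():
        print(k, v)
```

Two design points worth noting. Discovery matches on record content as well as on key fields, because the replicated copies that make employee requests expensive are usually the ones nobody keyed (a teammate's Slack message naming the employee, for instance); a key-only lookup would have missed the second Slack record above. And the package lists the inventoried systems that returned nothing, so the reviewer can show the search actually covered the inventory rather than only the systems that happened to respond.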
With the CPRA’s operative date just around the corner, enterprise organizations must act now to prepare for the coming surge of employee DSARs. With the right mix of people, processes and technology, implementing and automating routine maintenance of your organization’s data will become an essential requirement for complying with these regulations today and for adapting to whatever new data privacy laws are enacted in the future.