
00:10
Adam Stofsky
So today we're going to talk about individual rights under data privacy law. So let me just start with a framing question, a kind of reminder for people. What is an individual rights request? What does that mean? And is that even the right term of art for it?
00:25
Matthew Coleman
Yeah, it's a great question. And there are a number of different ways to kind of frame it. And every law is a little bit different in how they term privacy rights requests. There's data subject rights requests under the GDPR. There's individual or consumer privacy rights requests under the CCPA. Everyone's a little bit different. But generally there are privacy laws around the world that grant people rights over the use of their data. And there are some fairly common types of rights, like the right to access someone's data, the right to request deletion of that data, the right to correct or amend inaccurate data, as well as a handful of others. But those are the basic ones.
01:01
Adam Stofsky
Okay, so we're going to talk about access and deletion today, which I think are some of the most common forms of rights requests. So I don't know, let's just say I'm working at a company and a customer calls and says, I want you to send me all the data you have on me in your software, in your system. What do you do?
01:21
Matthew Coleman
Yeah, well, there's a handful of different ways a company can go about it. And usually it's best, you know, not in the real time response to an actual request, but ahead of time to do some preparation, thinking of what the company line is going to be like, how do we want to conduct ourselves in honoring these types of requests? Because you can just do what the law says you have to do. You know, if you are subject to the CCPA or the GDPR, you know, following the letter of the law and saying we're going to respond to those requests and nothing more. Right. There may be requests coming in from people who don't live in states that have privacy laws. And so thinking about, like, do we want to still provide those rights to individuals where we don't otherwise have a legal obligation to?
02:08
Matthew Coleman
And so kind of figuring out that path first is going to be pretty essential because otherwise, you know, you're going to have to do it in real time. And if there is a legal requirement to respond, usually there are some kind of timing requirements, whether it's 30 days or 45 days, or, you know, you generally have a chance to extend as well if there are circumstances that require more time. And if so, the next step is just going to be verifying that the person is who they say they are. How do you know that an individual is the same person as the person whose record you have on your files? Right.
02:42
Matthew Coleman
Are there ways of verifying the individual either through having them log in to their authenticated account, or verifying data that you have about this individual and maybe their transaction history or other information that you have in your backend systems that they would know and be able to give you if they are in fact that same person. And there are certain laws that do require you actually going down the road of, you know, verifying, having a couple, at least two, maybe three pieces of information on your systems and verifying with the consumer that they are the same person. Otherwise, the risk there is you divulge, particularly in an access request, you divulge information to the wrong person and that could be considered a data breach. And so we want to avoid that.
03:25
Adam Stofsky
Right or a violation of someone else's privacy.
03:27
Matthew Coleman
Right, essentially.
03:28
Adam Stofsky
So in terms of a data access request, what do you do then? Like, how do you deliver the data to the person?
03:35
Matthew Coleman
Yeah, it's another great question. So there are a couple of different ways, and it really depends on the flavor of access requests. So presuming that there is a right, that there's a law that applies, this person does have an access right, or the organization has decided, we're going to respond to this access request, generally the access request is going to be either I want to know all of the information that you're processing about me, and it's more kind of broad, categorical type of information that usually can be found in a privacy policy.
04:01
Matthew Coleman
Like we collect contact information, your account credentials, your financial information, and you can provide that list of these are the types of data that we have about you, what we're using it for, who we're sharing it with, or disclosing it to, and that information you can kind of take out of the privacy policy and send to them in an email. And that should be satisfactory for the response. If someone says, I want to know or have access to these specific pieces of information that you have about me, then it's going to be a bit of a bigger lift because you're actually going to need to extract the data out of the various different systems that your company is using to process that data and provide it to the individual in some kind of ready to use format.
04:41
Matthew Coleman
There's an interrelated right called the right to portability that also comes into play. And some of these laws require providing the information in some kind of machine-readable format like a CSV file, something that the person can then take and then provide to a different provider of services so that they can easily port their data into either. It could be a competitor, it could be some other kind of parallel business, but either way be able to continue services with someone else. And so usually you'll see kind of just, you know, data that's delineated in kind of a row format in a spreadsheet.
05:15
Matthew Coleman
And you know, you just have what the category of the data is, what the actual data element is, and then that spreadsheet is going to be password protected, encrypted, you know, sent over some kind of encrypted channel like an SFTP portal or something like that, or accessible through the person's account in order to, again, it's more of a security feature so that there's no other data breach. You're not compromising that information by just sending it over the open Internet without a password.
05:41
Adam Stofsky
Got it. Okay, that makes sense. And I'm assuming there's various SaaS products that will do this for you, depending on the size of your company.
05:49
Matthew Coleman
Yep, yeah, exactly. And in my experience, most of them get you a good portion of the way there, maybe 80%, 90% of the way there, because they do integrate with your systems, particularly major systems like if there's a CRM or some other kind of back end consumer database, they'll be able to pull all of the data out from there and package it in the manner that it needs to be packaged in. But there's generally going to be some additional review that's required just to make sure that the data is presented in the right way, or that it didn't miss any systems that don't have the right kind of integrations or APIs in place. And so there will be a little bit of a manual lift just to verify that you've sent the person everything that you have about them.
06:31
Matthew Coleman
The one thing also to mention on this is there are exceptions under the law in cases where you may not want to provide access to some of the information that you have about them. And some of those exceptions, basically you just need to review the law, review those exceptions, and then for each request, the guidance is that you're supposed to narrowly, you know, construe those exceptions. So if there are certain data that needs to be either redacted or not disclosed as part of an access request, that shouldn't stop you from disclosing all of the rest of the data. Right. And you have to be able to document what is the information that you didn't provide and why? Because a certain exception applies. And note that in your response back to the data subject.
07:13
Matthew Coleman
And so I'm thinking in particular cases like you shouldn't provide a Social Security number, you know, as part of these access requests, you may, you know, obfuscate the first five numbers and only provide the last four. You know, something like that. Or there may be other internal reasons where, you know, by disclosing this information, you're actually compromising someone else's privacy rights. You know, say, for example, for internal conversations between, you know, two different consumers or things like that. So reviewing the laws and understanding the exceptions is a pretty important part of that process as well.
07:44
Adam Stofsky
So you talked about the right to access data and a little bit about this idea of portability, which is another individual right. Can you just talk a bit about how deletion works and how that differs from access?
07:57
Matthew Coleman
Yeah, sure. So deletion is exactly like it sounds. A consumer can come and request the deletion of the data, and that could be a portion of the data, that could be all of the data that you have about them. But it is a right that is granted under these privacy laws. Deletion is a little bit. It's both less sensitive and more sensitive. Right. It's less sensitive in that you're not disclosing anything to a third party. So the risk of, you know, a data breach in that context kind of goes down, you know, and it's also more. More sensitive in the sense of you may need some of this data to operate the business or to comply with your other legal or regulatory requirements. So you can't necessarily delete everything wholesale.
08:36
Matthew Coleman
And so going through those exceptions is going to be, again, a pretty important process because there are things that say if there's a legal reason why you have to retain data, say, for example, for purchase history and tax records, you can use an exception to basically say, we're not going to delete all of that information. Same principle applies as access. It should be narrowly construed. You should delete everything that isn't subject to an exception. But going through that analysis and understanding what is fair game for deletion and what is not is going to be required for each of these requests.
09:12
Adam Stofsky
Okay, so my last question for now is who. Who needs to know about this in a company?
09:19
Matthew Coleman
General awareness, I would say anyone that has a consumer touchpoint should be aware of it.
09:25
Adam Stofsky
Sales, Customer service. Customer success.
09:27
Matthew Coleman
Exactly. Even marketing.
09:29
Adam Stofsky
Potentially.
09:29
Matthew Coleman
Marketing, potentially. Operations, potentially. Right. All of those should be at least aware that these rights exist. And then what the general protocol is within the organization to respond to those requests. And that is a level of iterative development that you can start with just, hey, escalate everything to legal or to the privacy team and they will just handle it. The kind of step above that is if you're able to implement some kind of automated tooling or process where the customer service rep or the sales rep can go into the backend systems and say, hey, I got an access request related to this person. And then the backend processes do what they need to do, pull that data out, salesperson can provide that encrypted CSV file, whatever it is, you know, having some kind of automated process.
10:13
Matthew Coleman
And then you're only really escalating, you know, certain edge cases or you know, where there may be an exception that applies some kind of interpretive questions to the legal team or the privacy team to be able to figure out what to do with. And then the next step above that is particularly if you have like a significant customer like digital experience, then building those automated tools into the customer experience so that you have zero necessary touch points with any kind of internal employees. Everything gets directed to the consumer to be able to handle through their own online accounts. Again, everyone that has a consumer touchpoint should still be aware that these laws exist and how consumers can go and effectuate those rights on their own by going into their port or their own profile and making those requests automatically.
11:00
Matthew Coleman
But it just cuts down on the, you know, the manual labor hours it takes to effectuate these requests.
11:07
Adam Stofsky
Right. Matthew, thank you so much for this really great intro on individual rights requests.
11:12
Matthew Coleman
And how to handle them. Thank you so much. My pleasure. Thank you so much for having me.
