
00:00
Adam Stofsky
Today we've been talking about individual rights requests, and this is particularly around the right to access data and the right to have your data deleted. So I wanted to ask you today about when a rights request might kind of become a big deal or a bigger deal than a normal everyday rights request. Can you kind of describe to me when a rights request might be needed, might need to be escalated to a lawyer or a legal department?
00:42
Matthew Coleman
So it really does depend on how much legwork has been done on the front end for organizations to be able to figure out how they are going to respond to these types of requests. There are ways to game out every single type of request that an organization may receive and then put in place automated tooling to be able to just handle the requests as soon as they come in, and then everything gets filtered through that process. The process takes into account verification needs. It takes into account certain exceptions that may apply. It will automatically transform data into either hash data or obfuscated data if it wants to leverage some of those exceptions. All of the communications with the consumers or the individual users are automated. And so, you know, in those cases, very little will actually need to be escalated to the legal teams.
01:32
Matthew Coleman
That takes a lot of legwork to put in place. It takes a lot of resources, development time, you know, automated tooling, either third party or homegrown. And so not every organization has done that, nor needs to do that based on the risk of, you know, responding to these types of requests or the volume of responding to these types of requests. So for cases where there is a bit more of a manual involvement, usually we see escalation to legal where there is some kind of edge case or question about how the organization wants to respond. And that is either on the front end, whether these laws actually apply to the individuals. Right. If we want to make a decision about, we want to extend these access and deletion rights to individuals who live in states that don't have comprehensive privacy laws.
02:17
Matthew Coleman
There's no law that grants them this type of right. We could give them access to data or grant their right to deletion of the data, but we're not under a legal obligation to do so. And usually that is a determination based on risk and based on other factors that the legal team will take into account and decide kind of what the best path forward is. The other side is usually going to be around if there are certain exceptions that apply. The exceptions are drafted fairly broadly and fairly flexibly.
02:48
Matthew Coleman
And so understanding whether or not it applies to any given set of facts is going to be a legal question, and letting the legal team determine whether or not granting access to conversations wholesale might violate the exception against violating someone else's privacy rights in an access request, or if there's a way to hide the other side of the conversation so that is not an issue, or just not provide the conversation at all. And kind of what is the line that the company wants to draw from a risk perspective in responding to these types of requests? Okay, so, yeah, usually it's a question of risk or where, you know, the process hasn't been completely defined within an organization, and then taking it from there and letting the legal team use the facts to make a determination.
03:31
Adam Stofsky
What are some, like, red flags that might pop up in a rights request? I'm just going to, like, make this up and come up with some ideas. Very angry customer. A threat of litigation or lawsuit, I imagine. What about just a sheer volume of requests, like just someone requesting a huge amount of data? I don't know if it would be a kind of B2B customer or something like that. What about just a very important customer? What are some of the red flags that might trigger an escalation?
04:04
Matthew Coleman
Yeah, usually. So you raised a few good ones, including very angry customer, one who is particularly sensitive about privacy rights and makes threats of either litigation or complaining to regulatory authorities. We do see that there are privacy hawks out there that are very conscientious about who's using their data and why, and those should be treated delicately with sensitivity. The other one that comes up fairly frequently is in the employment context, so either former employees or individuals who are passed over for employment. And anytime you see that, like, usually there's a bit of a disgruntled nature to the question. They're dissatisfied with kind of the way things ended. And there's always kind of a risk or specter of potential claims or litigation arising from, you know, their requests.
04:57
Matthew Coleman
And so, you know, particularly in access requests, I would say that those generally should merit some closer scrutiny and review to make sure that, you know, you're honoring your legal obligations to respond, but also, you know, not exposing the business to undue risk.
05:15
Adam Stofsky
Okay, great. And one more question just on, kind of, you mentioned privacy hawks. It's kind of an interesting thing to think about. Like, what about getting, like, multiple requests from one person? Is that a red flag, or are there kind of rules about that?
05:33
Matthew Coleman
You kind of get, there are rules about that. Yeah, because you can imagine there are people out there that just kind of don't like what you're doing as an organization and then use these privacy rights almost as a cudgel to try and cause a little bit of pain. So yes, there are rules in all of these privacy laws that essentially say any requests that are unduly excessive or burdensome you do not need to respond to. And there are some laws that actually do kind of game out that, you know, someone has the ability to access their data once within 12 months or twice every 12 months.
06:06
Matthew Coleman
And so understanding kind of what is the outer boundary of what you as an organization are willing to accept in those cases where people are just trying to, you know, poke the bear a little bit is going to be a pretty important consideration. And then just documenting that and, you know, making sure that it's clear in the response that, you know, the individual's already gotten access to their data, or we've deleted the data and no other data exists, and we're leveraging this exception to basically reject the request.
06:35
Adam Stofsky
I have one more question about some escalations to legal and individual rights requests, which is about who's doing the asking and can this get complicated? So this is an individual rights request, right? This is a right that an individual has when a company kind of has or is processing his or her data. Do companies have the right to ask, like, a data processor for all of their data? Will that just be in their contract? And does the ultimate consumer have the right to ask, like, a sub-processor for their data even if they don't have a contract with that sub-processor? Do you understand what I mean? Like, how does that work? And does this change the analysis? And is this a good reason to think about bringing lawyers into the question?
07:20
Matthew Coleman
So again, more reason to have these considerations up front so that you're thinking about things like this in the initiation of a relationship with your vendors, with your processors. Because you're right, it is kind of all in the contract. In most cases where there's a privacy law that's applicable to the controller, the entity that has the direct relationship with the consumer, they will have some mandate in the law that says you need to have a contract in place, a data processing agreement or some other data protection related terms in your contract, that says things like: we are the controller of the data, and if we want to request that you return that data at any time or at the termination of our agreement, we can do so, and gives the controller the rights to be able to do that.
08:02
Adam Stofsky
This makes a chain of obligations down the line of processors essentially.
08:07
Matthew Coleman
Exactly. And then the controller is the one that ultimately has the obligation to respond to the consumer. And if the consumer goes around the controller and tries to request it directly from the processor, the response should be: sorry, we're not in control of that data. You have to go to the controller, you have to talk to them if you want to access your data or request that we delete your data, and then it will go down the chain. And so the controller, again, within the contract, has the rights to be able to go to the processor and say, we got this access request, we need you to help us with it, extract all of this data so that we can provide it, or delete all of this information.
08:40
Matthew Coleman
And if you know that data is on some other third-party sub-processor system, you need to go and do that. And so it just chains all the way down and then all the way back up. So yeah, generally requests should only be handled directly between the controller and the consumer.
08:52
Adam Stofsky
Okay, great. Matthew, super helpful, thanks so much.
08:56
Matthew Coleman
My pleasure. Thanks.