The DSARs Are Coming! Managing Compliance Under the GDPR, CCPA, and CPRA
December 15, 2022
If the term DSAR is unfamiliar to you, be advised: what you don’t know could cost you and your company dearly. The term stands for “Data Subject Access Request” and refers to a request by an individual (a “Data Subject”) to an organisation to reveal what information it has collected, stored, and is using about the Data Subject.
DSARs initially arose from the “right of access” enshrined in Article 15 of the EU General Data Protection Regulation (GDPR). An organisation subject to the GDPR must confirm whether they are processing personal data, provide a copy of personal data, and furnish other information. Other jurisdictions’ data privacy laws have since imposed similar requirements.
For many organisations, DSARs are now the most common type of request they receive, and a convergence of trends is making DSARs a growing problem for US and multinational organisations:
- Lawmakers (particularly in the US) are enacting new regulations authorizing DSARs
- Enforcement entities worldwide are increasing penalties for violating DSAR regulations, and
- More and more people are becoming concerned with their data privacy and aware of their right to obtain personal information held by organisations.
The result is a near-exponential rise in DSARs just as some regulators have begun fining organisations over $100,000 for failures (especially systematic ones) to comply with DSAR requests within the mandated time limits (typically 30 days). To avoid these fines and the bad press they generate, it is imperative to develop and operate an efficient and effective DSAR compliance program.
Most companies are not ready. A recent study found:
- 94% of companies subject to the GDPR are not prepared to meet the GDPR’s privacy compliance requirements
- 95% of companies used manual GDPR compliance processes that are not only expensive but also error-prone and time-consuming – creating a risk of substantial fines for violations
- 91% are unprepared for compliance with the California Consumer Privacy Act (CCPA)
- 90% were not fully compliant with the DSAR requirements of the CCPA and the California Privacy Rights Act (CPRA) [1]
With California now a model for other states fashioning data privacy laws, understanding the CCPA and CPRA is critical. Most mid-to-large-sized US companies and multinationals – and even smaller ones – are subject to the two laws. The CCPA, the first comprehensive privacy law in the United States, took effect at the start of 2020 and allows California residents to control how businesses process their personal information. It also requires businesses to honour requests from California residents to access, delete, and opt-out of sharing or selling their information. The CCPA applies to for-profit businesses that collect and control California residents’ personal information, that do business in the state of California, and that either:
- earn annual gross revenues over $25 million;
- receive or disclose the personal information of 50,000 or more California residents, households, or devices each year; or
- make 50 percent or more of their annual revenue from selling California residents’ personal information
California authorities were initially lax in enforcing the CCPA. Those days are over. In August 2022, California’s attorney general announced a $1.2 million settlement with French cosmetics chain Sephora over alleged violations of the CCPA. Although the matter concerned failure to fulfill the CCPA’s “Do Not Sell” requirements, the signal to multinationals operating in California is unmistakable: a new era of aggressive enforcement has begun.
The California Privacy Rights Act (CPRA) compounds the risks. The law, which goes into effect January 1, 2023, expands the scope of the CCPA and establishes the California Privacy Protection Agency (CPPA), vesting it with full administrative power, authority, and jurisdiction to implement and enforce the CCPA. Additionally, the CPRA removes the CCPA’s right to cure. It also requires companies to operate an effective and scalable CCPA compliance management solution. Starting in January, companies should expect DSAR compliance audits and enforcement actions by the newly created agency to become customary. Companies yet to implement a robust DSAR response function (and the study cited above suggests there are many such businesses) risk potentially enormous financial penalties and reputational harm.
The time to act is now. But DSAR compliance is not as simple as it might seem. It involves several components, each of which is crucial: a sound process, adequate staff, and a way to remain up-to-date on new requirements imposed by existing and new legislation. Standing up the process, staff, and monitoring function is time-consuming, expensive, and requires extensive familiarity with the relevant laws and regulations.
For law departments that do not have the time, budget, or legal and operational professionals to tackle the new and growing burden of DSARs, there are compelling advantages to outsourcing all or a portion of your DSAR compliance. Outsourcing eliminates the time, money, and resources necessary with a go-it-alone approach. Outsourcing is also very likely to prove more cost-effective: a service provider can leverage economies of scale, process, and subject-matter expertise unavailable to a law department on its own. Moreover, outsourced DSAR compliance is easily scalable as the number of DSARs rises or falls. Finally, outsourced DSAR compliance provides you the opportunity to determine which portions of the process to insource and what to continue to outsource according to your organisation’s evolving needs.
Elevate assists customers with GDPR, CCPA, and CPRA compliance requirements – including the processing, review, redaction, and production of responsive DSAR materials – with an end-to-end DSAR response offering. We combine the legal expertise of our law firm, the staffing capabilities – including top-tier Data Privacy Officer talent – from our flexible legal resourcing business, and the knowledge of process and technology know-how of Elevate’s eDiscovery and Document Review team. We also provide targeted solutions for specific aspects of the GDPR, CCPA, and CPRA compliance, according to your organisation’s unique needs. Whatever the case, Elevate can lower your compliance costs, make your process more efficient, and help ensure you meet the requirements of the growing number of data privacy laws and regulations.
No one wants to become the poster child for non-compliance when the CCPA decides to start flexing its muscles. Contact us to discuss your DSAR response needs.
[1] See “Mid-2022 Research from CYTRIO Shows Most Companies Remain Exposed to CCPA and GDPR Compliance Fines,” BusinessWire, July 26, 2022, available at https://www.businesswire.com/news/home/20220726005290/en/Mid-2022-Research-from-CYTRIO-Shows-Most-Companies-Remain-Exposed-to-CCPA-and-GDPR-Compliance-Fines