Best Practices for Managing Consumer Privacy Requests

Nearly every day, we talk with clients who are working hard to update their systems and processes around consumer data privacy in order to comply with the specifics set forth by both the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We see a good bit of confusion and indecision around how organizations can best manage requests and what specific technologies should be selected to make process change around data as efficient as possible, without sacrificing data security. In a recent webinar, we looked at the basic challenges with consumer privacy compliance and reviewed some of the ‘best in breed’ tools available.

When compared, the GDPR and CCPA are different in approach but broadly similar in effect. Both have potential impacts that businesses located outside the geographic jurisdictions (Europe and the U.S. state of California) must consider. Under both, there are four primary considerations for data subject rights:

  • The access the consumer has to his/her personal data being collected
  • Disclosure of the purpose of the data collection
  • The opportunity for the consumer to opt out of having their information sold or shared
  • The opportunity for the consumer to request their collected information be deleted

As with all privacy compliance programs, it is important for both GDPR and CCPA compliance to understand and document the personal information your organization collects and consumes, as well as understanding how that information is being used, both internally and externally.

We also help clients understand that it’s important to have a solid business plan in place before tackling data privacy process change. We recommend understanding the variety of internal stakeholders that need to be involved and developing coordinated approaches between the business, IT and legal. Having a solid legal and privacy support team in place is an added bonus.

It’s All About the Portal

With a solid understanding of consumer rights and a strong business plan in place for all to follow, it’s time to talk about technology. Specifically, the consumer data subject rights portal – where the rubber meets the road.

Technically, a data subject rights portal is not a formal requirement of either GDPR or CCPA, but it will make your job easier as you set up processes that will be user-friendly for both internal and external audiences. The portal is a central repository for both users across the organization and consumers. It is a single stream to track activity and to store all disclosures and data retention policies. It is also a place where the organization can outline consumer rights, list any third-party information, post FAQs and use as a secure file provider to fulfill consumer information requests.

We like to break the activities that take place within the portal into three categories:

  • Intake and communication processes
  • Remediation activities (Hashing, Obfuscation, Deletion, Deidentification – Data Management tools like Informatica, Collibra, and others can support automation of these functions)
  • Compliance and operational reporting

During intake, where the organization has the first consumer contact, and verification, where the organization launches its process to verify the requestor’s identity, it is important to communicate often and document everything. While we believe it is best for each organization to choose a portal software that is compatible with the most commonly accepted software packages across the organization, we often recommend portal-like software vendors such as OneTrust and SmartSheets to support a transparent privacy process from these initial steps.

When moving through remediation activities, it is important that the tracking software can handle documentation of all steps taken – this will be critically important if the organization is audited and needs to show exactly how the process was handled. We have seen that most auditors will take ‘intent’ into account, so the organization that can demonstrate it did all it could to move as quickly as possible, looks better than the organization that doesn’t have a plan in place. This means that, whenever anyone touches a record, documentation should capture who got involved, what they did and what the result was of that action. Even if no activity is taking place, it is important to touch these consumer tickets at least once a week. This ensures the organization doesn’t exceed statutory limits. Service level agreements (SLAs) should be established and regularly monitored. A high degree of visibility is critically important.

It is not an exaggeration to say that data management challenges will be encountered throughout the process of selecting a portal and getting it up and running, while simultaneously prepping the organization to embrace the new processes around data privacy. Being proactive, developing a comprehensive data management plan and implementing as quickly as possible, while keeping communication channels open and transparent, are keys to success.

Consider these lessons learned we shared in the webinar:

  • Compliance with data subject rights is critical
  • Support from all business areas helps ensure success
  • DSR portals reduce complexity and increase ease of use
  • Data management for DSR fulfillment is complex, but manageable
  • The earlier you get started, the sooner you will be in compliance

Our final thoughts: even though data privacy compliance is complex, it is manageable. To put a plan together can be cumbersome, but there are tools and technologies that help facilitate that work. It is a challenge that needs to be addressed quickly:  the sooner, the better.  Often, our privacy & data management clients regret not starting or planning their journey at an earlier date.

To listen to our privacy webinar series on demand, register here.

Jeremy Stierwalt

Managing Director
Technology Consulting – Business Intelligence

Ernie Phelps

Senior Manager
Technology Consulting – Business Intelligence