This post is part of a sponsored ComplyTrust blog post series. To learn more about ComplyTrust, please visit complytrust.com.
Adopted in 2016 and in force since 2018, the European Union General Data Protection Regulation (GDPR) has inspired many countries around the world to pass data privacy laws. The data privacy regulatory landscape is becoming increasingly crowded and complex: there is no global “international privacy law”, and individual regulations are frequently amended, changing their impact and scope.
Paradoxically, even though regulations are being strengthened and the number of laws passed is growing, multiple surveys find that enterprises are still sorely unprepared to handle data privacy laws, four years after GDPR came into force.
Data Privacy – Not Your Average Risk
Enterprises often perceive data privacy as a risk rather than as an opportunity (better customer trust, for example), which means risk and compliance teams end up designing the processes for assessing and mitigating it.
Unlike most other risks, data privacy risk mitigation is highly transactional, and the transaction volume is rising. According to recent research on data subject requests (DSRs) under the California Consumer Privacy Act (CCPA), the number of DSRs has nearly doubled year-over-year, even though enforcement of the CPRA amendments does not begin until 2023.
DSRs can have multiple goals, such as a Do Not Solicit request to opt out of the resale of customer details, but they can also demand data deletion. The same research noted that organizations receive an average of 84 deletion requests per 1 million customers.
Manual DSR Processing Doesn’t Scale
Unfortunately, organizations often fail to grasp the breadth of data privacy obligations: because all past and present customers can raise data privacy requests, massive amounts of data, applications, and storage systems can be affected by a single request.
Using standard compliance remediation processes requires large amounts of manual labor and can involve dozens of employees to identify and retrieve the data. Furthermore, manual requests are often carried out without a coordinated approach and without a comprehensive analysis of where the data lives.
The result is long processing times for DSRs: another survey found that the average DSR takes 5 hours to process, at an average cost of 1,500 USD per DSR.
Impact of Unpreparedness
Unpreparedness for data privacy laws poses financial and reputational risks. Supervisory authorities can audit and ultimately fine organizations found to be in violation of data privacy laws. Some are already actively fining violators (as with GDPR, under which a total of 1.8 billion USD in fines had been levied up to March 2022); others are expected to begin levying fines from 2023 onwards, such as the California Privacy Protection Agency (CPPA), the agency in charge of enforcing the CCPA.
Even organizations with some level of preparedness can be fined if they fail to address DSRs within the statutory deadlines. Maintaining dedicated staff to handle DSRs, and developing in-house software or scripts to identify data subjects across systems, can quickly become prohibitively expensive.
Reputational risk should not be underestimated either: consumers are growing increasingly sensitive to how their personal data is handled.
Improving Preparedness with Automation
As seen above, data privacy preparedness requires a different approach. The staggering volume of data and IT systems involved makes automated DSR handling a necessity.
To be done properly, DSR automation should meet several criteria, such as:
- A modern and modular API-based architecture that makes it simple to perform API calls from virtually any existing software solution, while also allowing simple onboarding of new SaaS platforms and apps
- Continuous compliance, ensuring that a previously handled DSR (such as a personal data deletion) remains enforced over time (for example, issuing a warning if previously deleted data is re-enrolled into a system)
- Secure identity handling, allowing the system to enforce continuous compliance without letting a human operator identify the data subjects that have been removed from the system
In addition, the service should be easy to configure and to integrate with other applications and flows. For example, an API call could verify whether a re-enrolling customer was previously deleted following a DSR and inform the user that they are about to be re-enrolled.
DSR Automation Outcomes
Most importantly, a DSR automation platform should significantly increase preparedness to meet data privacy laws while substantially reducing the cost burden. It should stay up to date with existing and emerging regulations, folding changes into the DSR automation process without requiring an army of legal experts to analyze, identify, and transcribe regulatory changes into manual processes.
Among DSR automation platforms, the ComplyTrust Forget-Me-Yes (FMY) data privacy application meets those requirements and provides the assurance of continuous compliance, simplicity, and reduced costs.
FMY is a flexible, cloud-native, API-based DSR automation platform delivered as Software-as-a-Service. It currently supports the EU GDPR, Brazil’s LGPD, California’s CCPA/CPRA, China’s PIPL, the Colorado Privacy Act (CPA), and Virginia’s CDPA. DSRs are handled automatically via API calls, without running through convoluted processes involving multiple teams, stakeholders, and manual labor. Coupled with multi-layer encryption, FMY’s Reinfection Prevention Technology (RPT) ensures that data deleted under a previous request does not return to, or “re-infect”, the previously cleaned data source(s).
Unpreparedness for data privacy laws largely derives from reliance on existing risk mitigation processes and mindsets that have proven themselves elsewhere. Although laudable, these approaches cannot simply be replicated to meet the challenge of handling data privacy at scale. Manual labor isn’t scalable, the costs are abysmal, and keeping up with data regulations in-house is unaffordable. Modern solutions such as ComplyTrust Forget-Me-Yes allow organizations to handle DSRs at scale, affordably, simply, and without worry.