Responding to a Data Subject Access Request

Can you respond quickly and compliantly to data subject access requests?

Data subject access requests from current employees, past employees, job candidates, customers, and others will be a costly discovery, regulatory, and litigation minefield for many companies. Before you can begin to respond to a data subject access request, you must be able to identify all the potential locations where an individual's personal data may exist, including paper records, electronic records, and data held by your third parties. Successfully navigating and responding to data subject access requests requires a comprehensive understanding of what personal data you have, where it exists, and any regulatory obligations to retain that data.

Do you really know what personal data you have and where it exists?

How you develop and maintain your data inventory directly impacts your ability to meet your compliance obligations, demonstrate an effective level of diligence with regulators, and defend your compliance efforts against plaintiffs' attorneys. Companies that have taken a limited approach and only identify personal data in applications or databases fall short of their compliance obligations. You must know where data exists to protect, delete, report, or produce it.

“With these new privacy laws, we can expect a cottage industry of professional plaintiffs to test whether companies are in compliance. A similar phenomenon is taking place in the European Union with respect to the General Data Protection Regulation. Professional plaintiffs will know before they make the request for their information what information the company has about them. They’ll simply want to test whether they receive back everything they know the company has. If they don’t, a civil lawsuit (perhaps even a class action) will be filed.” – Al Saikali, Shook Hardy Bacon

The California Consumer Privacy Act removes the bar on discovery by granting California residents unprecedented access to their data held by companies along with a private right of action, which may see an expansion of applicability under a proposed amendment to the law. Perhaps the greatest threat companies face under the CCPA involves data access requests from residents exercising their rights and litigation that will be driven by the plaintiffs’ bar.

Are you retaining personal data longer than necessary?

Over-retention of personal data will not be defensible. You can't lose personal data you don't have, and you don't have to produce it for data access demands or in litigation. Companies that fail to undertake data minimization efforts will face severe regulatory or legal consequences if personal data that should not have been held by the company is breached.

“If you experience a data security incident or a data subject rights request (e.g. a subject access request), then you will be sitting on top of an awful lot more affected data - and the resultant risks, costs, and negative PR in response to the incident or request will be substantially greater.” – Phil Lee, FieldFisher

With rapidly expanding state privacy regulations on the horizon, compliance efforts must be agile and iterative and provide the greatest level of diligence and defensibility. Legal and IT teams must take great care to focus efforts on approaches that are effective, sustainable, and adaptive. Companies that don’t have a handle on their data practices face a costly discovery nightmare and potential oversights when responding to data access requests that could spark unprecedented litigation.

There are three foundational requirements that regulators and industry leaders agree are essential for compliance and can also help limit liability when faced with data access requests that could trigger a flood of class action litigation: Know Your Data, Know Your Vendors, Eliminate Unnecessary Data.

Schedule a call to learn how Jordan Lawrence helps the world's leading companies prepare for compliance with key data privacy & cybersecurity regulations.



© 2019 Jordan Lawrence. No legal representation made.

Jordan Lawrence is not a law firm and does not provide legal advice.