The privacy right that matters most to consumers is cited in Chapter III of the EU General Data Protection Regulation (GDPR), in Section 2 (i) of the California Consumer Privacy Act (CCPA), and in Part 524 of the Health Insurance Portability and Accountability Act (HIPAA): the right for consumers to request and receive a copy of their own personal data.
For companies, data is their gold, and wise leadership understands this asset's value and does everything in its power to make sure data – especially consumer data – is kept secure. The rise of high-profile data breaches and the implementation of data privacy laws have raised awareness that businesses and institutions rely on consumer information. It is consumers' information that is compromised in data breaches, and suddenly the protection of personal data is a huge deal for consumers, too.
While there is no single, comprehensive U.S. federal data privacy law, there are enough industry-specific compliance regulations in force (HIPAA, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Children's Online Privacy Protection Act, and a growing number of state privacy laws) that every organization needs to step up and recognize how subject rights requests fit into its data protection and cybersecurity policies.
Consumers' Legal Right to Request Personal Information
The Privacy Act of 1974 gives all Americans the right to request personal information held by government agencies, stating, "the Privacy Act permits only an 'individual' to seek access to only his own 'record,' and only if that record is maintained by the agency within a 'system of records' – i.e., is retrieved by that individual requester's name or personal identifier – subject to ten Privacy Act exemptions."
Outside of this act, consumer requests regarding personal information are specific to each regulation. The regulations define privacy-protected personal information and determine what types of information consumers have a right to request. For example, personal data that is subject to consumer requests under the CCPA includes name, Social Security number, passport number, and similar identity markers as well as biometric data, geolocation information, and web browsing histories. On the other hand, New York's SHIELD Act cites information security and breach notification requirements but does not offer consumers the right to request access.
Because the laws are complicated, organizations need to do some homework to understand the full impact on their operations. CCPA applies to for-profit entities based on revenue, amount of personal information, or sale of personal information. HIPAA's right to access is determined by the type of patient data the organization holds. If your company does any business with a resident of the European Union, you are required to abide by GDPR. These and other regulations force organizations to know their clients, what type of data they store, and the right-to-access provisions that apply to them.
The Cost, Time, and Requirements of Managing Subject Rights Requests
Responding to data requests is not cheap. Gartner estimates that it costs a company $1,400 to reply to a single subject rights request manually and can take several weeks to complete. The response includes verifying the consumer's identity, clarifying what the consumer wants done with the data, reviewing the data to ensure it contains only the consumer's information, and packaging the data for delivery. As you can imagine, this process requires a lot of manpower and budgeting for a new, unpredictable demand. This is why Gartner also predicts that by 2023, at least 40 percent of privacy compliance and requests will be handled by artificial intelligence (AI), anticipating that $8 billion will be spent on compliance tools by 2022.
Failures to comply with data protection laws, as well as mistakes that lead to data breaches, are costly. Violations of the CCPA’s information security requirements can result in statutory damages of $100-750 per violation or actual damages, whichever is higher. Intentional non-compliance with regulations can result in fines as high as $7,500 per violation. GDPR miscues can cost an organization millions, depending on the violation.
Best Practices for Handling Consumer Rights Requests
Because the laws vary and requirements are always shifting, organizations should implement a general action plan to respond to data access requests. Best practices include:
- Create a data privacy team that consists of representatives from different departments, including security and privacy, IT, HR, legal, and leadership. This team will be responsible for determining how data is categorized and stored.
- Deploy software solutions that categorize data. Personal information should be separate, secure, and easy to find through keywords.
- Only save data that is necessary for business operations.
- Know where your data lives – the cloud, on-premises, third parties, mobile devices, removable hard drives, and even paper documents in filing cabinets.
- Know who has access to the data, so you know whom to contact when data is requested.
- Have a plan and a dedicated team responsible for handling requests.
This article originally ran in Security, a twice-monthly security-focused eNewsletter for security end users, brought to you by Security Magazine.