Data Subject Rights Request Guide

This document provides an overview of data subject requests and the rights they relate to under various data privacy regulations. It discusses: - The increasing number of data privacy laws requiring organizations to efficiently respond to data subject access requests. - The key rights individuals have relating to access, rectification, erasure, restriction of processing, portability, objection to processing, and automated decision making. - The types of data subject requests an organization may receive relating to these rights. - What is involved in processing a data subject request, including the typical time and costs associated with responding.
Data Subject Requests: Quick Reference Guide

Why Should You Be Concerned about Data Subject Requests?
Increasingly strict data privacy regulations across the globe require an effective response from any
organization that gathers personal information. Not only must you maintain strict security measures to
prevent data breaches and misuse, but you must also be able to respond efficiently and comprehensively to
the growing number of data subject access requests (DSARs).

Over 100 countries, regions and U.S. states around the world have adopted data protection laws, and most
of them include some form of DSAR provision. As a result, over 1 billion people can already exercise their
data subject rights at no cost to themselves.*

Gartner predicts that by the end of 2023 over 80% of companies worldwide will be subject to at least one
privacy-focused data protection regulation.**

* Gartner, “Market Guide for Subject Rights Request Automation”, Nader Henein, Bart Willemsen, Bernard Woo, 21 February 2020
** Gartner, “Predicts 2020: Embrace Privacy and Overcome Ambiguity to Drive Digital Transformation”, Nader Henein,
Bernard Woo, Bart Willemsen, 14 November 2019

Here are just a few of those regulations:

• California Consumer Privacy Act (CCPA) — Applies to every for-profit business that does business in California;
collects, shares or sells the personal data of California consumers; and satisfies certain other conditions.

• General Data Protection Regulation (GDPR) — Applies to any organization that processes the personal
data of EU residents.

• Lei Geral de Proteção de Dados (LGPD) — Applies to any business or organization that processes the
personal data of consumers located in Brazil.

• New York Privacy Act (NYPA) (proposed) — If passed in its current version, will apply to companies of
any size that operate in New York, not just for-profit businesses.

These and other laws require companies to satisfy DSARs within a specified time period — securely and
accurately.

Data Subject Rights at a Glance
Different regulations establish different rights, but here are the key ones to know about and what they are
named in two of the key laws.

• The Right to Be Informed (GDPR) or the Right to Notice (CCPA)

• The Right of Access (GDPR, CCPA)

• The Right to Rectification (GDPR)

• The Right to Erasure / Right to Be Forgotten (GDPR), the Right to Request Deletion (CCPA)

• The Right to Restriction of Processing (GDPR)

• The Right to Portability (GDPR)

• The Right to Object to Data Processing Activities (GDPR)

• The Right to Opt Out (CCPA)

• Rights Related to Automated Decision-Making and Profiling (GDPR)

4
The Right to Be Informed (GDPR) or the Right to Notice (CCPA)
Your organization must be transparent and honest about what personal data you collect and what you do with
it. You must have this information available to individuals at any time and especially at the point of collection,
without request from a data subject.

The Right of Access (GDPR, CCPA)
Each person is entitled to know exactly what information an organization has about them, how it was collected,
and whether and how their personal data is being processed. Individuals are allowed to access their own data
and learn about:

• The categories of data you collect

• The purpose of your data processing

• Who the data was disclosed to

• How long the data will be stored

• Where the data was obtained from

The Right to Rectification (GDPR)
If an individual believes the data you store about them is inaccurate, you must ensure that it is corrected across
all your data locations.

The Right to Erasure / Right to Be Forgotten (GDPR), the Right to Request Deletion (CCPA)
Individuals have the right to request the removal of personal information from your records and to tell you to
cease further data dissemination immediately. You must delete data if any of the following apply:

• It was collected unlawfully

• It is no longer needed

• It was collected during the individual's childhood

• It appears online

Your organization can deny the erasure if the request conflicts with:

• The right to freedom of expression

• The public interest in public health or scientific or historical research

• The establishment, exercise or defense of legal claims

However, if you retain the personal data, you must have a lawful basis, such as the subject's consent, for any
further processing of it.

The Right to Restriction of Processing (GDPR)
If it is unclear whether an individual's information must be deleted, that person can request temporary
restrictions on processing until your organization does all of the following:

• Fixes the issue

• Informs the individual of the correction

• Obtains consent to continue with processing

The Right to Portability (GDPR)
Individuals have the right to require a company to transfer their personal data to another service provider. This
right is intended to promote interoperability by facilitating the transfer of user data between data controllers. It
is also expected to encourage competition between digital services, since users can switch between providers
without losing their personal data.

The Right to Object to Data Processing Activities (GDPR)
Individuals can tell companies to stop using their data for marketing or other purposes. An objection to direct
marketing must always be honored. For other processing, there are three legitimate reasons you can use to
either deny a request or not comply with it in full:

• The individual has made excessive or unfounded DSAR requests

• The data is used for public, historical or statistical purposes

• You need the data to exercise or defend your legal claims

Compliance with this requirement often means moving the data to another internal IT system.

The Right to Opt Out (CCPA)
Data subjects must be given the option to opt out of having their data sold to third parties.

Rights Related to Automated Decision-Making and Profiling (GDPR)
A person can object to the automated processing of their data. Whenever personal data is subjected to
automated decision-making and profiling, you have to provide "meaningful information about the logic involved
[and] the significance and envisaged consequences of such processing for the data subject."

There are three valid reasons for performing automated processing and profiling:

• The individual gave consent

• Processing is necessary for the entry into or performance of a contract

• Processing is authorized by an EU or member state law applicable to the data controller

Types of Data Subject Requests
Individuals can exercise most of these rights by making a data subject request. DSARs can be grouped into four
categories, according to the rights involved:

Access Requests
• The Right of Access

Change Requests
• The Right to Rectification
• The Right to Erasure
• The Right to Request Deletion

Portability Requests
• The Right to Portability

Objection Requests
• The Right to Restriction of Processing
• The Right to Object to Data Processing Activities
• The Right to Opt Out
• Rights Related to Automated Decision-Making and Profiling

What DSAR Processing Includes
In most instances, you have 30 to 45 days to respond to each DSAR. The process is often time-consuming and costly:
many organizations spend $1,400 per request,* and the response process often takes at least 2 weeks per request.*

* Gartner, “Market Guide for Subject Rights Request Automation”, Nader Henein, Bart Willemsen, Bernard Woo, 21 February 2020

Here is a simplified version of the DSAR process, based on the one provided in the Gartner Market Guide for
Subject Rights Request Automation:

Step 1: Request Capture
Step 2: Request Logging
Step 3: Identity Verification
Step 4: Request Prioritization
Step 5: Data Collection
Step 6: Response Validation
Step 7: Response Communication

Step 1: Request Capture
Unless you give your customers an easy way to submit DSARs, they are likely to use the first company email
address they find. That starts your clock, even though the contact might not be responsible for anything related
to regulatory compliance.

It’s smart to have an online DSAR form, since it helps ensure that requests go to the correct place and contain
all the required information. However, you must offer multiple channels for submitting DSARs, to ensure you
don’t discriminate against any segments, such as people who don’t have access to the internet.

Step 2: Request Logging
Assign responsibility for creating and updating a record of each DSAR to an individual or department. You might
have them develop a spreadsheet that shows the date of the request, its status and other essential information
for tracking progress. Make sure your log is sufficiently detailed, since you might need to show it to a regulatory
authority if a data subject registers a complaint.

Step 3: Identity Verification
Verify the identity of the person making the request before responding. You may not ask for protected data you
don't already have, but you can ask the requester to confirm personal information you do hold in order to
authenticate the request. The data you request for verification must be proportionate to the request: if someone
asks you to amend their email address, you should not ask for their driver's license number, but if someone asks
for a copy of all the information you hold on them, you need to be meticulous about identity verification. A copy
of a person's data sent to someone impersonating them is itself an unauthorized disclosure, so this step protects
the data subject as much as it protects you.

Step 4: Request Prioritization
Triage the requests according to factors like complexity or degree of legal or business risk to ensure that work
is prioritized properly and ensure that response deadlines are met.

Step 5: Data Collection
Collect all records containing the individual's data, along with the following supplementary documentation:

• Your privacy notice

• A statement of the purpose for processing private data

• The categories of personal data collected

• The recipients (or categories of recipients) with whom you shared the personal data

• How long you hold personal data

• Advice on any additional rights the user has, such as the right to object to processing or the right to
request erasure or rectification, or to lodge a complaint with a supervisory authority

• Where you obtained the data, if it was not directly from the subject

• The existence of any automated decision-making that took place using the data

• Security measures you use when transferring data to a third party

The data collection step is one of the most complicated and labor-intensive of the DSAR process. After all,
organizations collect enormous amounts of data and store it in a variety of places, including email servers,
personal computers, file stores, databases and cloud-based platforms.

Finding the right data in all these mountains of dispersed data sources requires both expertise and access
permissions. Only a limited number of employees have the knowledge and ability to carry out a DSAR search
manually. Fulfilling such requests diverts those employees from their primary tasks, reducing productivity. To
speed up this time-consuming part of the process, you may want to look to automate this step.

Step 6: Response Validation
Review each response for completeness and accuracy. You may decide to require review by legal counsel before
sending the response to the requester.

Step 7: Response Communication
Share the response securely and confidentially with the requester. Remember that you must respond within
the timeframe defined by the applicable regulation.
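As an added example (not code from this guide or from Netwrix), the following Python sketch turns the capture, logging, identity-verification, prioritization and response steps above into a small in-memory DSAR tracker. The 30- and 45-day response windows, the verification tiers per request type and every name in it are this example's own assumptions; the point it makes in code is that the deadline clock starts at capture whatever channel was used, that the verification burden scales with what a wrongly honored request would disclose or destroy, and that no response is released until identity has been verified.

```python
"""Added example: a minimal DSAR intake and triage record. Names, tiers and
deadline windows are assumptions made for this example, not Netwrix's."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class RequestType(str, Enum):
    ACCESS = "access"
    RECTIFICATION = "rectification"
    ERASURE = "erasure"
    RESTRICTION = "restriction"
    PORTABILITY = "portability"
    OBJECTION = "objection"
    OPT_OUT = "opt_out"


# Assumed response windows in calendar days, following the guide's
# "30 to 45 days": 30 for GDPR-style requests, 45 for CCPA-style ones.
RESPONSE_DAYS = {"GDPR": 30, "CCPA": 45}

# Verification effort proportionate to what a wrongly honored request would
# disclose or destroy: a full copy or deletion of someone's data needs the
# strongest check, an opt-out or a small correction the weakest (assumed tiers).
VERIFICATION_TIER = {
    RequestType.ACCESS: "high",
    RequestType.PORTABILITY: "high",
    RequestType.ERASURE: "high",
    RequestType.RESTRICTION: "medium",
    RequestType.OBJECTION: "medium",
    RequestType.OPT_OUT: "low",
    RequestType.RECTIFICATION: "low",
}
TIER_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class DSAR:
    id: int
    regulation: str
    request_type: RequestType
    received: date          # the day the clock starts, whatever channel was used
    channel: str            # web_form, email, phone, letter ...
    deadline: date
    verification_tier: str
    verified: bool = False
    status: str = "logged"
    history: list = field(default_factory=list)   # audit trail for a regulator

    def note(self, when: date, event: str) -> None:
        self.history.append((when.isoformat(), event))


def capture(regulation: str, request_type: RequestType, received: date,
            channel: str, log: list) -> DSAR:
    """Steps 1 and 2: record the request and compute its statutory deadline."""
    if regulation not in RESPONSE_DAYS:
        raise ValueError(f"no response window configured for {regulation}")
    dsar = DSAR(
        id=len(log) + 1,
        regulation=regulation,
        request_type=request_type,
        received=received,
        channel=channel,
        deadline=received + timedelta(days=RESPONSE_DAYS[regulation]),
        verification_tier=VERIFICATION_TIER[request_type],
    )
    dsar.note(received, f"captured via {channel}")
    log.append(dsar)
    return dsar


def verify(dsar: DSAR, when: date, method: str) -> None:
    """Step 3: record that identity was checked and how (method is free text)."""
    dsar.verified = True
    dsar.status = "verified"
    dsar.note(when, f"identity verified ({dsar.verification_tier} tier): {method}")


def days_remaining(dsar: DSAR, today: date) -> int:
    return (dsar.deadline - today).days


def prioritize(log: list, today: date) -> list:
    """Step 4: open requests ordered by closest deadline, then by verification tier."""
    open_requests = [d for d in log if d.status != "responded"]
    return sorted(open_requests,
                  key=lambda d: (days_remaining(d, today), TIER_RANK[d.verification_tier]))


def release(dsar: DSAR, when: date) -> bool:
    """Step 7: only a verified request may be answered. Returns True if on time."""
    if not dsar.verified:
        raise PermissionError(f"DSAR {dsar.id}: identity not verified; refusing to respond")
    dsar.status = "responded"
    on_time = when <= dsar.deadline
    dsar.note(when, "response sent" + ("" if on_time else " (LATE)"))
    return on_time
```

The `history` list is the log that Step 2 asks for: every state change is stamped with a date so the record can be shown to a supervisory authority if the requester complains. `release` deliberately refuses to run for an unverified request rather than warning, because the cost of answering an impostor is a disclosure, not a missed deadline.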

Automation Is the Key to Scalability
A manual approach is unsustainable. Clearly, automating data collection offers profound savings in both time
and budget.

How the Netwrix DSAR Solution Streamlines DSARs
The Netwrix platform streamlines the process of satisfying DSARs:

• A simple and clear interface lets non-IT staff, such as employees in the marketing and legal departments,
easily learn and use the tool to process DSAR cases.

• Role-based controls provide different access levels to information on a need-to-know basis. As an
admin, you are notified about all DSAR cases and requests, but your staff can see only the requests
they create.

• The solution automates the discovery and exporting of personal information associated with an
individual.

• You can get progress notifications, such as when case status is updated.

• Robust data security capabilities help protect sensitive data and mitigate the risk of data exposure or
misuse.

Explore the Netwrix product in action – no deployment needed

Additional Benefits
Moreover, the Netwrix data security platform helps you achieve, maintain and prove compliance with other
aspects of privacy mandates, not just DSARs, and improve security. In particular, the solution helps you:

• Pass compliance audits with less effort and expense. Instead of scrambling to collect evidence that
you have the required controls implemented across your environment, simply run predefined reports
mapped to the key provisions of the regulation. Answer ad-hoc questions from auditors easily using
the interactive search.

• Improve risk management. The Netwrix platform includes a risk assessment dashboard, so you can
spot security weaknesses at a glance, such as improperly configured systems. You can also automate
remediation workflows, such as automatically moving sensitive data from an insecure location to a
secure one, and revoking excessive permissions to sensitive data before you suffer a breach.

• Improve data management. The Netwrix platform enables you to mitigate risks to data throughout
its lifecycle, automate data management processes to reduce costs and boost efficiency, and improve
productivity by keeping valuable content organized and discoverable. In particular, you can discover
and classify data at its creation or ingestion, ensure that critical data is stored securely, and clean up
data that is no longer needed to reduce risk and costs while enhancing user productivity and decision-making.

In short, the Netwrix data security platform helps you establish a mature privacy posture to ensure security
and regulatory compliance. As a result, you can avoid hefty fines, enhance customer trust and client retention,
reduce costs, and drive business success.

See the unified platform in action - no deployment required

Discover more useful information on this topic
Data subject access requests (DSARs): The essentials

GDPR data subject rights: How to handle requests

The right to be forgotten: EU laws and US concerns

CCPA vs GDPR: What GDPR-ready companies need to know about the CCPA

Does the GDPR apply to US companies?

How you can get ready for GDPR audits: GDPR compliance checklist

How you can handle DSAR requests more easily and with less expense

How Netwrix solutions help you achieve and prove GDPR compliance

Addressing CCPA requirements with Netwrix solutions

Read how Promocil ensures GDPR compliance and allocates its security budget more efficiently by accurately
discovering personal information

Read how Horizon Leisure Centers maintains GDPR compliance and saves £80,000 annually

About Netwrix
Netwrix is a software company that enables information security and governance professionals to reclaim
control over sensitive, regulated and business-critical data, regardless of where it resides. Over 10,000
organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of
enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT
teams and knowledge workers.

Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc. 5000
and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.

For more information, visit www.netwrix.com.

Next Steps
One-to-One Demo — schedule a personalized product tour with Netwrix expert: netwrix.com/livedemo

Free Trial — setup in your own test environment: netwrix.com/freetrial

In-Browser Demo — see the unified platform in action, no deployment required: netwrix.com/browser_demo

Request Pricing — get a quote tailored to your specific needs: netwrix.com/pricing

CORPORATE HEADQUARTERS: 300 Spectrum Center Drive, Suite 200, Irvine, CA 92618
PHONES: 1-949-407-5125; Toll-free (USA): 888-638-9749

OTHER LOCATIONS:
565 Metro Place S, Suite 400, Dublin, OH 43017 (1-201-490-8840)
5 New Street Square, London EC4A 3TW (+44 (0) 203 588 3023)
Spain: +34 911 982608; Netherlands: +31 858 887 804; Sweden: +46 8 525 03487; Switzerland: +41 43 508 3472;
France: +33 9 75 18 11 19; Germany: +49 711 899 89 187; Hong Kong: +852 5808 1306; Italy: +39 02 947 53539

SOCIAL: netwrix.com/social
