How Text Archiving and Call Recording Technology Can Help You Comply with Data Subject Access Requests

With the passing of stringent data protection and privacy regulations around the world, it has become ever more challenging for organizations to respond to access requests from data subjects. With laws such as the EU General Data Protection Regulation (GDPR), Data Protection Act 2018 (DPA), and the upcoming California Consumer Privacy Act (CCPA), data subject access requests have become more burdensome, requiring organizations to respond within shorter time frames and pay higher fines if they fail to comply.

With enforcement actions ranging from suspension of operations to fines of up to millions of dollars, the consequences of non-compliance with data subject access requests are significant enough that compliance officers need a comprehensive understanding of how to respond to access requests successfully.

Data Subject Access Request 101

Data protection and privacy laws give individuals the right to know the types of personal data that an organization holds about them, the reasons the organization is holding their data, and the procedures the organization uses to process the data. The definition of personal data varies by law, but it usually covers the individual’s name, addresses, personal identifiers, as well as IP addresses, geolocation data, and internet cookies.

It’s important to note, however, that a document containing the data subject’s name is not automatically personal data. For instance, a text message or voice call that states or mentions an individual’s name does not necessarily make that mobile SMS or voice call personal data.

What Are Companies Obligated to Provide When Responding to Access Requests?

An organization that receives a request for data access must provide the following:

GDPR and DPA:

  • Confirmation of personal data processing by the organization.
  • Copy of the personal data, without disclosing personal data of other individuals.
  • The purpose of holding and processing of the personal data.
  • The parties to whom the data is disclosed.
  • The estimated retention period for the data.
  • Notification of the data subject’s right to request deletion or restriction of their data.
  • The source of the data.

Under GDPR, organizations are required to respond without delay, within a month. When a request is made electronically, the information must be provided in a commonly used format.

CCPA:

  • Confirmation of personal data processing by the organization.
  • The categories of personal data processed.
  • The recipient of any disclosures.
  • The data retention period.
  • The right to correct or erase data as well as to object or restrict processing.
  • The right to complain to the supervisory authority.
  • The source of information not collected from the data subject.
  • Meaningful information about automated decision-making.
  • For data transfers between countries, the appropriate safeguards.
  • Copy of the data processed.

Under CCPA, businesses with annual gross revenues of over $25 million, that buy, sell, or share data from more than 50,000 consumers, households, or devices, and derive 50% or more of their annual revenue from selling the private information of consumers are required to respond without delay within 45 days. All written access responses must also be provided in electronic format.

How Can Organizations Effectively Respond to Data Subject Access Requests?

To prepare and meet data subject access requests within the time frame, organizations should review and update their internal policies and procedures for handling access requests. They must update their current IT systems to ensure that personal data, including archived text messages, voice call recordings, and archived WhatsApp chats and calls, can be quickly isolated, transferred, or deleted per the request of the data subject.

To efficiently identify and disclose the personal data to the requestor, the organization can draw on mobile archiving expertise and technology. Now that people use mobile communication channels to send personal data to organizations, having tools and systems that not only capture and record mobile content, but also organize it in a central uniform database, is vital in ensuring that requests are answered within the strict timelines.

The TeleMessage Mobile Archiver effectively addresses compliance, regulatory, eDiscovery response requirements and reduces risk across the government, financial, and healthcare sectors. TeleMessage captures and records mobile content, including SMS, MMS, voice calls, social media, and WhatsApp Chats from corporate or BYOD mobile phones. Messages are securely and reliably retained within TeleMessage servers or forwarded to an archiving data storage vendor of your choice.

Our mobile archiving products securely capture content from mobile carriers and mobile devices for a variety of ownership models (BYOD, CYOD, and employer-issued). With our multiple archiving methods, you can always find the right tools or blend for your text message archiving and voice call recording requirements:

TeleMessage offers cross-carrier and international mobile text and calls archiving for Corporate and BYOD phones. Visit our website today at www.telemessage.com to learn more about how we can help your organization stay compliant with the privacy implications of different text archiving and call recording regulations.
