As people become more aware of the rights afforded to them under the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other global privacy laws, processing the requests they submit can become difficult.
How do you know where the data resides? How can you keep up with different response deadlines mandated across global laws? How do you even verify the person making the request is who they say they are?
These challenges are particularly highlighted in the case of growing businesses, specifically start-ups and small businesses, where physical resources and manpower are usually limited.
Taking in, verifying, properly fulfilling, and responding to just a few consumer rights requests, let alone hundreds or thousands, can seem a daunting task for even the most experienced privacy professional, and even more so for privacy teams of one.
This blog outlines the four steps that can help even the smallest privacy team handle consumer rights requests and leverage OneTrust Pro Privacy Requests and Notices to help streamline the response process in compliance with the CCPA, GDPR, and other laws.
Step 1: Set Up Your Intake Method
When managing privacy requests with limited resources, it is vital to set up an intake method that is intuitive and structured for the end-user, not only for the practical aspects of the request but to also meet regulatory requirements in many jurisdictions.
Interactive web forms and toll-free numbers are just two of the ways that you can receive subject requests. With OneTrust Pro Privacy Requests and Notices, you can automate the full lifecycle of a privacy request from intake to response while managing your requests in a fully customizable portal that easily and securely streamlines fulfillment.
You can simplify setting up compliant intake methods for your business using dynamic web forms and managed or self-serviced toll-free numbers. Doing so can help build trust with consumers regarding the usage and accessibility of their data.
Step 2: Verify Requestors
Now that you are set up to receive requests, you need to verify that the person who is submitting the request is who they say they are. Regardless of size, businesses are required under the CCPA and GDPR to verify consumers’ identities when requests are received for access to or deletion of personal information. Smaller privacy teams have the sizable task of establishing a reasonable method for verifying customers and satisfying this obligation across potentially thousands of requests.
Verification of a consumer’s identity is a top priority when trying to comply with consumer rights requests. There are a variety of ways to verify a consumer’s identity, including email and phone verification and known customer information. OneTrust Pro Privacy Requests can help streamline the process by offering SMBs CCPA- and GDPR-compliant tools that make it simpler for the consumer to provide the relevant and required evidence to verify their identity. OneTrust Athena AI can also help authenticate the information supplied, using its intelligent robotic automation, against other systems or third-party services.
Step 3: Discover Data Needed for Fulfillment
Manually finding, compiling, and presenting the data necessary for fulfilling a privacy rights request would be a tiresome and difficult task, particularly if your team of one has many requests to complete. That’s why we have a tool to automate your data discovery and make your privacy request response more efficient.
The OneTrust Pro Privacy Requests and Notices solution offers Targeted Data Discovery along with OneTrust Athena™ robotic automation to automate discovery, deletion, redaction, or CCPA Opt-Out of Sale requests across different systems. Targeted Data Discovery can help deliver request results automatically through a secure consumer portal and offers a wide range of options for easy integration with custom apps and native systems.
Step 4: Complete Your Request
You’ve set up your intake, verified that the customer is who they say they are, and pulled the data the consumer has asked for. Now you can complete the request and fulfill your legal requirements within regulatory time frames (45 days in the case of the CCPA, and 30 days for GDPR). Responding to the consumer is imperative, and generating reports with detailed records helps you demonstrate compliance.
The solutions within OneTrust Pro’s Privacy Request tool will help you communicate simply and clearly with the requestor using a messaging portal with two-way encryption for extra levels of security.
Automating your privacy requests with the tools offered by OneTrust Pro helps simplify fulfillment, saves time, and serves as a best practice for fulfilling privacy rights requests in a manner that is timely, transparent, and compliant.