Laws such as the EU's General Data Protection Regulation and the California Consumer Privacy Act have established new regulations for how, when and where organizations can use individuals' data. As part of these new regulations, individuals can ask organizations about the data they have and request corrections be made to the information, or even that it be deleted completely.
Experts say organizations must prepare for these types of requests. Here, Dimitri Sirota, CEO and co-founder of the privacy automation company BigID, addresses some of the key issues that organizations are facing in this new era of data access rights.
Editor's note: The following transcript has been edited for clarity and length.
What's the main thrust of data subject access requests?
Dimitri Sirota: DSARs, or individual data rights as they're referred to in the U.S., are a regulated requirement stating that individuals are allowed access to the data that organizations collect and process on them. It comes back to this notion that individuals retain intellectual property rights, or ownership rights, over their data even after they give it to a company.
What these new privacy regulations all try to do is balance the rights of individuals with the requirements companies have to conduct their business. What you're seeing now around the world is that most of the privacy regulations are anchored in this notion that people retain their rights to access, delete or correct their data, even after they give it to a company.
It changes the relationship that individuals have with companies. No longer are companies free to just collect data and do whatever they please; they now effectively become custodians or stewards of the data. They need to be able to account for what data they collect on what individual because that individual will retain a right to get access to and correct it.
Do the new state laws, such as the California Consumer Privacy Act, contain such provisions? Individuals can just call up a company and ask: "What do you have on me, and I want to talk about what you can do with it?"
Sirota: The simple answer is yes. They all differ a little bit, but what they all share in common is this requirement for individual data rights. That seems to be a common flavor across the U.S. regulations.
In fact, for the state of New York, there's very little in their privacy regulation beyond the right [for individuals] to access their data. For corporations, the conclusion is that they need to prepare themselves for a situation where countries and states go the way of California and Europe and require them to account for the all the data they have on individuals.
Fundamentally, an individual has a right of access to go to a company and say, "I want to know what you have on me." And, secondly, they'll get some choices as to what they want to do with that information. That includes just collecting it or asking for it to be deleted -- depending on whether deletion is [allowed under] other regulations. In some cases, it extends to asking, "What consents or permissions have I given you for this data?" and "I want to know what you're allowed to do with that [data]."
How should companies handle these requests? What's the plan of action these companies should have in place?
Dimitri SirotaCEO and co-founder, BigID
Sirota: What we're seeing is some of the companies are putting committees in place. The committees typically are a triumvirate, with the three constituencies. One comes from the privacy office; they have more of a legal background and interpret the law and provide guidance, advising on what they need to do in terms of defining new policies and processes, maybe defining new capabilities.
The second constituent is typically the data owner; this role is typically found within the chief data office, which most Fortune 100 and Fortune 200 companies now have. Essentially, they have data ownership across the company. The third leg in the stool is the security office. The security office wants to know where the sensitive data is, and they want to ensure that the sensitive data is properly protected. But all three groups need to know what they have for data before they can fulfill requests.
Don't most companies know what they have for data?
Sirota: The problem with that is it's not very detailed. They're relying on data recollection vs. data records. As they shift to this world of personal data rights, they need detailed information. It's not enough to say, "I think I have Dimitri's information here." They need to know exactly where they have cookies, IP addresses, names, addresses, even family names on Dimitri. That's a very different animal.
What do you expect will be the big trouble spots ahead for companies? Are there any other business benefits to these new individual data rights laws?
Sirota: There are three key bullets. Under the regulations, the company is not just accountable for finding what has historically been called PII, or personally identifiable information -- things like Social Security numbers or credit card numbers. Under the privacy regime, companies are accountable for finding all PI, with PI including a whole variety of things that, when taken alone, aren't personal. GPS coordinates, an IP address, a cookie -- those are not in and of themselves personal, but if the company can associate that particular instance of a GPS coordinate with a mobile app from a session that [an individual] initiated, it's personal. That's one thing: being able to locate PI vs. PII.
The second thing is around data discovery technologies. Historically, data discovery technologies were mostly focused on finding data of a particular type, like a credit card number or like a Social Security number. With individual data rights, the priority is not finding data of a particular type; it's finding the data of a particular person. Being able to figure out whose data vs. what data is another big challenge for corporations.
And third, because of the way the privacy regulations are written, companies have to look across all their data and not just one type of data, like a file share. For organizations that are looking at this and thinking about the burden to meet these obligations, the one thing they need to realize is there's a commensurate opportunity. If they can find all the data that belongs to their customer, they're going to know that customer better. They should look at this not just as some cost but as an opportunity to get to know their customers better and how they interact with them.