The California, Virginia, and Colorado state privacy laws that have been recently passed are drawing some much needed attention to consumers’ rights when it comes to their data. It’s true that some consumers have the right to request that their data be deleted from certain companies. But what is that process actually like, and how easy is it for the general public to submit a request for data deletion?
Promoting Transparency with Consumers
In the California Consumer Privacy Act (CCPA), for example, if a consumer wants a company to locate or delete their data, those companies are required to use language that is completely transparent with consumers regarding how they will do it. And that means the language needs to be written in a way that consumers will easily understand so they can use these rights if they choose. It must also include contact information for the Attorney General—the person who enforces CCPA—if the consumer feels the need to file a lawsuit.
To make the process transparent and easier for consumers, CCPA (similar to GDPR) requires all companies with online and physical stores to have a toll-free number that consumers can call, along with a website and an optional in-store transaction to request data. If a company only has a physical store and no website, they are still required to have the toll-free number.
Most consumers will probably use a website option to request their data. However, if they decide to pursue a data deletion or discovery request, things sometimes get tricky. Often they have to dig pretty deep within a website to get to the request page. Sometimes it requires clicking on four or five links to eventually reach a portal that may not even look like the company’s website (many organizations use a third party to manage these data requests), which then asks them to enter personal data to verify who they are.
CCPA also requires consumers be able to opt-out of a company sharing their data with third parties. Sometimes the company will make this obvious with notifications that pop up when consumers visit websites that say “Don’t share my data,” with a checkbox attached. But since the law doesn’t dictate exactly how companies must allow consumers to opt-out of this, other businesses may not be so transparent.
The Realities of Data Discovery
When a consumer puts in a request for their data, the company is supposed to be able to tell them where they got the data from and with whom the data has been shared. However, without a dedicated data discovery tool, a company likely will only know if they collected the data from their own website, such as when the consumer signed up for a newsletter. If a third party sent the data or the business bought it, it’s harder to trace the origins.
Without a discovery solution (like PK Discovery), organizations have limited and inefficient ways of finding that data. Businesses may try relying on a data loss prevention (DLP) solution, but that only finds patterns within the troves of data. For example, if the company was looking for a consumer’s credit card information, the DLP would only be able to locate a 16-digit string based on the pattern it was told to search, not the exact number they’re looking for. The DLP will also assume any found 16-digit string that matches the search criteria is a credit card number, when in reality it could be almost anything, from a customer or employee ID number to a scrambled credit card number. Thus, unfortunately, DLP leaves organizations at the mercy of multiple false positives and false negatives when searching for specific data.
Another way companies could locate data would be talking to the data governance office. The information they’d be able to provide would be things like marketing information, such as the consumer’s shopping or login history—all the “known” or “valuable” data. The problem there is that the data governance office has no way of knowing for certain if they’ve found all the data. Backup tables and file structures could be unknown to data governance, and will therefore not be included. Data governance can provide a source of truth or quick answer on data, but will not be quite as helpful at finding all of the data.
Lastly, even if companies are somehow able to find John Smith’s data, there’s the issue of individual identity. Many individuals have the same name—LinkedIn alone boasts approximately 168,000 results for the name John Smith. How can companies distinguish between two separate people who share the same name? Sending John Smith #2’s data to John Smith #1 technically results in a data breach, leaving the company liable for a lawsuit.
Privacy by Design
Businesses are required to stay on top of the privacy rights of hundreds of thousands—perhaps even millions—of individuals protected by multiple regulations. Maintaining individuals’ privacy begins with understanding the data you have, then employing the methodologies, tools, and techniques required to achieve the necessary levels of privacy.
Solutions such as PK Discovery and PK Privacy, both applications of the PK Protect suite, are purpose built to discover the sensitive data that is at the root of meeting privacy requirements. PKWARE’s data protection solutions include built-in automation that can automatically trigger deletion, masking, or encryption of sensitive data once it is discovered in order to facilitate a consumer’s Right to be Forgotten. Continuous monitoring means the system can quickly and easily pull up requested data in order to follow DSAR policies.
Accuracy, integrity and validations have gone into developing PKWARE’s software. This development work is irreplaceable and could save your company from a big data headache when a consumer puts in a personal data request.
Are you in need of automated data discovery and protection tools that will allow you to automatically search through petabytes of data? Request your free customized demo now.