September 14, 2020
News about data breaches has become so common, it is no longer shocking to hear about the size and scope of recent breaches and ransomware demands. However, each time a breach happens, consumers become more aware of the issues surrounding companies collecting and storing their personal data. Rising concerns about data privacy have led to wide-ranging legislation, both locally and globally. Due to protections provided by legislation, regulations such as GDPR and CCPA now give consumers the legal right to request a copy of their personal information, as well as erasure of their data through a Subject Rights Request (SRR). Companies are required to comply if they have customers in the location covered by the regulation.
To comply with an SRR, organizations must have the ability to accurately and efficiently find all data associated with an individual’s name and provide a detailed report. Not being prepared to correctly satisfy consumer requests in a timely manner can result in costly fines and significant reputational damage.
Creating a process for the management of SRRs is a critical operating procedure for all types of organizations, from large consumer companies to small nonprofit organizations and everything in between. While data breaches involving personal and financial information have been all too common, consumers are now faced with other types of sensitive data being compromised—and even purposefully shared—without their knowledge. Recent breaches like Blackbaud, Zoom video call hacks, COVID-19 contract tracing, and wearable technology information have exposed political, location and personal health data. With increased media attention and education regarding consumer rights, people are more likely to exercise their ability to submit an SRR.
Financial Impact of Violations and SRRs
Companies must satisfy the requirements of the law by providing a report of the customer’s data and erasing data on request within a certain timeframe, or potentially face high fines. By mid-2020, the GDPR has levied €77 million in fines. Many companies mistakenly assume they are only subject to the regulations if they are headquartered in the country or state with the law. Gartner found that SRRs cost an average of $1,406 per request and 66% of companies needed at least two weeks to respond. Companies without a streamlined and automated process are likely to see significantly higher costs and increased workload.
Turning to Technology for SRR Management
To help organizations stay in compliance and reduce their security risk, we have introduced Spirion Compliance. Sprion’s CEO Kevin Coppins says that with many new innovations in data privacy management technology, it’s challenging to find the right solution for your business.
“Don’t be fooled by ‘this is easy, push this button, all problems solved.’ Data grows, flows, and replicates. ‘Sensitive’ is a term that gets redefined daily by new laws, regulations, and shifting cultural norms. This challenge needs proven technology built not just on passion for privacy, but the hands-on experience to do something about it,” says Coppins.
Companies using Spirion Compliance can expect to see the following benefits:
- Improved Productivity: Spirion Compliance utilizes Data Privacy Manager’s Playbook feature to create a customized workflow for each SRR, which ensures that each request follows the right process for its specific circumstance and that requests do not get missed. Additionally, the workflow suggests remediation options and offers insights into ramifications of each choice. Organizations can also see a snapshot and metrics for all SRRs, both in real time and historically. The tool generates a wide range of reports that meet most compliance requirements.
- Low False Positive Rate: By using an innovative problem-solving framework, Spirion Compliance searches all data storage silos—servers, data centers, geographies, internal networks, and cloud service providers—to find all of the data an organization possesses. Unlike other vendors, Spirion uses context to accurately find data associated with the person, instead of reporting a high number of false positive records.
- Simpler and Faster Remediation: By using data association and subject inventories, Spirion Compliance provides an automated workflow for mapping to a profile to create actionable intelligence. Organizations can then quickly remediate data according to regulations and the consumer request.
With the increase in privacy regulations and rising consumer awareness, companies cannot afford to wait to create a repeatable process for handling SRRs. The risk of overwhelming work, non-compliance penalties and negative publicity is too great. By proactively setting up a system like Spirion Compliance, organizations can effectively manage current SRRs and the likely increase in requests going forward.