The General Data Protection Regulation (GDPR) has given people in Europe more clearly defined rights to decide over their own personal data. Now California is following suit with its own privacy regulation, the CCPA (California Consumer Privacy Act), which comes into full force after a grace period on June 1, 2020. Both of these laws grant consumers rights that you as a business must comply with; you need a process to manage data subject privacy requests. PrivacyBox is a SaaS solution that will help with capturing requests, communicating with data subjects securely and keeping an audit trail for compliance.

Doing business means processing personal data. Whether you capture data on a paper form, in a web form or automatically from user behavior, you must be able to respond to data subject privacy requests.

If you run some form of online business, it is likely that you store and process a lot of personal data. Being able to handle requests from people who want to use their rights granted by these laws is important. This is why we built a software solution to help with this process: PrivacyBox.

What is the difference in data subject rights in GDPR and CCPA?

These laws have many similarities, but also some differences. As you can read in our privacy policy, under the GDPR you have the following rights:

• Be informed about the processing of your personal data
• Access your personal data collected or processed by us
• Rectify your personal data
• Erase your personal data
• Object to the processing of your personal data
• Restrict the processing of your personal data

Similarly, under the CCPA you also have defined rights:

  • The right to request that a company not sell your personal information. “Sell” here has a broad legal definition, meaning you are not allowed to share it. If a person you are processing data about requests that you not share the data, then you have to comply with that for up to a year before you can request permission to start “selling their data” again.
  • The right to have data deleted
  • The right to know which categories of personal data you are storing
  • The right to know the specific information you store about them

In both cases, you need to offer data subjects one or more ways to contact you in order to act on these rights. A common approach is to use an e-mail address for this, but unfortunately this has a number of drawbacks: a lot of spam in the email inbox, manual logging for proof of compliance, and difficulties in sharing the workload of responding to requests between team members. Clearly, having a software solution for this makes life easier and safer for everyone.

Capturing requests from data subjects

The first step you need is to capture the requests. You could use emails for this, but it is easier to ensure the right information is included in the request if you use a form on your web page to do this. PrivacyBox provides you with the appropriate forms for both GDPR and CCPA, and you can easily integrate these on your web pages using an iframe.

Request capture form for privacy requests.
Example of a data subject privacy request capture form from Cybehave, here for the GDPR jurisdiction.

If you put forms on the web, you will likely receive spam messages from bots. This is what reCAPTCHAs are often used for – those annoying pictures of traffic lights or bridges you have to click. While effective for stopping bots, they can be an annoyance to users, especially users with accessibility needs. Instead of presenting challenges when the form is submitted, we send the data subject an email with a link to click and a confirmation code to submit, to verify that the submitted email address and the request are indeed real. This keeps the spam out of your privacy team’s workflow and saves you from wasting time.
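The email confirmation step described above could be implemented along these lines. This is an added example, not PrivacyBox's own code; the class name, the 24-hour validity window, the six-digit code and the five-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600   # assumed validity window for the emailed link
MAX_CODE_ATTEMPTS = 5           # assumed cap on code guesses per link

class PendingRequests:
    """Hypothetical in-memory store of privacy requests awaiting confirmation."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # sha256(link token) -> record

    @staticmethod
    def _digest(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    def issue(self, email: str, request_id: str):
        """Return (link_token, code) to email out; only digests are kept."""
        link_token = secrets.token_urlsafe(32)      # high-entropy, goes in the link
        code = f"{secrets.randbelow(10**6):06d}"    # short code typed by the requester
        self._pending[self._digest(link_token)] = {
            "email": email,
            "request_id": request_id,
            "code_digest": self._digest(code),
            "expires": self._clock() + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        return link_token, code

    def confirm(self, link_token: str, code: str):
        """Return the request id if link token and code both match, else None."""
        key = self._digest(link_token)
        rec = self._pending.get(key)
        if rec is None:
            return None
        # Expired links and links with too many wrong codes are discarded.
        if self._clock() > rec["expires"] or rec["attempts"] >= MAX_CODE_ATTEMPTS:
            del self._pending[key]
            return None
        rec["attempts"] += 1
        if not hmac.compare_digest(rec["code_digest"], self._digest(code)):
            return None
        del self._pending[key]   # single use: a confirmed link cannot be replayed
        return rec["request_id"]
```

Only a request that returns an id from `confirm` would be forwarded to the privacy team's queue; unconfirmed bot submissions expire without anyone having to look at them.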

When the requester has confirmed the request, they are logged in to a “user log” page where they can follow the progress of their case, add comments and upload documentation.

The user log of PrivacyBox: here the data subject can follow the data subject privacy request case and add comments and attach further documentation as needed.

You can see the iframe for the request capture form in action by visiting our access request page for Cybehave’s products: https://cybehave.no/privacy/submit-a-privacy-request/.

Behind the scenes: the power of PrivacyBox for privacy request management

Of course, capturing the request is only part of the story – the real work happens behind the scenes. Your privacy team receives the request, reviews its legitimacy, and performs the necessary actions. They need to document that they are complying with the request deadlines (respond within 30 days for GDPR and 45 days for the CCPA), communicate results to the data subject, and share the tasks between privacy team members. Luckily, PrivacyBox supports all of this. When a request comes in, an alert email is sent to one or more email addresses configured by the Team Administrator. The task can then be investigated and information added. If you need to request further information from the data subject, that can be done through the user log portal: the data subject gets a private link to view the progress of the case, add comments and upload attachments securely.

Screenshot showing main information and operations of the primary work view for the privacy team.

Can I get a demo?

Absolutely, just let us know and we will set up a video demo and a free 2-week demo account to play around with the tool. To start using PrivacyBox, all you need is an iframe on your webpage.
