Bernstein Data Knows the Obligations to Respond Quickly and Effectively.
Businesses face multiple obligations to provide accurate and complete data to consumers, courts, and regulators.
Meeting Consumer Demands
For every one million personal identities in their files, U.S. businesses receive an average of 30 Data Subject Access Requests (DSARs) from customers each month, according to DataGrail. Manually processing a single DSAR costs $1,524, according to Gartner research, making the average company’s annual cost of manually responding to these requests more than $500,000.
Based on various privacy laws and regulations, companies across many industries have obligations to respond to customer DSARs about what personal information they hold. Customers generally have the right to view, edit, or delete it, along with obtaining a copy for data portability purposes.
Under HIPAA, for example, healthcare organizations must provide a patient’s health information within 30 days of a written request. To meet this obligation, healthcare providers must know the information’s exact location – the systems and data repositories – and be able to retrieve it. Successful compliance requires both the proper technology and the right processes.
Across the U.S. and Europe, privacy-related laws and regulatory enforcement are growing. Notable U.S. regulations include the California Consumer Privacy Act (CCPA) and state laws in Colorado, Utah, Connecticut, and Virginia, all of which become effective in 2023. In October 2022 the Council of the European Union approved the Digital Markets Act (DMA), which includes broad provisions for data portability and access affecting EU companies and certain non-EU companies that offer services there.
Limiting Damages and Costs from Data Breaches and DSARs
State and federal laws typically trigger a comprehensive, expensive notification process for companies hit by a consumer data breach. The average cost in the U.S. is $9.4 million, in part because outside lawyers and service providers must often be engaged. Implementing sound Information Governance practices – such as defensible disposal and effective information security – can help limit the damage, reduce the critical timeframes, and lower the cost of a data breach.
For companies, even fulfilling a simple DSAR involves risk; the process might reveal internal violations such as maintaining too much consumer information or sharing it improperly. Companies are increasingly mandated to retain only the personal information necessary to serve customers, for the minimal time required. These concepts of data minimization and data limitation, found in the EU’s General Data Protection Regulation (GDPR), are increasingly influencing state and federal oversight in the U.S.
Satisfying Legal Requirements
Legal data responsiveness involves litigation activity and court requests for information. The paper-based discovery process of the past has been primarily replaced by eDiscovery of digital files and electronic communications. An entire industry exists to support discovery and eDiscovery, as most companies are unfamiliar with navigating the necessary parameters and tools. The respondent must also decide which hard-copy documents and digital information are relevant and which fall under attorney-client privilege. The less information to review, the faster and cheaper the discovery process.
Not retaining and exposing more information than necessary is a key strategy for companies to reduce their discovery risk and cost. All information that a company keeps, even if all retention requirements have been met and it should have been disposed of per the Retention Schedule, is subject to potential discovery. Therefore, consistently applying retention requirements, per the Records Retention Schedule, across the organization and disposing of information in the normal course of business limits the amount of information subject to discovery and proactively mitigates risk. Good Information Governance practices such as defensible disposal and following a Records Retention Schedule provide value. For example, best practice is an e-mail policy that treats e-mail as a transitory system of communication only, rather than a system of record; barring legal or regulatory holds, companies can apply automatic deletion to e-mail systems.
Certain industries have obligations to retain records that facilitate regulatory oversight. For example, financial services firms must maintain information about securities markets, trades, and related communications for a prescribed duration to verify fair and efficient market operation. In the event of an enforcement action, regulators can demand records of trade-related communications going back many years, if available. Such firms must also have Records Management policies and procedures to supervise employees involved in market activity, including monitoring employees’ internal and external communications on new platforms like encrypted messaging.
Across all industries, consumers, regulators, legislators, and courts increasingly expect that companies will manage consumer and other regulated information safely and effectively: identify it, retrieve it, and provide it when required. With proper Information Governance procedures in place, costs and risks are reduced and responding to such requests can become a routine task.
Bernstein Data Solutions
- Respond to Consumer Privacy Requests – Knowledgeable personnel, robust processes, and adequate technology solutions to respond to consumer requests about their personal data (including identification, correction, provision, deletion).
- Communicate Legal / Regulatory Imperatives to Organization – A process for communicating eDiscovery imperatives to business units to ensure they act decisively and accurately with regard to preservation and collection activities.
- eDiscovery – Knowledgeable personnel, robust processes, and adequate technology solutions to conduct eDiscovery activities (including the identification, preservation and legal hold, collection, and provision of data), in response to courts and regulators.
- IT Governance that Assures IG Requirements – IG standards, policies, and processes incorporated into IT Change and IT Asset Management governance and operations (such as SDLC processes) to assure that new and changing technology solutions remain in compliance with IG requirements (such as continuing to capture records in archives).
- Knowledge Base of Regulatory Requirements – A system(s) for capturing and maintaining Regulatory Intelligence and for capturing and maintaining the organizational location (businesses and systems) of records, personal data, and other relevant information (a “data source catalogue”).
Solutions are built from a comprehensive set of Information Governance capabilities utilizing our proprietary IG Operating Framework.