Updated: May 8
Data is increasingly crucial for businesses to boost profitability and to retain customer loyalty.
Data privacy laws like GDPR, CCPA, CPA, VCDPA, and many more have introduced the Data Subject Access Request (DSAR): a request made by an individual to learn what personal information a business holds about them and how it is used.
This article explains the process of a data subject access request and how businesses can simplify, automate and reduce the DSAR response time with Adzapier's end-to-end DSAR solution.
A data subject access request (DSAR) is a request to learn what personal information about the data subject has been collected and stored, and how the business uses that personal information.
Organizations must respond to DSAR requests promptly and provide access to the personal information they hold about individuals unless an exemption applies.
Healthcare Industry: Why DSAR is a must-have
It's only natural that many healthcare companies receive large numbers of DSAR requests from their patients, as hospitals and other health-tech businesses handle enormous volumes of sensitive personal data about their clients. This also gives them reason to worry about data security and privacy compliance.
In fact, according to TechJury:
Hospitals account for 30% of all significant data breaches.
More than 2100 healthcare data breaches have been reported in the US since 2009.
18% of teaching hospitals said that they had experienced a data breach.
6% of pediatric hospitals reported data breaches.
There is a 75.6% chance of a breach of at least five million records next year.
34% of healthcare data breaches come from unauthorized access or disclosure.
By the end of 2020, security breaches cost 6 trillion dollars for healthcare companies.
Nearly 80 million people were affected by the Anthem Breach.
According to Srikanth Samudrala, Co-founder & CTO, Ekincare,
"The major reason for such breaks is that healthcare professionals are usually not trained in tech simply because it's not a part of their day-to-day job."
Also, according to the US healthcare regulator HIPAA, there has been an upward trend in data breaches over the past 14 years, with 2021 being the year most affected by data breaches.
The direct repercussion an organization faces right after a data breach is an enormous influx of DSAR requests.
With ineffective management and a tedious manual response process, more than 58% of organizations that must comply with DSAR requirements often cannot process and respond to a DSAR request in time. This results in heavy fines.
DSAR fines and timelines under different worldwide regulations:
GDPR: fines of up to 4% of annual turnover or 20 million EUR, whichever is greater. The GDPR's timeline for a DSAR allows 30 days for a response.
CCPA: a penalty of $7,500 per consumer per violation where the consumer's rights have been violated. The CCPA requires your organization to acknowledge receipt of the DSAR within ten days and to respond within 45 days of receiving the request.
LGPD: fines of up to 2% of annual turnover or 50 million Reais, whichever is greater. The LGPD does not prescribe a specific deadline and requires a response as quickly as possible.
Data breaches like these result in significant repercussions that businesses need to understand and act on.
1. Reputational loss
When a data breach happens, people's sensitive personal data is exposed and may be used to blackmail them or sold for monetary gain. Whatever the reason, reputation damage results in a loss of public trust and a decline in profitability.
2. Financial Cost
The average data breach cost in non-healthcare industries is $158, but $355 for the healthcare industry. When done manually, the average cost of complying with a DSAR is around $1400 per request. And believe it or not, more than 50% of the companies that need to be data privacy compliant still use ad hoc, manual, and incomplete provisioning of services for fulfilling DSAR requests. Not only is this tedious, but it is also highly ineffective for managing operational costs.
DSAR process: How health-tech can redesign their response strategy
DSARs are subject to the relevant privacy laws and must be responded to appropriately. Companies can ask individuals for additional information to verify their identity when receiving a DSAR; this process should be simple and manageable.
They must also provide access to any personal data the company has collected that falls within the scope of the individual's request.
If a company believes an exemption applies, it should explain in its response why it relied on it.
But before we go further, let's look at the current state of healthcare response processes for data subject requests:
Manual tracking of requests, which makes the process tedious and cost-ineffective
Lack of technical knowledge among healthcare staff
Lack of a privacy-compliant culture, i.e., understanding and empathizing with the impact of a data breach on patients
As technology continues to advance, healthcare needs to adapt and adopt it at every touchpoint of its data security and privacy framework.
DSAR Framework that companies need
1. Building a privacy culture
One of the main causes of data breaches is human error, and this can originate inside the organization as well. So it's essential that your employees understand the importance of their patients' data and how its exposure can drastically affect patients' mental health.
2. Acknowledgment and Identification
It is beneficial for an organization to send the requesting individual a DSAR acknowledgment combined with a request to verify the identity of the person who made the request. This also gives you a chance to learn precisely what they want to know, i.e., whether they would like a comprehensive or a narrow view of the data you hold.
3. The Search
This is a crucial challenge for any organization and the most tedious step too. Locating the specific data and sorting it out can take much more time than the law allows. Electronic storage and structured physical filing systems must be searched, including archived and backup data. That is why there is a need for an end-to-end solution like Adzapier's DSAR management for your business.
4. Exemptions and Exceptions
You can refuse to comply with a DSAR only when:
Any part of the request is vexatious, frivolous, unnecessarily repetitive, or excessive on the part of the data subject. You must provide evidence to support this claim.
The request is an orchestrated one by your competitors; the organization should provide evidence that the request is false.
However, remember that a DSAR is "purpose blind", i.e., it is your customers' or employees' right to information, which you cannot deny. So tread with caution when exercising exemptions and exceptions.
5. Accuracy of Response
It's essential to note that when you produce a DSAR response manually, there is a high chance of giving the wrong data to the right person, or the right data to the wrong person. A requester must be provided with the data they have requested and nothing more.
6. Manner of Response
The DSAR response must be in writing, in clear, concise, and understandable language unless stated otherwise. Communication shall be conducted safely and securely through an electronic method unless the data subject indicates otherwise. The data subject is entitled to a copy of their data, not the document in which it is held. Also, if the data subject asks for multiple copies, you can charge a reasonable fee.
7. Awareness of Other DSAR Rights
Apart from these, you must know what other rights the data subject can exercise under the respective data protection regulations.
Data subjects have the right to erasure, rectification, data portability, and restriction of processing; the right to object to processing of their personal data for marketing and advertising purposes; and the right not to be subject to automated decision-making.
In each case, your organization must ensure that it facilitates the exercise of these data subject rights.
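As an added example, not Adzapier's code nor any part of its product, the following Python sketch models the request lifecycle described in steps 2 to 6 above, using the timelines from the fines section: per-regulation deadlines (GDPR 30 days; CCPA 10-day acknowledgment and 45-day response; LGPD no fixed deadline), an acknowledgment that issues a one-time verification token, a fulfilment step that releases nothing until identity is verified and then returns a copy of only the requested categories from the subject's own record, a refusal that must cite evidence, and an overdue check for a dashboard. The record store, subject ids, category names and the token-by-contact-on-file verification scheme are constructed assumptions, not taken from the article.

```python
import copy
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Response timelines in days from receipt, as given in the article.
# None means the law sets no fixed deadline (LGPD: "as quickly as possible").
DEADLINES = {
    "GDPR": {"acknowledge": None, "respond": 30},
    "CCPA": {"acknowledge": 10, "respond": 45},
    "LGPD": {"acknowledge": None, "respond": None},
}

# Constructed sample record store (assumption, not real data): one row per data subject.
RECORDS = {
    "subj-001": {"name": "A. Patient", "email": "a@example.org",
                 "appointments": ["2023-01-04"], "billing": {"balance": 0}},
    "subj-002": {"name": "B. Patient", "email": "b@example.org",
                 "appointments": [], "billing": {"balance": 120}},
}


@dataclass
class DsarRequest:
    request_id: str
    subject_id: str          # the subject the requester claims to be
    regulation: str          # "GDPR", "CCPA" or "LGPD"
    received: date
    categories: List[str]    # data categories the requester asked for
    status: str = "received"
    verified: bool = False
    token_hash: Optional[str] = None
    log: List[str] = field(default_factory=list)

    def deadline(self, kind: str) -> Optional[date]:
        days = DEADLINES[self.regulation][kind]
        return None if days is None else self.received + timedelta(days=days)

    def is_overdue(self, today: date) -> bool:
        d = self.deadline("respond")
        return d is not None and today > d and self.status not in ("fulfilled", "refused")


def acknowledge(req: DsarRequest, today: date) -> str:
    """Step 2: confirm receipt and issue a one-time verification token.
    The token would be sent to the contact on file; only its hash is stored."""
    token = secrets.token_hex(16)
    req.token_hash = hashlib.sha256(token.encode()).hexdigest()
    req.status = "acknowledged"
    req.log.append(f"{today} acknowledged; verification token issued")
    return token


def verify_identity(req: DsarRequest, presented: str, today: date) -> bool:
    """Requester proves control of the on-file contact by returning the token."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    req.verified = req.token_hash is not None and hmac.compare_digest(digest, req.token_hash)
    if req.verified:
        req.status = "verified"
        req.token_hash = None   # single use
    req.log.append(f"{today} identity verification {'passed' if req.verified else 'failed'}")
    return req.verified


def fulfill(req: DsarRequest, today: date) -> Dict:
    """Steps 3, 5 and 6: search only the verified subject's own record and return a
    copy of just the requested categories, nothing more."""
    if not req.verified:
        raise PermissionError("identity not verified; cannot release data")
    record = RECORDS.get(req.subject_id, {})
    export = {k: copy.deepcopy(v) for k, v in record.items() if k in req.categories}
    req.status = "fulfilled"
    req.log.append(f"{today} fulfilled with categories {sorted(export)}")
    return export


def refuse(req: DsarRequest, reason: str, evidence: str, today: date) -> None:
    """Step 4: a refusal is allowed only for a documented reason backed by evidence."""
    if not evidence.strip():
        raise ValueError("a refusal must cite supporting evidence")
    req.status = "refused"
    req.log.append(f"{today} refused ({reason}); evidence: {evidence}")


def overdue(requests: List[DsarRequest], today: date) -> List[str]:
    """Dashboard helper: ids of open requests past their statutory response deadline."""
    return [r.request_id for r in requests if r.is_overdue(today)]
```

The two checks worth noting are that fulfill() refuses before it ever touches the record store when identity has not been verified, and that the export is a deep copy filtered by subject id and requested category, so a request can never return another subject's row or fields the requester did not ask for.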
Adzapier DSAR management: End-to-End Response Automation
The DSAR process is the most comprehensive privacy law obligation a business must adhere to in order to protect and secure personal data. It helps individuals understand their rights and provides transparency about what personal information is held and how it is used.
Adzapier's DSAR Solution offers an end-to-end DSAR response management solution that streamlines, automates, and reduces your response time and heavy fines.
Prioritize your time with a single dashboard that centralizes received requests and DSAR deliverables.
Enhance your DSAR response process with metrics such as the average time to respond to a request, making your overall management more effective.
Keep stakeholders in the loop by tracking data with data discovery for a timely response, categorized by region, status, subject type, and much more.
Streamline the end-to-end DSAR process within one tool, minimizing the potential for risk and interruptions to your daily work.
DSAR compliance is complicated, but we make it so easy.
If you are still unsure whether privacy compliance is a need for your business, then schedule a free call with our Privacy experts today!