The constantly evolving regulatory landscape—combined with increased consumer interest in how personal data is accessed, used, and shared, as well as the data misuse and abuse allegations that dominate mainstream discussions—is forcing organizations across all sectors to examine their data management and privacy programs more closely.
Both the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) introduced a range of data privacy and protection requirements to safeguard consumer data of EU citizens and California residents. Among the many impactful requirements, each law includes data subject rights management. Under the GDPR and the CCPA, individuals have the right to discover what data an organization is holding about them, why the organization is holding that data and to whom their information has been disclosed.
In order to exercise this right, an individual can submit a data subject access request (DSAR) to an organization. As part of the compliance requirements for both the CCPA and the GDPR, organizations must have a way to respond securely and in a timely manner to consumers who exercise their ‘Right of Access’.
Consumers’ Right of Access
For GDPR specifically, the Right of Access dictates that “The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data”, including the purpose of the collection and the existence of automated decision-making including profiling.
This right of access prompted an interesting DSAR last year, one that was fortunately documented on Twitter. As part of its compliance with this DSAR, Netflix leveraged Virtru’s email encryption product to securely send the information that the individual requested. Here’s how it happened…
Netflix Responds to DSAR Using Virtru
A tech policy researcher, Michael Veale, wanted to understand how much user data Netflix stored. He wasn’t interested in Netflix’s recommendation algorithms or in the profiling of his viewing decisions. Instead, Veale wanted to know whether Netflix stored his Black Mirror: Bandersnatch choices. Bandersnatch broke ground in providing an interactive viewing experience, where the viewers determine specific character actions and the various plot twists. Veale was curious about whether and how Netflix stored these plot decisions.
Veale’s findings were well documented by Motherboard and Gizmodo, and they highlight how broadly ‘personal data’ can be interpreted, an interpretation that is likely to continue to evolve. Veale acknowledged Netflix’s thoroughness in responding to his request and included a detailed overview of the data Netflix provided in a Twitter thread.
How did Netflix comply with this DSAR? According to Veale, they provided the file containing his personal user data to him through an encrypted email sent using Virtru.
Securing and Enabling Compliant Privacy Workflows
Managing DSARs from consumers can quickly become a burden for organizations of all sizes. Even if your organization has already spent significant time and resources to build a secure infrastructure to store collected data, responding to a DSAR means that the data must be moved out of the encrypted data stores into something else—likely email or a custom application—to get it to the individual who made the request. This presents a significant security challenge.
In the Netflix example above, Virtru’s emphasis on usable encryption streamlined the entire process for both Netflix and Veale. Virtru fits seamlessly into email clients, allowing the sender to encrypt the message itself, as well as its attachments, with a simple toggle above the body of the email. Senders can also apply additional access controls, such as message revocation and disabled forwarding, to ensure that only the intended recipient—in this case, Veale—has access to the data.
If the recipient also has Virtru, they simply open the message in their email client. If the recipient doesn’t have Virtru, they can access the encrypted content via Virtru’s Secure Reader after verifying their identity. Because the message and file are encrypted end-to-end—from the sender to the recipient—if the data is intercepted, it will be unreadable to anyone other than the intended recipient.
For organizations needing to respond to DSARs, Virtru expedites and streamlines the compliance process. Given the increasing concern about data misuse, these requests are only likely to increase. In fact, organizations are increasingly concerned about their ability to comply with privacy regulations and to provide the requested data within the required window and without undue delay. This is especially difficult given the rise in such requests since the GDPR came into effect in May 2018.
With the CCPA now in effect, and future regulations in the works, organizations—specifically those in media, entertainment, retail, and marketing—must be prepared to handle DSARs in a way that preserves the privacy and security of the data. Virtru protects data across the full lifecycle—from sender to recipient and beyond—helping organizations quickly adapt to the shifting regulatory environment. Get in touch with us to learn more about how Virtru helps with GDPR and CCPA compliance.