
How to Handle Data Subject Requests in 2024

Guides
James Grieco
Aug 19, 2024

Data rights have been around in practice for a bit over six years now, from when the EU’s General Data Protection Regulation entered into force in May 2018. With the wave of global data privacy and protection laws the GDPR has since inspired, the majority of people on the planet now have some level of data rights.

For businesses, that has meant a strange few years, as brand new compliance requirements popped into existence and quickly became major determiners of how entire compliance programs are run. More challenging still is how fast the sphere keeps moving: the way data subject requests are handled today looks vastly different from the way they were handled just a few years ago.

The New Challenges in Handling Data Subject Requests

First is the sheer scale of data subject requests, with the number of requests companies receive increasing significantly year over year. From 2020, when the California Consumer Privacy Act went into effect and reinvigorated the American privacy sphere, to the end of 2023, consumer privacy requests nearly tripled.

Between 2022 and 2023, the percentage of internet users who exercised their right to know rose from 24% to 28%, a figure equating to hundreds of millions of individuals. 

This steady public embrace of individual data rights has coincided with the ever-growing complexity and size of data stacks, with numerous surveys showing smaller organizations averaging nearly 200 data systems in their tech stack and enterprises having well over 500.

It is no surprise that Gartner has found the total cost of completing a single data subject request manually to be roughly $1400. Why so high? As of 2023, MineOS internal data showed that the typical data subject request requires companies to locate and clear data from an average of nine data systems, with those numbers trending up in 2024. That equates to quite a bit of manpower, IT involvement, and opportunity cost. 

The last piece of the puzzle is regulation. The increased quantity and complexity of data subject requests already make them an item to prioritize for most B2C organizations, but regulations add new wrinkles to the process that many organizations are not prepared for unless they have been obsessively tracking state legislatures (which, to be fair, is not a constructive use of time for most organizations).

Much of the evolution in data rights is currently coming from the United States, which is particularly interesting given it is the only member of the G20 without a comprehensive federal data privacy or protection law. Despite that, the states have taken it upon themselves to advance data rights in a surprisingly progressive manner.

What to Know About Handling Data Subject Requests in 2024

There is a new data right that will likely become immensely popular once more people find out about it. 

The Oregon Consumer Privacy Act, passed in 2023 and already in effect as of July 1, 2024, created the ability for individuals to see which third parties their data was shared with, giving individuals never-before-seen transparency on data sharing practices. 

States to pass privacy laws after Oregon, including Delaware, Maryland, and Minnesota, also give their residents this right, meaning at least 17 million Americans will have this right by the end of 2025 once all the laws have become active. 

That means businesses need to have a better record of where the data they collect and process is going, as well as a new template for responding to this data right. 

Something that affects considerably more people and data subject requests is Universal Opt-Out Mechanisms (UOOM). 

UOOMs are essentially an all-encompassing measure that lets consumers opt out of discretionary data collection and processing at scale, rather than having to opt out on each individual website they visit.

Although UOOMs like Global Privacy Control have been around for years, many websites do not process these requests properly. 

That might have been manageable until now (although the very first CCPA fine, issued to Sephora, was partially over the company refusing to process opt-out signals), but it will soon become untenable. 

Of the nine US state laws in effect as of 2024, six require organizations to honor and process UOOMs: California, Colorado, Connecticut, Texas, Oregon, and Montana. In the coming years, states with laws coming online that have similar requirements include Delaware, New Jersey, Nebraska, Maryland, and Minnesota. 

That group includes both the majority of data privacy laws passed in the US and the vast majority of Americans covered by privacy laws in the nation. The takeaway is that, while some elements of state privacy laws do not reach consensus, UOOMs are gaining steam on a near-universal level, so organizations need to have consent management sorted out to protect DSR handling downstream.

Not only is failing to honor and process opt-out signals going to put organizations at risk of noncompliance, it is going to significantly exacerbate DSR handling, as each element of a privacy program really does touch every other element.

If an individual knows enough to enable a UOOM, they are likely to know about and happily exercise their other data rights, which creates problems (and additional DSR work) when they submit access requests and see that an organization was processing data it should not have been. This is why processing UOOMs ensures both good consent management and a more streamlined DSR flow.

Of course, this level of transparency is exactly what’s needed in the sphere, and something California is tackling. 

As part of the Delete Act, passed in October 2023, data brokers must publish annual metrics about how many CCPA DSRs they received during the previous calendar year, how many of those requests they complied with and how many they denied, and both the median and mean number of days it took to respond to a request. 

The most important part? That requirement is already live as of July 1, 2024. The bulk of the legislation, creating a one-stop shop for initiating bulk DSRs on behalf of consumers, is scheduled to take effect in 2026, and is another aspect that will transform how organizations need to approach and solve for DSR handling.

DSR Handling in 2024: You Need Automation

So what is an organization to do when handling data subject requests in 2024, given they are more common than ever, more complex than ever, and carry more compliance and transparency requirements than ever?

Find the right data governance platform. Without the automation and tools to ensure you are recognizing UOOMs, completing DSRs quickly and correctly, and aligning your privacy program across the various geographical differences present in the data privacy landscape, you will have trouble keeping up and keeping your customers happy (and safe). 

Come chat with us and check out why MineOS should be your first choice for data governance.