A traditional media company with a steadily growing online and digital marketing presence wanted to ensure it was compliant – across both its print and digital properties – with all aspects of the CCPA, from notice to potential data sales to data protection and breach preparedness.
Because of the political/social climate surrounding news organizations, the Company was concerned with being able to adroitly manage Data Subject Request obligations. Its specific focus centered on building functional processes to verify the identity of individuals and the legitimacy of requests.
THE DPSA SOLUTION
DPSA developed a custom CCPA Risk Assessment, taking into consideration the client’s industry as well as identified concerns, and examined the Company’s existing privacy operations. Our assessment confirmed that the Company did engage in CCPA-defined “sales” of personal data and also identified the following:
DPSA’s customized CCPA Risk Assessment confirmed the Company’s expectations but also identified risk in areas that had not been considered. The assessment uncovered the need for a Data Inventory to generate the dataflow information and tracking that was necessary for DPSA to build a suitably comprehensive set of processes that allow the Company to validate and respond to Data Subject Requests.
Well in advance of the CCPA’s go-live date, the Company rolled out a custom technology solution that automates its processes for validating Data Subject Requests, verifying Data Subjects’ identity, and preparing fulsome response to Requests. The DPSA-designed system routes all questionable or complex Requests to a special workflow for increased interrogation and either completion or rejection.
Addressing the urgency of Data Subject Request management, DPSA leveraged privacy technology to build an automated workflow and tracking process for the Company. For “standard” requests, email triggers acknowledge receipt of the request, confirm verification, provide the requested information or confirm deletion, and record the date and time for each step of the process.
DPSA also created a multipoint checklist for instances where verification is more complex and the Company is exposed to greater risk from fraudulent requests. For such requests, the checklist vets an individual’s identity and ensures the legitimacy of the Request—all within the CCPA’s 45-day window.
Critically, DPSA worked with the Company to build sustainable processes that can be uniformly deployed even as US states continue to propose privacy laws with slightly differing requirements.