In the previous installment of this blog series, we took a look at the first priority French DPOs should address: gaining visibility. Through the use of data discovery and data mapping exercises, we unpacked the importance of understanding your data and how that understanding builds a strong foundation for privacy program maturity. The second priority for DPOs in France builds on the visibility gained in step one to create efficient, repeatable processes for managing data protection requirements such as DSARs and incident management.
A fundamental understanding of personal data and your regulatory obligations allows your organization to take action in an informed way and operate in line with the CNIL’s strategic priorities. Furthermore, recording your actions directly feeds back into your record of processing activities and helps to build further visibility into how data is being used, while remaining compliant with GDPR’s Article 30 obligations.
Taking action when a security incident occurs
Data protection and security breaches are a fact of life and usually a case of “when” and not “if.” A strong view into organizational data gives DPOs and CISOs the foundation for taking the appropriate actions in line with applicable laws and enables them to be prepared for when a data breach occurs.
When data protection and security teams are alerted to an incident, assessing the incident is one of the critical steps that must be taken. This includes determining if the at-risk information is protected by jurisdictional or sectoral laws, classifying the severity level of the incident based on the sensitivity of data involved, and establishing a remediation plan that includes a plan for notifying the affected individuals and appropriate regulatory bodies.
Once you have assessed the incident, you should turn to remediating any damage caused. In the immediate aftermath of an incident, organizations should determine containment measures to limit damage. Additionally, turning to your data map can help you perform forensic analysis of what happened.
What does the CNIL say about taking action when it comes to a data breach?
In May 2020, the CNIL updated its guidance in relation to managing security incidents and data breaches. Within the guidance, a five-step process is outlined that includes:
Through the lens of 2023 priorities, you can align steps one and two with the idea of gaining visibility. Equally, steps three and four align with our second priority: taking action.
In the guidance, CNIL states, “In order to be able to react, it is necessary to be informed and to detect incidents in order to qualify them. It is advisable to set up a monitoring system on current threats, through internal or external sources […] and set up systems for detecting and reporting alerts, making it possible to detect abnormal, suspicious or even malicious activities, and tools for detecting “security events.” This monitoring of system activity for security purposes must respect the rights of internal or external users […] After having evaluated the information reported and determined whether the security event is a proven incident, it is now time to qualify the incident, in particular with the aim of determining the authority(ies) to be made the recipient(s).”
Incident management: A practical example
Let’s check back in with Lois, DPO at ACME Co. To recap, Lois had been made aware of a security incident and, thanks to prior data discovery and mapping exercises, she had centralized visibility into ACME’s personal data. This allowed Lois and her team to act using ACME’s data map as the foundation. Lois was able to take steps including:
Without an evergreen data map, Lois would have faced the challenge of taking these actions without regulatory context and potentially being in violation of the law by not following the appropriate notification process.
In the final part of Lois’ story, we’ll take a look at how Lois can automate the incident management process.
Fulfilling DSARs effectively
Taking action is the most important thing the data protection office can do regarding DSAR fulfillment. Leaving data subject requests unfulfilled, incomplete, or responding outside the prescribed timeframes can leave your organization exposed to regulator complaints, loss of consumer trust, and potentially large administrative fines.
The first step for responding to DSARs is setting up appropriate intake methods and making them available and accessible to data subjects. When these forms are completed by a data subject, the data protection office must then verify the identity of the requestor, so that the organization can ensure that the requestor is who they say they are and can help avoid disclosing personal data to unauthorized individuals.
Taking effective action once a DSAR is received and the requestor’s identity is verified relies heavily on having already developed a clear and up-to-date view of your organization’s data. An evergreen data map will allow data protection teams to easily search and discover all instances of a requestor’s personal information, as well as instances of personal information that relate to other individuals.
Once the information needed to fulfill the DSAR has been found, it should be compiled into an easily accessible format, and all personal information relating to other individuals, as well as proprietary business information, should be redacted. This final version of the DSAR response should be reviewed and communicated back to the requestor via a secure method.
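The intake-verify-search-redact-respond sequence described above, as an added example that is not OneTrust’s code or the code of any product mentioned here. It assumes a constructed in-memory data map (a dictionary of system names to records), a hypothetical `PROPRIETARY_FIELDS` set naming the fields that must never leave the organization, a one-time verification token sent to the requestor by email or SMS, and a configurable response deadline defaulting to 30 days (an assumption standing in for the applicable statutory timeframe):

```python
"""Added example: a minimal DSAR fulfilment pass over a constructed data map."""
import hmac
import re
from datetime import date, timedelta

# Constructed data map: system name -> records held in that system.
# Some fields mention other individuals or internal business figures.
DATA_MAP = {
    "crm": [
        {"email": "lois@example.com", "name": "Lois L.",
         "account_owner": "clark@example.com",
         "notes": "Referred by jimmy@example.com; margin target 42% (internal)"},
        {"email": "jimmy@example.com", "name": "Jimmy O.",
         "account_owner": "clark@example.com"},
    ],
    "support": [
        {"ticket": 101, "requester": "lois@example.com", "cc": "perry@example.com",
         "body": "Cannot log in", "margin_target": "42%"},
        {"ticket": 102, "requester": "perry@example.com", "body": "Billing question"},
    ],
}

# Assumed field names that hold proprietary business information.
PROPRIETARY_FIELDS = {"margin_target"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
REDACTED = "[REDACTED]"


def verify_identity(submitted_token: str, issued_token: str) -> bool:
    """Constant-time comparison of the one-time token the requestor was sent."""
    return hmac.compare_digest(submitted_token.encode(), issued_token.encode())


def find_subject_records(data_map: dict, subject_email: str) -> list:
    """Return (system, record) pairs where any field mentions the subject's email."""
    needle = subject_email.lower()
    hits = []
    for system, records in data_map.items():
        for rec in records:
            if any(needle in str(value).lower() for value in rec.values()):
                hits.append((system, rec))
    return hits


def redact_record(record: dict, subject_email: str) -> dict:
    """Drop proprietary fields and mask every email address that is not the subject's own."""
    def mask(match):
        found = match.group(0)
        return found if found.lower() == subject_email.lower() else REDACTED

    out = {}
    for key, value in record.items():
        if key in PROPRIETARY_FIELDS:
            continue  # structured proprietary data never reaches the response
        out[key] = EMAIL_RE.sub(mask, str(value))
    return out


def fulfil_dsar(data_map: dict, subject_email: str, received_on: str,
                submitted_token: str, issued_token: str, deadline_days: int = 30) -> dict:
    """Build the response package; refuse to search at all if identity is not verified."""
    if not verify_identity(submitted_token, issued_token):
        return {"status": "identity_not_verified", "records": []}
    records = [
        {"system": system, "data": redact_record(rec, subject_email)}
        for system, rec in find_subject_records(data_map, subject_email)
    ]
    respond_by = date.fromisoformat(received_on) + timedelta(days=deadline_days)
    return {
        "status": "ready_for_review",  # a human still reviews before secure delivery
        "subject": subject_email,
        "respond_by": respond_by.isoformat(),
        "records": records,
    }


if __name__ == "__main__":
    package = fulfil_dsar(DATA_MAP, "lois@example.com", "2023-03-01", "tok-123", "tok-123")
    for entry in package["records"]:
        print(entry["system"], entry["data"])
    print("respond by", package["respond_by"])
```

The field-level rule removes structured proprietary data and the email mask handles other individuals’ addresses, but the free-text `notes` field still carries “margin target 42% (internal)” after the automated pass. That is exactly why the package is marked `ready_for_review` rather than sent: automated redaction narrows the work, and the data protection team’s manual review described above catches what pattern rules cannot.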
What does the CNIL suggest for fulfilling DSARs?
The 2022-2024 Strategic Plan issued by the CNIL contains three central themes, the first of which is the promotion of control and respect of individuals’ rights in the field. This gives organizations operating in France an indication that DSARs are about to be on the rise. The CNIL will be focusing on increasing awareness around subject rights as well as increasing the effectiveness of enforcement action relating to DSAR violations.
For organizations looking to develop or enhance their DSAR process, the CNIL issued a guide for how to respond to a right of access request. It is broken into four main steps:
The CNIL also notes that organizations should set up internal processes for handling DSARs that consider the escalation of requests to relevant teams or individuals. Organizations should also aim to provide responses in an understandable and accessible manner, in clear and simple terms.
Case study example of the importance of effectively fulfilling DSARs
Let’s see how Clark, DPO at Daily Planet Inc., is getting on with the influx of DSARs being received by Daily Planet.
Along with data discovery and mapping exercises, Clark has also prepared his DSAR process by placing a dynamic request intake form on Daily Planet’s webpages. The intake form is informed by regulatory intelligence and therefore delivers the correct experience to requestors. Clark is also able to verify the identity of requestors through a combination of verification approaches, including email and SMS verification and integration with third-party identity verification tools.
Every request that Clark receives where the requestor’s identity is verified must then proceed to the data map. Clark can then easily locate and compile all known examples of personal data relating to the requestor through the data map. However, once the information has been compiled, it still needs to be reviewed by Clark and his data protection team. During this review, Clark and his team manually redact and remove all mentions of other people’s personal data, as well as sensitive business information, before the response is sent back to the requestor.
While Clark and his team are able to fulfill DSARs effectively and accurately, the sheer volume being received will become too much to be handled manually.
In the final chapter of this case study, we’ll see how turning to automation helps Clark to reduce the time and effort required to fulfill DSARs.
OneTrust Privacy Incident Management and Privacy Rights Automation
OneTrust Privacy Incident Management can help your organization to manage the full privacy incident lifecycle. Privacy Incident Management can simplify incident response by utilizing rule-based automated workflows that consider the applicable law, location, or severity of the incident. Through a centralized record of the activity history, subtasks, and supporting documentation, you can gather all the context needed to understand the impact of an incident and even link incidents to your Data Map and vendor inventory. With these workflows and records in place, you can feel confident in communicating your response while utilizing built-in breach notification assessment templates from over 300 jurisdictions. With OneTrust Privacy Incident Management, you can demonstrate compliance with auto-generated, exportable audit trails and automate root cause analyses after every incident to identify downstream mitigation tactics to reduce the chances of incident re-occurrence.
OneTrust Privacy Rights Automation can help your organization automate its DSAR fulfillment process from start to finish. The solution helps to deliver the right experience to consumers or employees wherever they are using dynamic intake forms and allows data subjects to verify their identities through a combination of verification approaches, including email/SMS verification, SSO/OIDCID verification, and integration with third-party identity verification tools. OneTrust Privacy Rights Automation lets you configure custom workflows or leverage out-of-the-box workflows for deleting, updating, or otherwise actioning privacy rights requests, and includes automated data redaction to ensure sensitive and proprietary data is not disclosed in error. Finally, this can all be communicated back to the requestor through a secure messaging portal.