Regulations such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are forcing organizations worldwide to revisit their data privacy policies and practices. Other privacy regulations around the world are likely to have data subject rights as their core principle. While there are minor variations in the specific types of information covered and the conditions under which these rights must be honored, the fundamental requirements are similar.
The Privacy module of the PKWARE PK Protect product provides features to scan source systems for information related to Data Subjects, to process and retrieve that information, and to generate DSAR (Data Subject Access Request) reports.
The Privacy Screens combine information about Data Subjects with information about systems and users to show situations such as exposure to third-party user risk and cross-border transfer risk. There is also a "Data Subject Search" screen from which an individual Data Subject's data can be retrieved. This is an interactive, ad-hoc retrieval of Data Subject information that can serve as a manual DSAR data retrieval mechanism. This document, however, describes the automated DSAR capability in PK Protect. The Privacy Screens are described in more detail in the Privacy section of the PK Protect User Guide.
Automated DSAR Capability
The European Union's General Data Protection Regulation (GDPR) gives an individual the right to request access to the personal information an organization holds about them and the purposes for which that information is being used. This right is called the Right of Access (RoA, GDPR Article 15). Similarly, an individual can request the erasure of their personal information from the organization's repositories, subject to applicable laws; this is the Right to Erasure (RtE, GDPR Article 17). Under GDPR Article 12, the organization must respond to such a request without undue delay and, in general, within one month of receipt, which is a key reason for automating the retrieval and reporting steps.
RoA (Right of Access)
The Right of Access allows the Data Subject to obtain the personal data the organization has collected about them or otherwise processed. The organization must confirm whether it is processing the Data Subject's personal data and, if so, provide information about that data, including what it has collected or processed and what has been transmitted to a third party. In fulfilling an RoA request, the organization must provide a copy of the personal data it stores about the Data Subject in its repositories.
RtE (Right to Erasure)
The Right to Erasure is also known as the Right to be Forgotten under GDPR. It allows the Data Subject to request the erasure of all of their personal data that the organization is processing or storing. The scope of the erasure is subject to other applicable laws; for example, data the organization is legally obliged to retain is not erased.
The Automated DSAR capability in PK Protect enables DSAR requests to be processed automatically on pre-determined schedules, while still allowing for manual inspection and approval or rejection by a Data Protection Officer (DPO). That review step is the control point at which an organization can confirm that the request is legitimate and that any legal exemptions have been applied before personal data is released to the requester or deleted from the source systems.