How to Respond to Privacy Rights Requests

Learn what a privacy rights request is and how to fulfill it in a timely and efficient manner.

Trevor Willingham


Trevor is the marketing coordinator at Termageddon. Ever since he was a wee lad, Trevor dreamed of promoting Privacy Policies and now he's doing just that. In other words, he started from the bottom and now he's in website footers.


Responding to a privacy rights request might sound as enticing as responding to your mother-in-law’s texts about whether you mistakenly left Tupperware at her house three years ago. However, unlike the great Thanksgiving Tupperware Mystery of ‘21, responding urgently to a privacy rights request is important for two main reasons:

  1. It’s the law
  2. It’s the right thing to do to respect the privacy rights of your website users

In this article, we’ll do a quick rundown of what this request is, and how to fulfill it in a timely and efficient manner. We hope that, by the end, you’ll have a much better understanding of privacy rights… can’t help you with Tupperware identification, though. Nobody can, sorry.

What is a privacy rights request? 

A privacy rights request (often called a Data Subject Access Request (DSAR)) is a request from an individual asking to exercise one or more of their privacy rights. For example, an individual asking you to delete their data or asking you to correct their data in your records would be considered a privacy rights request.

Failing to respond to requests or to honor privacy rights is one of the most common ways for companies to get fined for non-compliance. It is also crucial that responses are sent in a timely manner, as privacy laws usually set a time period within which a response must be provided after a request is received (typically 30-45 days).

All of this is important for agencies for two main reasons:

  1. Your agency could receive a privacy rights request; and
  2. With more and more privacy laws being enacted, clients are becoming subject to more privacy laws that offer privacy rights. If your client receives a privacy rights request, they may reach out to you for help processing it (e.g. delete the data from the website’s backend).

As an agency that wants to be in the know for if/when these types of questions come up, it’s probably best to split the topic into A) how you can be prepared for such questions and B) the actions you should take once a request has been issued.

Preparing for a privacy rights request in 7 steps

Each of the following steps should be done prior to receiving a privacy rights request. Doing so will help you efficiently and accurately respond to any future requests without having to reenact your favorite Michael Scott moments.

Step 1: Identify which privacy rights you offer and to whom you offer these rights 

The privacy rights that you are required to offer are determined by the privacy laws that apply to you. Usually, the privacy rights that you offer would be listed in your Privacy Policy. 

For example, if you used Termageddon to generate your Privacy Policy and the privacy laws that require companies to provide privacy rights apply to you, your Privacy Policy will have a section titled “Your rights” that will list the rights that you are required to provide and who you offer them to (e.g. everyone that visits your website or residents of specific states or countries only). 

If you do not have a Privacy Policy, then the privacy rights that you are required to offer would be listed in the privacy laws that apply to you. 

Step 2: Identify how individuals can exercise their rights

This step comes with the following questions to consider:

  1. What contact methods can individuals use to exercise their rights? For example, phone, email, cookie consent banner, physical mail, smoke signals (not recommended), etc. If your Privacy Policy designates the contact methods, be aware of the fact that individuals may attempt to exercise their rights through other methods (e.g. by calling you or sending a Facebook message). It is important to train your employees on spotting a privacy rights request, even if it comes from a source that is not designated in your Privacy Policy. 
  2. Can individuals designate an authorized agent to exercise their rights on their behalf? If so, how would they do that? What documentation will they need to provide to you to designate an authorized agent (e.g. valid power of attorney)? 
  3. Do they need to verify their identity or place of residence to exercise their rights? How can they do that (e.g. email you from the email address that you have on file for them)? What information would they need to provide to you to verify their identity? 

This information should also be in your Privacy Policy if you are required to provide privacy rights by the laws that apply to you. If you generated your Privacy Policy with Termageddon and the privacy laws that require the provision of rights apply to you, your Privacy Policy will have a section titled “Exercising your rights” that will list this information. 

Step 3: Understand when you can refuse requests

Privacy laws provide exceptions for when you can refuse to process a request to exercise privacy rights – these exceptions vary by privacy law, but the common ones are:

  1. You cannot verify the individual’s identity; 
  2. The information is part of legal proceedings so you cannot delete it as requested; 
  3. Allowing the exercise of privacy rights would place another individual in a situation that would jeopardize their safety. 

If you refuse a request, the reason(s) for doing so must be clearly documented and communicated to the individual. 

Step 4: Create a data map

When someone contacts you to exercise their privacy rights, you will need to know where you store data in order to process the request.

For example, if someone asks you to delete their data, you will need to go into all of the databases where that data is stored to delete it. If you do not have a data map and do not know where this data is stored, this could lead you to miss things or make the process so time-consuming that you miss the deadline for the response. Plus, if childhood cartoons taught us anything, it’s to always remember where you filed away the name/data.


You should create a checklist of all of the places that you store data (this will differ for each business). Here are some of the common places: 

  • Website backend
  • Employee chat software (e.g. Slack)
  • Analytics account
  • Advertising account
  • Email
  • Google Drive (or similar document repository)
  • Support ticketing software
  • Calendar 
  • CRM (e.g. Hubspot or Salesforce)
  • Email marketing vendor (e.g. MailChimp or ConstantContact)
  • Payment processors (e.g. Stripe or PayPal)
  • Accounting/invoicing software 
  • Stored on phones 
  • Stored on computers 
  • Printed paperwork
  • Task tracking software (e.g. Trello or JIRA)

Pro tips: 

  1. Minimize the amount of data that you are collecting in the first place. The less data you collect, the easier it is to find it and/or remove it;
  2. Stop storing data on tools that you don’t need. For example, if you have never looked at your Google Analytics data and don’t plan on doing so in the future, remove it from your website and delete that data;
  3. Proactively delete data that you no longer need. For example, if a person who is not a customer signs up for your email newsletter and then unsubscribes, their data should be deleted as you no longer need it;
  4. Consider creating a checklist like this for clients as well – at a minimum, create a list of where data is stored while the website is being developed so clients have that part of the checklist and can add the other places where they keep data.

Step 5: Create templates for responses 

Create a series of templated emails that you can quickly fill in with the pertinent details for each response that you may send for exercising privacy rights: 

  1. Unclear request template 
  2. Verify identity template 
  3. Request accepted/honored template 
  4. Requests partially accepted and partially refused template 
  5. Request refused template 

Or, you can use the templates we drafted up (you’re welcome). Just note a few things regarding all templates provided:

  • This is NOT legal advice… just a place for you to start
  • All templates need to be adjusted to match your business and the privacy laws that apply to you (for example, some templates apply to a business that does not sell personal data. If you do sell data, you will need to adjust the template to reflect this practice)
  • All templates are for internal use (please don’t post them to your website)

Step 6: Create procedures that detail the steps that you need to take to process privacy rights requests 

This set of procedures should be created for each privacy right that you offer and will detail all of the steps that you will need to take internally to process that request. Once again, we’ve compiled pre-written procedures that you can use because we have no hobbies. 

Step 7: Train your employees

Provide training to your employees on:

  • What a privacy rights request is;
  • What rights you offer;
  • How to spot a privacy rights request;
  • Who is responsible for privacy rights requests; and 
  • What actions need to be taken to process privacy rights requests.

You receive a privacy request… now what? 

So the day has finally come when somebody sent you a privacy request. Don’t panic. Remember your training. Take a deep breath and… ok, now we’re being dramatic. Just follow these steps:

  1. Forward the request to the individual or attorney responsible for processing requests; 
  2. Determine which privacy right(s) the individual would like to exercise and whether you offer those right(s); 
  3. Verify the residence of the individual (if you offer privacy rights by country or state only and not to everyone that visits your website); 
  4. Verify the identity of the individual (if applicable); 
  5. Go through the procedure that you created for processing requests for the privacy right(s) that the individual has requested to exercise; 
  6. Send the appropriate response to the individual. 
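The six steps above, together with the refusal reasons from Step 3 and the five templates from Step 5, can be turned into a small triage helper that records the response deadline and names the template to send. This is an added illustration, not code from the article or from Termageddon; the set of offered rights, the 30-day window and the refusal-reason labels are assumptions you would replace with what your own Privacy Policy and applicable laws say.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumptions (not from the article): the rights you offer, the shortest response
# window that applies to you, and the refusal reasons you have documented.
OFFERED_RIGHTS = {"access", "delete", "correct"}
RESPONSE_WINDOW_DAYS = 30
REFUSAL_REASONS = {"not_offered", "identity_unverified", "legal_proceedings", "safety_of_another"}

@dataclass
class PrivacyRequest:
    received: date
    requested_rights: list                       # empty list means the request was unclear
    residency_required: bool = False             # rights offered only to certain states/countries?
    residency_verified: bool = False
    identity_verified: Optional[bool] = None     # None = not checked yet, False = check failed
    refusals: dict = field(default_factory=dict)  # right -> documented reason from your procedure

def response_deadline(req):
    """Log the due date as soon as the request is forwarded (step 1)."""
    return req.received + timedelta(days=RESPONSE_WINDOW_DAYS)

def choose_template(req):
    """Walk steps 2-6 in the article's order and name the template to send."""
    if not req.requested_rights:                                # step 2: right not identifiable
        return "unclear_request", {}
    if req.residency_required and not req.residency_verified:  # step 3
        return "verify_identity", {"needs": "residence"}
    if req.identity_verified is None:                           # step 4: ask before processing
        return "verify_identity", {"needs": "identity"}
    refused = dict(req.refusals)
    for right in req.requested_rights:                          # step 5: apply your procedure
        if req.identity_verified is False:
            refused[right] = "identity_unverified"
        elif right not in OFFERED_RIGHTS:
            refused[right] = "not_offered"
    bad = {r for r in refused.values() if r not in REFUSAL_REASONS}
    if bad:                                                     # every refusal needs a documented reason
        raise ValueError("undocumented refusal reason(s): %s" % sorted(bad))
    honored = [r for r in req.requested_rights if r not in refused]
    refused = {r: refused[r] for r in req.requested_rights if r in refused}
    if not refused:                                             # step 6: pick the template
        return "request_accepted", {"honored": honored}
    if not honored:
        return "request_refused", {"refused": refused}
    return "partially_accepted", {"honored": honored, "refused": refused}

# Constructed sample: a verified individual asks to delete and correct their data,
# but part of the record is tied to legal proceedings and cannot be deleted.
SAMPLE = PrivacyRequest(date(2024, 6, 3), ["delete", "correct"], identity_verified=True,
                        refusals={"delete": "legal_proceedings"})
```

Whatever the helper returns, the refusal reasons it carries are the ones you must communicate to the individual in the response.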

Conclusion

At the end of the day, people have the right to their privacy and data. They get to decide what to do with it.

The fact that you’ve made it this far shows your commitment as an agency to ensuring that you respect this right. So, well done.

Much of what was said does rely on you knowing what privacy laws apply to you and/or your clients. We’ve hinted at it a few times throughout, but if you’d like help with this, be sure to use Termageddon’s Privacy Policy Generator. It’ll ask you questions about your business, determine what privacy laws apply to you, and then generate policies accordingly.

Plus, all Termageddon policies auto-update as privacy laws change. It’s a pretty cool party trick… well, not really. But it is very helpful.

Anyway, thanks for reading and we’ll catch you next month. 


Key Takeaways

  • Understand Privacy Rights Requests: Recognize what privacy rights requests are, including Data Subject Access Requests (DSARs), and their importance for compliance and respecting user privacy.
  • Preparation Steps: Prepare for privacy requests by identifying applicable privacy rights, understanding how individuals can exercise these rights, creating data maps, and training employees to handle requests efficiently.
  • Handling Requests: When a request is received, follow a structured procedure to verify, process, and respond to the request in a timely manner, ensuring compliance with relevant privacy laws.
