Leveraging Data Classification to Enable GDPR/CCPA Data Subject Requests

Published On February 22, 2019

Regulatory requirements are driving organizations to clearly define processes to manage personal data requests from data subjects [1], which in turn requires clear data classification and disposition controls in the environment. Chief among these regulations is the EU Global Data Protection Regulation (GDPR) but following suit later this year is the California Consumer Privacy Act (CCPA).

A key component of these regulations, with some nuances between them, is to assure data subjects of the control, use, protection and privacy of their personal data. To do this, GDPR empowers data subjects with specific rights. These rights enable data subjects to make specific requests and be assured that their personal data is only used for approved purposes for which it was provided. They include the right to access and rectify data collected on the data subject, the right for erasure of personal data, and the right to object to the data subject’s information being used.

These data subject rights provide the foundation for GDPR and CCPA compliance and an organization, the data controller [2] and processor [3], has to be ready to respond to the data subject requests. It is the data subject that is the ultimate owner of their data and have the right to control their data. It is the data controller and data processor that has to quickly comply with the requests of the data subject. This requires that the data controller and processor have clearly defined data classification in place to identify data subject information, where it is stored and used, and its disposition.

Organizations should establish their data classification policy and ensure that it is effectively implemented in the environment. Data classification allows the organization to identify and therefore control data as well as provide speed of access to information when data subjects make a request. When data is labeled it provides a reminder to individuals using the data that there are specific controls in place on that data. It increases awareness of control and compliance of this data.

Data classification enables the organization to understand what data subject information is in the organization, how to control it, and manage its disposition. This provides a foundation to more effectively respond to data subject rights requests in the organization. Data classification enables the organization to:

1. Provide rapid and efficient data retrieval
2. Greater security and control of data based on classification
3. Consistency in the application and monitoring of controls to insure confidentiality and integrity of data.
4. Awareness of data criticality through labeling that users see

The organization needs to identify the business owners and users of personal data to identify and classify the data. The steps to data classification for personal data are to:

1. Discover where personal data of data subjects is in the organization whether in digital or physical form.
2. Identify what the personal data is and how it is used with a particular focus on if it is needed.
3. Classify the data and clearly label it as data subject data.
4. Monitor the data to ensure that controls are in place to assure of its confidentiality and integrity.

Data classification provides the foundation for the identification, control, and disposition of personal data that then directly impacts the organizations ability to respond to data subject requests and provide assurance to data subject of control and disposition.