Be Prepared: New Tech Enables Floods of Subject Access Requests
In January 2020, a new data privacy startup, Mine, made headlines when it received $3 million in seed funds. Mine is an inevitable product of new data privacy laws that have been passed in Europe and California. The startup, based in Tel Aviv, helps users identify all the companies that hold their personal data. It then allows users to submit automated subject access requests and subject erasure requests. It advertises itself as a service providing tools for consumers to “reclaim your data.” Users of this service have already sent out thousands of requests, emphasizing how easy it is to generate hundreds of requests.
Achieved is already handling Mine requests on behalf of several clients. This alert will give you insight into how these services work, what you can expect and how to respond.
So, How Does it Work? A user registers with Mine using either a Google email account or a Microsoft Outlook email account. The company then scans the headlines of every email in the user’s inbox and identifies all the companies that hold the user’s data. The user can then send automated subject access requests to the companies mapped during the process. You may be one of the companies receiving floods of automated requests if you regularly interact with individuals by email.
The Impact on Business. The most common request generated by this service is a blanket erasure request. European and California laws require companies to verify and fully comply with a user’s request within a tight timeframe. Businesses need to be able to respond quickly to individuals while being increasingly careful about responding to fraudulent requests. Most companies currently do not have the infrastructure to easily respond to high volumes of user requests, especially within the 30-day window allotted by regulations. They also lack standard operating procedures to govern the ID verification process and to ensure timely and full erasure with accurate responses to the requestor.
The Challenge. Compiling reports for Subject Access Requests can be complicated and daunting. One of our clients received 30,000 requests in just three days in response to some negative publicity about its business model. Is your business ready to handle large numbers of requests within 30 days?
How Achieved Helps Clients Prepare for Subject Access Requests.
- Achieved will prepare standard operating procedures and policies crafted to your data profile and internal resources. We also assess the adequacy of your response infrastructure and make recommendations on how to improve.
- Establish and test a process to verify identification in a way that complies with the data minimization rules.
- Customize a comprehensive response method based on how the company stores customer data.
- Provide subject access requests and data incident logs.
- We can also act as your back office to monitor incoming requests and respond on your behalf.
Achieved Compliance Solutions can help you take control. Let us show you our full suite of services so you can navigate the evolving world of data protection and privacy.