
New Oil, Familiar Challenges — Answering GDPR Requests for Data


Data is the new oil, and that means that it requires supporting infrastructure for safe handling.

In the same way that oil and gas facilities are subject to inspections to verify whether their equipment is fit for purpose, companies can receive requests — under the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or other regulatory regimes — that will identify whether they have technology in place to handle data responsibly. 

One test of a company’s capabilities is the GDPR’s Data Subject Access Request (DSAR), which can be submitted by customers, sales prospects, or anyone else whose personal data may be on file. Companies must comply with these requests by sharing relevant information that has been collected about the subject.

Complying with DSARs can take weeks of work and cost thousands of dollars. They pose one of the more challenging aspects of data privacy compliance, and any company storing, transferring, or processing an individual’s data must be ready to issue DSAR responses. 

Key Requirements for GDPR Compliance Technology

Firms that benefit from consumer data must have the technology to handle that data responsibly. Under GDPR, companies are required to include “privacy by design and default” in their data management systems. The response to a DSAR can signal whether those efforts have been effective.

DSAR responses are particularly challenging if companies are scrambling to locate personal data in unstructured formats or to collect relevant data from vendors and contractors. At a minimum, companies must have a technical solution in place that can: 

  • Confirm that the request is valid. 

  • Collect the relevant information. 

  • Redact non-relevant information. 

  • Deliver the data securely.

Any tech solution for DSAR responses must meet these basic requirements. Ideally, it will also have the capability to log each request and its accompanying response. When building DSAR workflows, firms need to consider their cost, capacity, and scalability.

The Calculus of Compliance

Fintech firms looking to profit from data now face substantial pressure. Rising compliance costs have driven them to search for more efficient processes, and more jurisdictions are expected to implement their own legislation modeled after GDPR. Companies that fail to keep pace with ongoing developments may find themselves incurring additional expense.

However, third-party data still offers tremendous benefits even as additional responsibilities apply under GDPR and other regulatory regimes. The question is whether companies want to invest in their capacity to manage that data themselves, or whether it makes more sense to outsource that work.

Data may be the new oil, but that doesn’t mean that every company wants to build its own refinery.

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
