What do most companies include in a CCPA data access policy or procedure?

BCLP

While businesses are not required to create a written policy or procedure for processing access requests, some businesses – particularly those that receive high volumes of such requests – choose to create such a policy.

If a company chooses to create an internal policy or procedure for handling access requests, it typically addresses the following four topics within the policy:

  1. Data subject verification.  Before taking any action, a business should verify that the requestor is the individual to whom the information relates.  How a business verifies a requestor’s identity often depends upon what type of information the company maintains about the individual and might be able to leverage as a verification mechanism.  For example, if the business has an individual’s email address and telephone number, it might consider verifying that a requestor is the individual by sending them an email and/or placing an outbound telephone call.
  2. Communicating with data subjects.  A business is required to respond to a requestor within 45 days.  In order to promote consistency, some businesses may choose to include template communications within an internal policy or procedure.
  3. Evaluating the request.  Receiving personal information about yourself is not an absolute right.  Some businesses choose to include a discussion of when the right does, and does not, have to be granted within their internal policy or procedure to aid the employees that will be handling access requests.
  4. Providing access.  If a business is able to verify the identity of a requestor, and if a business determines that access should be granted, some businesses choose to include instructions within their internal policies or procedures concerning what technical steps should be taken in order to identify (and produce) an individual’s information. 

For more information and resources about the CCPA visit http://www.CCPA-info.com. 


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising
