Managing Erasure Requests or DSARs via Third-Party Portals
Do organisations have to honour them? Well, it depends…
Over the past few years GDPR, the California Consumer Privacy Act (CCPA) and other privacy regulations have led to specialist companies offering to submit Erasure or Data Subject Access Requests (DSARs) on behalf of consumers.
These online portals say they want to help people exercise their privacy rights, while enabling them to make requests to multiple organisations simultaneously.
Companies on the receiving end of such requests often receive them in volume, and not necessarily from consumers they even know. Requests can quote swathes of legislation, some of which may be relevant, some which won’t apply in your jurisdiction.
If you haven’t had any yet, you may soon. Companies like Mine, Privacy Bee, Delete Me, Revoke and Rightly all offer these services.
They don’t all operate in the same way, so be warned the devil is in the detail.
How third-party portals work
Okay, bear with me, as said there are different approaches. They may use one, or a combination of, the following elements:
- Offer to simply submit requests on the individual’s behalf, then the consumer engages directly with each organisation
- Offer people the opportunity to upload their details and proof of ID, so the portal can submit requests on their behalf without the consumer needing to validate their ID each time.
- Provide a bespoke link which organisations are invited to use to verify ID/authority. (Hmmm, we’re told not to click on links to unknown third parties, right?)
- Allow consumers to select specific named organisations to submit requests too
- Make suggestions for which organisations the individual might wish to ‘target’
- Offer to scan the individual’s email in-box to then make suggestions about which organisations are likely to hold their personal data. (Again, really? Would you knowingly let any third-party scan your in-box?).
Is this a good thing? Does it empower the consumer?
On the surface, this all seems fairly positive for consumers, making it simpler and quicker to exercise their privacy rights.
For organisations, these portals could be seen as providing an easier way of dealing with rights requests in one place. Providing perhaps, a more secure way of sharing personal data, for example in responding to a DSAR.
I would, however, urge anyone using these portals to read the small print, and any organisation in receipt of these requests to do their homework.
Why it’s not all straight-forward
The following tale from one DPO may sound familiar…
We tend to find these requests slightly frustrating and time-consuming. First, we have to log all requests for our audit trails. We cannot simply ignore the requests otherwise this can cause regulatory issues, not to mention if they are genuine requests.
More often than not, they are sent in batches and do not contain the information we require to search and make the correct suppression. Where we do have enough information to conduct searches, we often find the personal details do not exist on our database.
Another concern is whether the requests are actually for meant for us. We recently received a number of requests for a competitor, who was clearly named on the requests. When we tried to contact the portal to explain this issue, we did not get a response and were essentially ignored, which leaves us in a predicament – do we continue with the with the request, was it actually for our organisation or not?
So, there’s a problem. Requests might be submitted on behalf of consumers who organisations have never have engaged with. Requests can arrive with insufficient information. We can’t always verify people’s identity, or the portal’s authority to act on their behalf. In these circumstances, do people genuinely want us to fulfil their Erasure or Access request?
What does the ICO say about third-party portals?
The regulator does reference online portals in is Right of Access guidance. It tells us we should consider the following:
- Can you verify the identity of the individual?
- Are you satisfied the third-party has authority to act on their behalf?
- Can you view the request without having to take proactive steps (e.g. paying a fee or signing up to a service)?
The ICO makes it clear it would not expect organisations to be obliged to take proactive steps to discover whether a DSAR has been made. Nor are you obliged to respond if you’re asked to pay a fee or sign up to a service.
The Regulator says it’s the portal’s responsibility to provide evidence of their authority to act on an individual’s behalf. If we have any concerns, we’re told to contact the individual directly.
If we can’t contact the individual, the guidance tells us we should contact the portal and advise them we will not respond to the request until we have the necessary information and authorisation.
This all takes time…
This is all very well, but for some organisations receiving multiple requests this is incredibly time-consuming. Some organisations are receiving hundreds of these requests in a single hit, as Chris Field from Harte Hanks explains in – You’ve been SAR-bombed.
In addition, we need to do our research and understand how the portal operates, checking whether we believe they’re bone fide or not.
Another DPO, whose company receives around thirty privacy requests from third-party portals a month says; “Often these tools don’t provide anything more than very scanty info, so they all require responses and requests for more info”. This company takes the following approach; “We deal with the individual if it’s a legitimate contact detail, or we don’t engage.”
It really is a question of how much effort is reasonable and proportionate.
We must respect fundamental privacy rights, understand third-party portals may be trying to support this, but balance this with our duty to safeguard against fraud or mistakes.
As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.