CPRA Step 05
Providing User Right of Access
As outlined in section one above, you must provide your consumers with the ability to request access to their personal data and to receive it within 45 days. You may also request a 45-day extension in the event of a legitimate reason or delay in processing their request.
1. Provide your user two ways to submit their access requests
In order to fulfill this obligation, you must provide your consumer a minimum of two methods to make their request to your business. Typically these are:
- A form or privacy center to automatically accept requests from consumers.
- An email address or customer support system to accept requests.
2. Collect information necessary to verify their identity
As the business receiving the request, you are responsible for verifying the validity of the identity of the consumer.
To minimize privacy risks, you should not request additional information you do not already hold about the user to verify their identity. Put simply, if you don’t already have their driver’s license, don’t ask for it to process privacy requests. For this reason, the most common method to verify the identity of a user is their email address or phone number.
You can then use MFA solutions to send a short code by email or SMS to their inbox or device. This code allows you to better confirm that the consumer making the request is the rightful owner of the email address or phone number.
3. Retrieve their personal data from your systems
You must then retrieve all of the user's data from across your business systems and vendors and provide it to the user.
If you are doing this manually, be very careful to ensure you are not returning confidential company information, data belonging to another user, or any non-personal, non-essential information.
The access request process is labor intensive and risky. We therefore strongly recommend using an automated system such as Fides to perform this end to end for you: providing the consumer a privacy center to receive their requests, automating identity verification, and programmatically performing secure data extraction across all business systems on behalf of the user.
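The short-code identity check from step 2, sketched as an added example (it is not code from Fides or from this guide). The class name, the 10-minute validity window and the 5-guess limit are assumptions chosen for illustration; sending the code by email or SMS is left to your own delivery service.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600  # assumed validity window
MAX_ATTEMPTS = 5        # assumed guess limit per issued code


class AccessRequestVerifier:
    """Hypothetical helper: one-time codes for contacts already on file."""

    def __init__(self, contacts_on_file, clock=time.time):
        self._on_file = set(contacts_on_file)
        self._pending = {}   # contact -> salt, digest, expiry, attempts
        self._clock = clock  # injectable so expiry can be tested

    @staticmethod
    def _digest(salt, code):
        return hmac.new(salt, code.encode(), hashlib.sha256).digest()

    def issue_code(self, contact):
        """Return a 6-digit code to send by email/SMS, or None if unknown."""
        if contact not in self._on_file:
            return None  # only verify against data the business already holds
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._pending[contact] = {
            "salt": salt,
            "digest": self._digest(salt, code),  # plaintext code is not stored
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, contact, submitted):
        entry = self._pending.get(contact)
        if entry is None:
            return False
        if self._clock() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[contact]  # expired or locked out: must re-issue
            return False
        entry["attempts"] += 1
        candidate = self._digest(entry["salt"], submitted)
        if hmac.compare_digest(entry["digest"], candidate):
            del self._pending[contact]  # single use
            return True
        return False
```

Re-issuing a code resets the attempt counter, so rate-limit `issue_code` per contact as well, and give the requester the same response whether or not the contact is on file.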
Looking for more help with Access Requests? Ask a question now on the Fides Slack Community.
If you want lightning-fast, automated access requests with Privacy Engineering Intelligence from Ethyca, get in touch now.