The Nightmare Letter

  • kevin77 - Wednesday, March 28, 2018 1:07 PM

    After reading the letter, it seems to me like most, if not all, companies that get a request like this would simply be able to respond with the same canned response every time, for every user.  For example, Steve, what would you do if you got a request like this from a SQLServerCentral.com user?  Could you not use the following for everyone?  (Here would be my response to the first 5 questions in the letter.  Obviously I don't know the real answers as they relate to SQLServerCentral.com, but I just made up some stuff that I thought would sound reasonable.)  Sure it could be more complicated for different companies, but after they did one, chances are it would be applicable to many, if not all of their users.  Then, once an individual gets a response back, are you going to argue it?  How would the individual know what is correct, incorrect, or missing?

    1.   Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.

    Yes, kevin77, your personal data is being processed.
    1a. We have your full name and email address.
    1b. The information is stored in the United States of America.
    1c. Your personal information can be found at: https://www.sqlservercentral.com/Forums/Users/kevin77

    2.   Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of my personal data.

    Your email address is used to send out newsletters every weekday.

    3.   Please provide a list of all third parties with whom you have (or may have) shared my personal data.

    Redgate (www.red-gate.com)
    3b. Redgate is a parent company, so all legal grounds transfer.
    3c. Data is transferred over HTTPS/SSL.

    4.   Please advise how long you store my personal data, and if retention is based upon the category of personal data, please identify how long each category is retained.

    Data is retained until you delete your account.

    5.   If you are additionally collecting personal data about me from any source other than me, please provide me with all information about their source, as referred to in Article 14 of the GDPR.

    No additional data is being collected.

    My question is if the parent company would also have to respond.

    412-977-3526 call/text

  • For us, yes, it's really just email for us. Easy to respond.

    For most organizations I've worked in, it would be a bit of a project to assemble all this, verify it, and ensure that you were legally correct. Keep in mind that a request can ask for a copy of their data. So you'd have to be able to export this.

  • Steve Jones - SSC Editor - Wednesday, March 28, 2018 3:07 PM

    For us, yes, it's really just email for us. Easy to respond.

    For most organizations I've worked in, it would be a bit of a project to assemble all this, verify it, and ensure that you were legally correct. Keep in mind that a request can ask for a copy of their data. So you'd have to be able to export this.

    Which depending on the sensitivity of the data could be a headache in and of itself.

  • It seems to me that if an organization already has a customer data-mart, then fulfilling such a request would be as simple as running a canned report. It could even spit out a thoughtful fill-in-the-blank reply letterhead to accompany the Adobe PDF document containing the 1,200 pages of personal information.

    What would concern me is how to confirm that the person submitting the request is truly who they claim to be.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • I remember getting a 1,200 page file with my brother's medical records when he died.

    I would be surprised if most organizations had the capability to produce this kind of report. There will need to be 3rd parties, and they will have to have a regulated system for producing and recovering the legally allowed amounts to answer these types of letters. There is a balance of rights here, and if companies are legally collecting data, then the cost to disclose what they are collecting shouldn't be borne without thought.

    It will be interesting to see what the process looks like 3 months and a year into it.

    412-977-3526 call/text

  • Eric M Russell - Thursday, March 29, 2018 6:18 AM

    It seems to me that if an organization already has a customer data-mart, then fulfilling such a request would be as simple as running a canned report. It could even spit out a thoughtful fill-in-the-blank reply letterhead to accompany the Adobe PDF document containing the 1,200 pages of personal information.

    What would concern me is how to confirm that the person submitting the request is truly who they claim to be.

    Should be that simple. The hassle is that most people don't have all their information in the mart. Often sensitive data might be left out.

    In most orgs this should be a one-shot deal to build a process to export data, then minor updates as new systems come online.

  • "With the focus on privacy in the media, and the mishandling of data regularly by companies, I wouldn't be surprised if there are going to be large numbers of requests by individuals. In fact, I wouldn't be surprised if there are scripts or applications being built now to facilitate the ability for lots of individuals to ask for this information from companies about their data processing."

    OK, here we all sit four years in the future from the original post. Shortly afterward, I was recruited to help with our organization's CCPA remediation project. Step one is that management consulted with a company called OneTrust. Next came the data dictionary where we record every server, database, table and column used across the enterprise. It takes a village to build a data dictionary for an enterprise with hundreds of IT workers and hundreds of databases - it's not something that a couple of contractors camping out in a conference room can pull together in any meaningful way. We have to take ownership of it, because only we know our databases. This data dictionary combined with our pre-existing MDM (master data management) and MPI (master person index) system provides the meta-data required to drive the PII request, reporting and data anonymization process.

    We actually have a process that auto-responds to the "nightmare letter" (once the requestor's ID has been verified and legal has manually reviewed the responding letter). That said, my understanding is that there haven't been nearly as many requests as what we originally anticipated. But the process is there doing its job.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
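
The metadata-driven export described in the last two posts (a data dictionary naming every PII column, joined through a master person index, used as the "one-shot" process that answers the letter) can be illustrated with a small script. This is an added example, not code from the thread or from any poster's organisation; it uses SQLite in place of SQL Server, and the table, column and mpi_id values are constructed for the demo. The dictionary rows, not the requester, decide which columns are queried, identifiers are quoted, and the person key is a bound parameter, so one report can neither be turned into injection nor leak another subject's rows.

```python
import sqlite3

# Constructed data dictionary (hypothetical table/column names): every column that holds
# personal data, its category, and the column linking the row to the master person index
# (MPI) id. Columns not listed here (e.g. password_hash below) are never exported.
DATA_DICTIONARY = [
    # (table, column, pii_category, mpi_link_column)
    ("forum_users", "full_name", "identity", "mpi_id"),
    ("forum_users", "email", "contact", "mpi_id"),
    ("newsletter_log", "sent_to", "contact", "mpi_id"),
    ("newsletter_log", "sent_on", "usage", "mpi_id"),
]

def quote_ident(name):
    """Quote a dictionary-supplied identifier so it is never parsed as SQL syntax."""
    return '"' + name.replace('"', '""') + '"'

def build_subject_queries(dictionary):
    """One parameterised SELECT per table; the MPI id is bound, never concatenated."""
    by_table = {}
    for table, column, category, link in dictionary:
        by_table.setdefault((table, link), []).append((column, category))
    queries = []
    for (table, link), cols in by_table.items():
        select_list = ", ".join(quote_ident(c) for c, _ in cols)
        sql = "SELECT %s FROM %s WHERE %s = ?" % (select_list, quote_ident(table), quote_ident(link))
        queries.append((table, [c for c, _ in cols], {cat for _, cat in cols}, sql))
    return queries

def subject_access_report(conn, mpi_id):
    """Answer Q1 (categories held) and the copy-of-data request for exactly one person."""
    report = {"categories": set(), "records": {}}
    for table, cols, cats, sql in build_subject_queries(DATA_DICTIONARY):
        rows = conn.execute(sql, (mpi_id,)).fetchall()
        if rows:
            report["categories"] |= cats
            report["records"][table] = [dict(zip(cols, r)) for r in rows]
    return report

def demo_db():
    """Constructed SQLite stand-in for the enterprise databases (SQL Server in the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE forum_users(mpi_id INTEGER, full_name TEXT, email TEXT, password_hash TEXT);
        CREATE TABLE newsletter_log(mpi_id INTEGER, sent_to TEXT, sent_on TEXT);
        INSERT INTO forum_users VALUES (77, 'Kevin Example', 'kevin77@example.com', 'hash-not-disclosed');
        INSERT INTO forum_users VALUES (42, 'Someone Else', 'other@example.com', 'other-hash');
        INSERT INTO newsletter_log VALUES (77, 'kevin77@example.com', '2018-03-28');
    """)
    return conn
```

Run `subject_access_report(demo_db(), 77)` to see the categories and records for one subject; adding a new system later means adding dictionary rows, not changing the export code.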
