Re-Purposing E-Discovery Software To Field DSARs

Among the provisions of the California Consumer Privacy Act will be a requirement for affected companies to respond to a Data Subject Access Request. The “subject” of a Data Subject Access Request could be any consumer who is feeling uneasy about the personal information he or she suspects a company may have about them and wants to know the details. The California law, which launches on January 1, will require affected companies to provide that information and they will have just 45 days to do it. Although some of the strictures of a DSAR are diametrically opposite from those of a discovery request – in the sense that data privacy protection may entail the destruction of data, while in the context of a discovery request destruction of data may be forbidden – the methodologies to carry out these two processes are similar, and companies that have good e-discovery processes in place should be able to adapt those processes to a DSAR. This post helps sort it out and provides a basic flow chart that clarifies both processes.